NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

Remediation

Upgrade Ubuntu:20.04 expat to version 2.2.9-1ubuntu0.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-45491
• https://github.com/libexpat/libexpat/issues/888
• https://github.com/libexpat/libexpat/pull/891
• https://security.netapp.com/advisory/ntap-20241018-0003/
• https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

Remediation

Upgrade Ubuntu:20.04 expat to version 2.2.9-1ubuntu0.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-45492
• https://github.com/libexpat/libexpat/issues/889
• https://github.com/libexpat/libexpat/pull/892
• https://security.netapp.com/advisory/ntap-20241018-0005/
• https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009.

Remediation

Upgrade Ubuntu:20.04 openssh to version 1:8.2p1-4ubuntu0.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-38408
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/
• http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html
• http://www.openwall.com/lists/oss-security/2023/07/20/1
• http://www.openwall.com/lists/oss-security/2023/07/20/2
• http://www.openwall.com/lists/oss-security/2023/09/22/11
• http://www.openwall.com/lists/oss-security/2023/09/22/9
• https://blog.qualys.com/vulnerabilities-threat-research/2023/07/19/cve-2023-38408-remote-code-execution-in-opensshs-forwarded-ssh-agent
• https://github.com/openbsd/src/commit/7bc29a9d5cd697290aa056e94ecee6253d3425f8
• https://github.com/openbsd/src/commit/f03a4faa55c4ce0818324701dadbf91988d7351d
• https://github.com/openbsd/src/commit/f8f5a6b003981bb824329dc987d101977beda7ca
• https://lists.debian.org/debian-lts-announce/2023/08/msg00021.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEBTJJINE2I3FHAUKKNQWMFGYMLSMWKQ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAXVQS6ZYTULFAK3TEJHRLKZALJS3AOU/
• https://news.ycombinator.com/item?id=36790196
• https://security.gentoo.org/glsa/202307-01
• https://security.netapp.com/advisory/ntap-20230803-0010/
• https://support.apple.com/kb/HT213940
• https://www.openssh.com/security.html
• https://www.openssh.com/txt/release-9.3p2
• https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
• https://www.vicarius.io/vsociety/posts/exploring-opensshs-agent-forwarding-rce-cve-2023-38408
• https://github.com/kali-mx/CVE-2023-38408

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.

Remediation

Upgrade Ubuntu:20.04 sqlite3 to version 3.31.1-4ubuntu0.7+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-6965
• https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
• http://seclists.org/fulldisclosure/2025/Sep/49
• http://seclists.org/fulldisclosure/2025/Sep/53
• http://seclists.org/fulldisclosure/2025/Sep/56
• http://seclists.org/fulldisclosure/2025/Sep/57
• http://seclists.org/fulldisclosure/2025/Sep/58
• http://www.openwall.com/lists/oss-security/2025/09/06/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.

Remediation

Upgrade Ubuntu:20.04 krb5 to version 1.17-6ubuntu4.6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-37371
• https://security.netapp.com/advisory/ntap-20241108-0009/
• https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef
• https://security.netapp.com/advisory/ntap-20250124-0010/
• https://web.mit.edu/kerberos/www/advisories/

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.

Remediation

Upgrade Ubuntu:20.04 wget to version 1.20.3-1ubuntu2.1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-38428
• https://security.netapp.com/advisory/ntap-20241115-0005/
• https://git.savannah.gnu.org/cgit/wget.git/commit/?id=ed0c7c7e0e8f7298352646b2fd6e06a11e242ace
• https://lists.debian.org/debian-lts-announce/2025/04/msg00029.html
• https://lists.gnu.org/archive/html/bug-wget/2024-06/msg00005.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.

Remediation

Upgrade Ubuntu:20.04 git to version 1:2.25.1-1ubuntu3.13 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-32002
• http://www.openwall.com/lists/oss-security/2024/05/14/2
• https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgt
• https://git-scm.com/docs/git-config#Documentation/git-config.txt-coresymlinks
• https://github.com/git/git/commit/97065761333fd62db1912d81b489db938d8c991d
• https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/
• https://github.com/amalmurali47/git_rce

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.

Remediation

Upgrade Ubuntu:20.04 krb5 to version 1.17-6ubuntu4.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-3596
• https://security.netapp.com/advisory/ntap-20240822-0001/
• https://today.ucsd.edu/story/computer-scientists-discover-vulnerabilities-in-a-popular-security-protocol
• https://cert-portal.siemens.com/productcert/html/ssa-723487.html
• https://cert-portal.siemens.com/productcert/html/ssa-794185.html
• http://www.openwall.com/lists/oss-security/2024/07/09/4
• https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/
• https://datatracker.ietf.org/doc/html/rfc2865
• https://networkradius.com/assets/pdf/radius_and_md5_collisions.pdf
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0014
• https://www.blastradius.fail/
• https://www.kb.cert.org/vuls/id/456537

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An issue was discovered in binutils libbfd.c 2.36 relating to the auxiliary symbol data allows attackers to read or write to system memory or cause a denial of service.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-19726
• https://sourceware.org/bugzilla/show_bug.cgi?id=26240
• https://sourceware.org/bugzilla/show_bug.cgi?id=26241

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.

Remediation

There is no fixed version for Ubuntu:20.04 git.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005
• https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329
• https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.

This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

Remediation

Upgrade Ubuntu:20.04 gnutls28 to version 3.6.13-2ubuntu1.12+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-32988
• https://access.redhat.com/security/cve/CVE-2025-32988
• https://bugzilla.redhat.com/show_bug.cgi?id=2359622
• https://access.redhat.com/errata/RHSA-2025:16115
• https://access.redhat.com/errata/RHSA-2025:16116
• https://access.redhat.com/errata/RHSA-2025:17348
• https://access.redhat.com/errata/RHSA-2025:17361
• https://access.redhat.com/errata/RHSA-2025:17415
• https://access.redhat.com/errata/RHSA-2025:19088
• https://lists.debian.org/debian-lts-announce/2025/08/msg00005.html
• http://www.openwall.com/lists/oss-security/2025/07/11/3
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:22529

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

Remediation

Upgrade Ubuntu:20.04 gnutls28 to version 3.6.13-2ubuntu1.12+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-32990
• https://access.redhat.com/security/cve/CVE-2025-32990
• https://bugzilla.redhat.com/show_bug.cgi?id=2359620
• https://access.redhat.com/errata/RHSA-2025:16115
• https://access.redhat.com/errata/RHSA-2025:16116
• https://access.redhat.com/errata/RHSA-2025:17348
• https://access.redhat.com/errata/RHSA-2025:17361
• https://access.redhat.com/errata/RHSA-2025:17415
• https://access.redhat.com/errata/RHSA-2025:19088
• https://lists.debian.org/debian-lts-announce/2025/08/msg00005.html
• http://www.openwall.com/lists/oss-security/2025/07/11/3
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:22529

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Remediation

Upgrade Ubuntu:20.04 freetype to version 2.10.1-2ubuntu0.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-27363
• https://www.facebook.com/security/advisories/cve-2025-27363
• http://www.openwall.com/lists/oss-security/2025/03/13/1
• http://www.openwall.com/lists/oss-security/2025/03/13/11
• http://www.openwall.com/lists/oss-security/2025/03/13/12
• http://www.openwall.com/lists/oss-security/2025/03/13/2
• http://www.openwall.com/lists/oss-security/2025/03/13/3
• http://www.openwall.com/lists/oss-security/2025/03/13/8
• http://www.openwall.com/lists/oss-security/2025/03/14/1
• http://www.openwall.com/lists/oss-security/2025/03/14/2
• http://www.openwall.com/lists/oss-security/2025/03/14/3
• http://www.openwall.com/lists/oss-security/2025/03/14/4
• http://www.openwall.com/lists/oss-security/2025/05/06/3
• https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html
• https://source.android.com/docs/security/bulletin/2025-05-01
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-27363
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• https://github.com/tin-z/CVE-2025-27363

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

Remediation

Upgrade Ubuntu:20.04 libpng1.6 to version 1.6.37-2ubuntu0.1~esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-25646
• https://github.com/pnggroup/libpng/commit/01d03b8453eb30ade759cd45c707e5a1c7277d88
• http://www.openwall.com/lists/oss-security/2026/02/09/7
• https://github.com/pnggroup/libpng/security/advisories/GHSA-g8hp-mq4h-rqm3

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior.

Remediation

Upgrade Ubuntu:20.04 libssh to version 0.9.3-2ubuntu2.5+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-5318
• https://access.redhat.com/security/cve/CVE-2025-5318
• https://bugzilla.redhat.com/show_bug.cgi?id=2369131
• https://www.libssh.org/security/advisories/CVE-2025-5318.txt
• https://access.redhat.com/errata/RHSA-2025:18231
• https://access.redhat.com/errata/RHSA-2025:18275
• https://access.redhat.com/errata/RHSA-2025:18286
• https://access.redhat.com/errata/RHSA-2025:19012
• https://access.redhat.com/errata/RHSA-2025:19098
• https://access.redhat.com/errata/RHSA-2025:19101
• https://access.redhat.com/errata/RHSA-2025:19400
• https://access.redhat.com/errata/RHSA-2025:19401
• https://access.redhat.com/errata/RHSA-2025:19470
• https://access.redhat.com/errata/RHSA-2025:19472
• https://access.redhat.com/errata/RHSA-2025:19295
• https://access.redhat.com/errata/RHSA-2025:19313
• https://access.redhat.com/errata/RHSA-2025:19300
• https://access.redhat.com/errata/RHSA-2025:19807
• https://access.redhat.com/errata/RHSA-2025:20943
• https://access.redhat.com/errata/RHSA-2025:21013
• https://access.redhat.com/errata/RHSA-2025:19864
• https://access.redhat.com/errata/RHSA-2025:21329
• https://access.redhat.com/errata/RHSA-2025:21829
• https://access.redhat.com/errata/RHSA-2025:22275
• https://access.redhat.com/errata/RHSA-2025:23078
• https://access.redhat.com/errata/RHSA-2025:23079
• https://access.redhat.com/errata/RHSA-2025:23080
• https://access.redhat.com/errata/RHSA-2026:0326
• https://access.redhat.com/errata/RHSA-2026:1541
• https://access.redhat.com/errata/RHSA-2026:3461
• https://access.redhat.com/errata/RHSA-2026:3462

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Remediation

Upgrade Ubuntu:20.04 perl to version 5.30.0-9ubuntu0.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-31484
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
• http://www.openwall.com/lists/oss-security/2023/04/29/1
• http://www.openwall.com/lists/oss-security/2023/05/03/3
• http://www.openwall.com/lists/oss-security/2023/05/03/5
• http://www.openwall.com/lists/oss-security/2023/05/07/2
• https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
• https://github.com/andk/cpanpm/pull/175
• https://lists.debian.org/debian-lts-announce/2024/10/msg00017.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
• https://metacpan.org/dist/CPAN/changes
• https://security.netapp.com/advisory/ntap-20240621-0007/
• https://www.openwall.com/lists/oss-security/2023/04/18/14

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function bfd_mach_o_get_synthetic_symtab in match-o.c.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-47695
• https://sourceware.org/bugzilla/show_bug.cgi?id=29846

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An issue was discovered Binutils objdump before 2.39.3 allows attackers to cause a denial of service or other unspecified impacts via function compare_symbols.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-47696
• https://sourceware.org/bugzilla/show_bug.cgi?id=29677

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.11+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-5244
• https://sourceware.org/bugzilla/attachment.cgi?id=16010
• https://sourceware.org/bugzilla/show_bug.cgi?id=32858
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d1458933830456e54223d9fc61f0d9b3a19256f5
• https://vuldb.com/?ctiid.310346
• https://vuldb.com/?id.310346
• https://vuldb.com/?submit.584634
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.11+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-5245
• https://sourceware.org/bugzilla/attachment.cgi?id=16004
• https://sourceware.org/bugzilla/show_bug.cgi?id=32829
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a
• https://vuldb.com/?ctiid.310347
• https://vuldb.com/?id.310347
• https://vuldb.com/?submit.584635
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.11+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-7545
• https://sourceware.org/bugzilla/attachment.cgi?id=16117
• https://sourceware.org/bugzilla/show_bug.cgi?id=33049
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944
• https://vuldb.com/?ctiid.316243
• https://vuldb.com/?id.316243
• https://vuldb.com/?submit.614355
• https://www.gnu.org/
• https://sourceware.org/bugzilla/show_bug.cgi?id=33049#c1

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with "[f]ixed for 2.46".

Remediation

There is no fixed version for Ubuntu:20.04 binutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11083
• https://sourceware.org/bugzilla/attachment.cgi?id=16353
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490
• https://vuldb.com/?ctiid.326124
• https://vuldb.com/?id.326124
• https://vuldb.com/?submit.661277
• https://www.gnu.org/
• https://sourceware.org/bugzilla/show_bug.cgi?id=33457
• https://sourceware.org/bugzilla/show_bug.cgi?id=33457#c1

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. The code maintainer replied with "[f]ixed for 2.46".

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.11+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11082
• https://sourceware.org/bugzilla/attachment.cgi?id=16358
• https://sourceware.org/bugzilla/show_bug.cgi?id=33464
• https://sourceware.org/bugzilla/show_bug.cgi?id=33464#c2
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea1a0737c7692737a644af0486b71e4a392cbca8
• https://vuldb.com/?ctiid.326123
• https://vuldb.com/?id.326123
• https://vuldb.com/?submit.661276
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An issue was discovered in Binutils addr2line before 2.39.3, function parse_module contains multiple out of bound reads which may cause a denial of service or other unspecified impacts.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-47673
• https://sourceware.org/bugzilla/show_bug.cgi?id=29876

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Heap buffer overflow vulnerability in binutils readelf before 2.40 via function display_debug_section in file readelf.c.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-45703
• https://security.netapp.com/advisory/ntap-20231006-0003/
• https://sourceware.org/bugzilla/show_bug.cgi?id=29799

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Heap buffer overflow vulnerability in binutils readelf before 2.40 via function find_section_in_set in file readelf.c.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-44840
• https://sourceware.org/bugzilla/show_bug.cgi?id=29732

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.

Remediation

Upgrade Ubuntu:20.04 expat to version 2.2.9-1ubuntu0.8+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-25210
• https://github.com/libexpat/libexpat/pull/1075
• https://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that are longer than 1024 characters can used to exploit a bug in config.c::git_config_copy_or_rename_section_in_file(). This bug can be used to inject arbitrary configuration into a user's $GIT_DIR/config when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as core.pager, core.editor, core.sshCommand, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running git submodule deinit on untrusted repositories or without prior inspection of any submodule sections in $GIT_DIR/config.

Remediation

Upgrade Ubuntu:20.04 git to version 1:2.25.1-1ubuntu3.11 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-29007
• https://github.com/git/git/blob/9ce9dea4e1c2419cca126d29fa7730baa078a11b/Documentation/RelNotes/2.30.9.txt
• https://github.com/git/git/commit/528290f8c61222433a8cf02fb7cfffa8438432b4
• https://github.com/git/git/security/advisories/GHSA-v48j-4xgg-4844
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/
• https://security.gentoo.org/glsa/202312-15
• https://github.com/ethiack/CVE-2023-29007

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.

Remediation

Upgrade Ubuntu:20.04 git to version 1:2.25.1-1ubuntu3.12 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-32004
• http://www.openwall.com/lists/oss-security/2024/05/14/2
• https://git-scm.com/docs/git-clone
• https://github.com/git/git/commit/f4aa8c8bb11dae6e769cd930565173808cbb69c8
• https://github.com/git/git/security/advisories/GHSA-xfc6-vwr8-r389
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with git clone --no-local to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a .zip file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.

Remediation

Upgrade Ubuntu:20.04 git to version 1:2.25.1-1ubuntu3.12 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-32465
• http://www.openwall.com/lists/oss-security/2024/05/14/2
• https://git-scm.com/docs/git#_security
• https://git-scm.com/docs/git-clone
• https://github.com/git/git/commit/7b70e9efb18c2cc3f219af399bd384c5801ba1d7
• https://github.com/git/git/security/advisories/GHSA-vm9j-46j9-qvq4
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/

NVD Description

Note: Versions mentioned in the description apply only to the upstream less package and not the less package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE.

Remediation

Upgrade Ubuntu:20.04 less to version 551-1ubuntu0.2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-48624
• https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144
• https://github.com/gwsw/less/compare/v605...v606
• https://greenwoodsoftware.com/less/
• https://lists.debian.org/debian-lts-announce/2024/05/msg00018.html
• https://security.netapp.com/advisory/ntap-20240605-0010/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

Remediation

Upgrade Ubuntu:20.04 libpng1.6 to version 1.6.37-2ubuntu0.1~esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-22801
• https://github.com/pnggroup/libpng/security/advisories/GHSA-vgjq-8cw5-ggw8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libx11 package and not the libx11 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was found in libX11 due to an integer overflow within the XCreateImage() function. This flaw allows a local user to trigger an integer overflow and execute arbitrary code with elevated privileges.

Remediation

Upgrade Ubuntu:20.04 libx11 to version 2:1.6.9-2ubuntu1.6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-43787
• http://www.openwall.com/lists/oss-security/2024/01/24/9
• https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-two/
• https://security.netapp.com/advisory/ntap-20231103-0006/
• https://access.redhat.com/errata/RHSA-2024:2145
• https://access.redhat.com/errata/RHSA-2024:2973
• https://access.redhat.com/security/cve/CVE-2023-43787
• https://bugzilla.redhat.com/show_bug.cgi?id=2242254
• https://lists.debian.org/debian-lts-announce/2023/10/msg00005.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

Remediation

Upgrade Ubuntu:20.04 ncurses to version 6.2-0ubuntu2.1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-29491
• http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commit;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56
• http://ncurses.scripts.mit.edu/?p=ncurses.git%3Ba=commit%3Bh=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56
• http://www.openwall.com/lists/oss-security/2023/04/19/10
• http://www.openwall.com/lists/oss-security/2023/04/19/11
• https://lists.debian.org/debian-lts-announce/2023/12/msg00004.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LU4MYMKFEZQ5VSCVLRIZGDQOUW3T44GT/
• https://security.netapp.com/advisory/ntap-20230517-0009/
• https://support.apple.com/kb/HT213843
• https://support.apple.com/kb/HT213844
• https://support.apple.com/kb/HT213845
• https://www.openwall.com/lists/oss-security/2023/04/12/5
• https://www.openwall.com/lists/oss-security/2023/04/13/4

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

Remediation

There is no fixed version for Ubuntu:20.04 pam.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8941
• https://access.redhat.com/security/cve/CVE-2025-8941
• https://bugzilla.redhat.com/show_bug.cgi?id=2388220
• https://access.redhat.com/errata/RHSA-2025:14557
• https://access.redhat.com/errata/RHSA-2025:15100
• https://access.redhat.com/errata/RHSA-2025:15104
• https://access.redhat.com/errata/RHSA-2025:15107
• https://access.redhat.com/errata/RHSA-2025:15099
• https://access.redhat.com/errata/RHSA-2025:15101
• https://access.redhat.com/errata/RHSA-2025:15102
• https://access.redhat.com/errata/RHSA-2025:15103
• https://access.redhat.com/errata/RHSA-2025:15105
• https://access.redhat.com/errata/RHSA-2025:15106
• https://access.redhat.com/errata/RHSA-2025:15709
• https://access.redhat.com/errata/RHSA-2025:15828
• https://access.redhat.com/errata/RHSA-2025:15827
• https://access.redhat.com/errata/RHSA-2025:16524
• https://access.redhat.com/errata/RHSA-2025:18219
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:21885

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was found in perl 5.30.0 through 5.38.0. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.

Remediation

Upgrade Ubuntu:20.04 perl to version 5.30.0-9ubuntu0.5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-47038
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNEEWAACXQCEEAKSG7XX2D5YDRWLCIZJ/
• https://perldoc.perl.org/perl5382delta#CVE-2023-47038-Write-past-buffer-end-via-illegal-user-defined-Unicode-property
• https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010
• https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6
• https://github.com/Perl/perl5/commit/ff1f9f59360afeebd6f75ca1502f5c3ebf077da3
• https://github.com/aquasecurity/trivy/discussions/8400
• https://ubuntu.com/security/CVE-2023-47100
• https://www.suse.com/security/cve/CVE-2023-47100.html
• https://access.redhat.com/errata/RHSA-2024:2228
• https://access.redhat.com/errata/RHSA-2024:3128
• https://access.redhat.com/security/cve/CVE-2023-47038
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056746
• https://bugzilla.redhat.com/show_bug.cgi?id=2249523
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMDZZ4SCEW6FRWZDMXGAKZ35THTAWFG6/

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability, which was classified as problematic, was found in GNU Binutils up to 2.43. This affects the function disassemble_bytes of the file binutils/objdump.c. The manipulation of the argument buf leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 2.44 is able to address this issue. The identifier of the patch is baac6c221e9d69335bf41366a1c7d87d8ab2f893. It is recommended to upgrade the affected component.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.10 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-0840
• https://sourceware.org/bugzilla/attachment.cgi?id=15882
• https://sourceware.org/bugzilla/show_bug.cgi?id=32560
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=baac6c221e9d69335bf41366a1c7d87d8ab2f893
• https://vuldb.com/?ctiid.293997
• https://vuldb.com/?id.293997
• https://vuldb.com/?submit.485255
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Heap-based Buffer Overflow in function bfd_getl32 in Binutils objdump 3.37.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-46174
• https://sourceware.org/bugzilla/show_bug.cgi?id=28753

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

Remediation

There is no fixed version for Ubuntu:20.04 expat.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-8176
• https://access.redhat.com/security/cve/CVE-2024-8176
• https://bugzilla.redhat.com/show_bug.cgi?id=2310137
• https://github.com/libexpat/libexpat/issues/893
• http://www.openwall.com/lists/oss-security/2025/03/15/1
• https://blog.hartwork.org/posts/expat-2-7-0-released/
• https://bugzilla.suse.com/show_bug.cgi?id=1239618
• https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes#L40-L52
• https://gitlab.alpinelinux.org/alpine/aports/-/commit/d068c3ff36fc6f4789988a09c69b434db757db53
• https://security-tracker.debian.org/tracker/CVE-2024-8176
• https://ubuntu.com/security/CVE-2024-8176
• https://security.netapp.com/advisory/ntap-20250328-0009/
• https://access.redhat.com/errata/RHSA-2025:3531
• https://access.redhat.com/errata/RHSA-2025:3734
• https://access.redhat.com/errata/RHSA-2025:3913
• https://access.redhat.com/errata/RHSA-2025:4048
• https://access.redhat.com/errata/RHSA-2025:4447
• https://access.redhat.com/errata/RHSA-2025:4446
• https://access.redhat.com/errata/RHSA-2025:4448
• https://access.redhat.com/errata/RHSA-2025:4449
• https://www.kb.cert.org/vuls/id/760160
• https://access.redhat.com/errata/RHSA-2025:7444
• https://access.redhat.com/errata/RHSA-2025:7512
• https://access.redhat.com/errata/RHSA-2025:8385
• https://access.redhat.com/errata/RHSA-2025:13681
• http://seclists.org/fulldisclosure/2025/May/10
• http://seclists.org/fulldisclosure/2025/May/11
• http://seclists.org/fulldisclosure/2025/May/12
• http://seclists.org/fulldisclosure/2025/May/6
• http://seclists.org/fulldisclosure/2025/May/7
• http://seclists.org/fulldisclosure/2025/May/8
• http://www.openwall.com/lists/oss-security/2025/09/24/11
• https://access.redhat.com/errata/RHSA-2025:22033
• https://access.redhat.com/errata/RHSA-2025:22035
• https://access.redhat.com/errata/RHSA-2025:22034
• https://access.redhat.com/errata/RHSA-2025:22607
• https://access.redhat.com/errata/RHSA-2025:22785
• https://access.redhat.com/errata/RHSA-2025:22842
• https://access.redhat.com/errata/RHSA-2025:22871

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

Remediation

Upgrade Ubuntu:20.04 expat to version 2.2.9-1ubuntu0.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-45490
• https://github.com/libexpat/libexpat/issues/887
• https://github.com/libexpat/libexpat/pull/890
• https://security.netapp.com/advisory/ntap-20241018-0004/
• http://seclists.org/fulldisclosure/2024/Dec/10
• http://seclists.org/fulldisclosure/2024/Dec/12
• http://seclists.org/fulldisclosure/2024/Dec/6
• http://seclists.org/fulldisclosure/2024/Dec/7
• http://seclists.org/fulldisclosure/2024/Dec/8
• https://lists.debian.org/debian-lts-announce/2024/09/msg00036.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

Remediation

Upgrade Ubuntu:20.04 freetype to version 2.10.1-2ubuntu0.3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-2004
• https://access.redhat.com/security/cve/CVE-2023-2004
• https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
• https://bugzilla.redhat.com/show_bug.cgi?id=2186428
• https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4AOSGAOPXLBK4A5ZRTVZ4M6QKVLSWMWG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FEJZMAUB4XP44HSHEBDWEKFGA7DUHY42/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KDNGTGQAUZJ6YQDI2AVGYIFFPUMMZLKS/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NGWWGQULJ7QRNP4GY57HE7OO7VMRWMPN/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RJQI63HWZFL6M26Q6UOHKDY6LD2PFC5Z/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFZWDF43D73C5KWFF26GIIVZJKEFPS3K/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRSEIYMPWLVPGTC34N2Q3WAUHGGOWSWP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IHHD6KNH4WLUE6JG6HRQZWNAJMHJ32X7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLO7BL2MHZYPY6O3OAEAQL3SKYMGGO6M/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ES2CDRHR2Y4WY6DNDIAPYZFXJU3ZBFAV/

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using git apply with --reject when applying patches from an untrusted source. Use git apply --stat to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the *.rej file exists.

Remediation

Upgrade Ubuntu:20.04 git to version 1:2.25.1-1ubuntu3.11 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-25652
• http://www.openwall.com/lists/oss-security/2023/04/25/2
• https://github.com/git/git/commit/18e2b1cfc80990719275d7b08e6e50f3e8cbc902
• https://github.com/git/git/commit/668f2d53613ac8fd373926ebe219f2c29112d93e
• https://github.com/git/git/security/advisories/GHSA-2hvf-7c8p-28fx
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BSXOGVVBJLYX26IAYX6PJSYQB36BREWH/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI7FZ4NNR5S5J5K6AMVQBH2JFP6NE4L7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RKOXOAZ42HLXHXTW6JZI4L5DAIYDTYCU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YFZWGQKB6MM5MNF2DLFTD7KS2KWPICKL/
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Git, a revision control system, is vulnerable to path traversal prior to versions 2.39.2, 2.38.4, 2.37.6, 2.36.5, 2.35.7, 2.34.7, 2.33.7, 2.32.6, 2.31.7, and 2.30.8. By feeding a crafted input to git apply, a path outside the working tree can be overwritten as the user who is running git apply. A fix has been prepared and will appear in v2.39.2, v2.38.4, v2.37.6, v2.36.5, v2.35.7, v2.34.7, v2.33.7, v2.32.6, v2.31.7, and v2.30.8. As a workaround, use git apply --stat to inspect a patch before applying; avoid applying one that creates a symbolic link and then creates a file beyond the symbolic link.

Remediation

Upgrade Ubuntu:20.04 git to version 1:2.25.1-1ubuntu3.10 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-23946
• https://github.com/git/git/commit/c867e4fa180bec4750e9b54eb10f459030dbebfd
• https://github.com/git/git/security/advisories/GHSA-r87m-v37r-cwfh
• https://security.gentoo.org/glsa/202312-15

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit b01b9b8 which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.

Remediation

Upgrade Ubuntu:20.04 git to version 1:2.25.1-1ubuntu3.14 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52006
• https://github.com/git-ecosystem/git-credential-manager/security/advisories/GHSA-86c2-4x57-wc8g
• https://github.com/git/git/commit/b01b9b81d36759cdcd07305e78765199e1bc2060
• https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
• https://github.com/git/git/security/advisories/GHSA-r5ph-xg7q-xfrp
• https://lists.debian.org/debian-lts-announce/2025/01/msg00025.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

Remediation

Upgrade Ubuntu:20.04 gnutls28 to version 3.6.13-2ubuntu1.10 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-0553
• http://www.openwall.com/lists/oss-security/2024/01/19/3
• https://lists.debian.org/debian-lts-announce/2024/02/msg00010.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/
• https://security.netapp.com/advisory/ntap-20240202-0011/
• https://access.redhat.com/errata/RHSA-2024:0533
• https://access.redhat.com/errata/RHSA-2024:0627
• https://access.redhat.com/errata/RHSA-2024:0796
• https://access.redhat.com/errata/RHSA-2024:1082
• https://access.redhat.com/errata/RHSA-2024:1108
• https://access.redhat.com/errata/RHSA-2024:1383
• https://access.redhat.com/errata/RHSA-2024:2094
• https://access.redhat.com/security/cve/CVE-2024-0553
• https://bugzilla.redhat.com/show_bug.cgi?id=2258412
• https://gitlab.com/gnutls/gnutls/-/issues/1522
• https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream heimdal package and not the heimdal package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.

Remediation

Upgrade Ubuntu:20.04 heimdal to version 7.7.0+dfsg-1ubuntu1.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-45142
• https://security.gentoo.org/glsa/202310-06
• https://www.openwall.com/lists/oss-security/2023/02/08/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

Remediation

Upgrade Ubuntu:20.04 krb5 to version 1.17-6ubuntu4.6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-37370
• https://security.netapp.com/advisory/ntap-20241108-0007/
• https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef
• https://web.mit.edu/kerberos/www/advisories/

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.

Remediation

Upgrade Ubuntu:20.04 krb5 to version 1.17-6ubuntu4.3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-36222
• https://github.com/krb5/krb5/commit/fc98f520caefff2e5ee9a0026fdf5109944b3562
• https://www.debian.org/security/2021/dsa-4944
• https://github.com/krb5/krb5/releases
• https://web.mit.edu/kerberos/advisories/
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://security.netapp.com/advisory/ntap-20211022-0003/
• https://security.netapp.com/advisory/ntap-20211104-0007/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A weakness has been identified in libssh up to 0.11.3. The impacted element is the function sftp_extensions_get_name/sftp_extensions_get_data of the file src/sftp.c of the component SFTP Extension Name Handler. Executing a manipulation of the argument idx can lead to out-of-bounds read. The attack may be performed from remote. Upgrading to version 0.11.4 and 0.12.0 is sufficient to resolve this issue. This patch is called 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60. You should upgrade the affected component.

Remediation

There is no fixed version for Ubuntu:20.04 libssh.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-3731
• https://gitlab.com/libssh/libssh-mirror/-/commit/855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60
• https://vuldb.com/?ctiid.349709
• https://vuldb.com/?id.349709
• https://vuldb.com/?submit.767120
• https://www.libssh.org/files/0.12/libssh-0.12.0.tar.xz
• https://www.libssh.org/security/advisories/libssh-2026-sftp-extensions.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream libx11 package and not the libx11 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was found in libX11. The security flaw occurs because the functions in src/InitExt.c in libX11 do not check that the values provided for the Request, Event, or Error IDs are within the bounds of the arrays that those functions write to, using those IDs as array indexes. They trust that they were called with values provided by an Xserver adhering to the bounds specified in the X11 protocol, as all X servers provided by X.Org do. As the protocol only specifies a single byte for these values, an out-of-bounds value provided by a malicious server (or a malicious proxy-in-the-middle) can only overwrite other portions of the Display structure and not write outside the bounds of the Display structure itself, possibly causing the client to crash with this memory corruption.

Remediation

Upgrade Ubuntu:20.04 libx11 to version 2:1.6.9-2ubuntu1.5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-3138
• https://access.redhat.com/security/cve/CVE-2023-3138
• https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c
• https://lists.x.org/archives/xorg-announce/2023-June/003406.html
• https://lists.x.org/archives/xorg-announce/2023-June/003407.html
• https://security.netapp.com/advisory/ntap-20231208-0008/

NVD Description

Note: Versions mentioned in the description apply only to the upstream nghttp2 package and not the nghttp2 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.

Remediation

Upgrade Ubuntu:20.04 nghttp2 to version 1.40.0-1ubuntu0.1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-11080
• https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr
• https://www.debian.org/security/2020/dsa-4696
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL/
• https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090
• https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpujul2020.html
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AAC2AA36OTRHKSVM5OV7TTVB3CZIGEFL/
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.

The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected.

These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0.

The OpenSSL asn1parse command line application is also impacted by this issue.

Remediation

Upgrade Ubuntu:20.04 openssl to version 1.1.1f-1ubuntu2.17 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-4450
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=63bcf189be73a9cc1264059bed6f57974be74a83
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bbcf509bd046b34cca19c766bbddc31683d0858b
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003
• https://security.gentoo.org/glsa/202402-08
• https://www.openssl.org/news/secadv/20230207.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.

This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.

Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream.

The OpenSSL cms and smime command line applications are similarly affected.

Remediation

Upgrade Ubuntu:20.04 openssl to version 1.1.1f-1ubuntu2.17 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-0215
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9816136fe31d92ace4037d5da5257f763aeeb4eb
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c3829dd8825c654652201e16f8a0a0c46ee3f344
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003
• https://security.gentoo.org/glsa/202402-08
• https://security.netapp.com/advisory/ntap-20230427-0007/
• https://security.netapp.com/advisory/ntap-20230427-0009/
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://www.openssl.org/news/secadv/20230207.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

Remediation

Upgrade Ubuntu:20.04 gnutls28 to version 3.6.13-2ubuntu1.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-0361
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFIA3X4IZ3CW7SRQ2UHNHNPMRIAWF2FI/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WS4KVDOG6QTALWHC2QE4Y7VPDRMLTRWQ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z634YBXAJ5VLDI62IOPBVP5K6YFHAWCY/
• https://access.redhat.com/security/cve/CVE-2023-0361
• https://github.com/tlsfuzzer/tlsfuzzer/pull/679
• https://gitlab.com/gnutls/gnutls/-/issues/1050
• https://lists.debian.org/debian-lts-announce/2023/02/msg00015.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UFIA3X4IZ3CW7SRQ2UHNHNPMRIAWF2FI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WS4KVDOG6QTALWHC2QE4Y7VPDRMLTRWQ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z634YBXAJ5VLDI62IOPBVP5K6YFHAWCY/
• https://security.netapp.com/advisory/ntap-20230324-0005/
• https://security.netapp.com/advisory/ntap-20230725-0005/

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.

Remediation

Upgrade Ubuntu:20.04 sqlite3 to version 3.31.1-4ubuntu0.6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-7104
• https://lists.debian.org/debian-lts-announce/2024/09/msg00050.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AYONA2XSNFMXLAW4IHLFI5UVV3QRNG5K/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D6C2HN4T2S6GYNTAUXLH45LQZHK7QPHP/
• https://security.netapp.com/advisory/ntap-20240112-0008/
• https://sqlite.org/forum/forumpost/5bcbf4571c
• https://sqlite.org/src/info/0e4e7a05c4204b47
• https://vuldb.com/?ctiid.248999
• https://vuldb.com/?id.248999

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An out-of-bounds read flaw was found in the parse_module function in bfd/vms-alpha.c in Binutils.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-25584
• https://access.redhat.com/security/cve/CVE-2023-25584
• https://bugzilla.redhat.com/show_bug.cgi?id=2167467
• https://security.netapp.com/advisory/ntap-20231103-0002/
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=77c225bdeb410cf60da804879ad41622f5f1aa44

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the objects/ directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's objects/ directory. When cloning a repository over the filesystem (without explicitly specifying the file:// protocol or --no-local), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.

Remediation

Upgrade Ubuntu:20.04 git to version 1:2.25.1-1ubuntu3.12 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-32021
• http://www.openwall.com/lists/oss-security/2024/05/14/2
• https://github.com/git/git/security/advisories/GHSA-mvxm-9j2h-qjx7
• https://lists.debian.org/debian-lts-announce/2024/06/msg00018.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00009.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S4CK4IYTXEOBZTEM5K3T6LWOIZ3S44AR/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng1.6 package and not the libpng1.6 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.

Remediation

Upgrade Ubuntu:20.04 libpng1.6 to version 1.6.37-2ubuntu0.1~esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2026-22695
• https://github.com/pnggroup/libpng/commit/218612ddd6b17944e21eda56caf8b4bf7779d1ea
• https://github.com/pnggroup/libpng/commit/e4f7ad4ea2
• https://github.com/pnggroup/libpng/issues/778
• https://github.com/pnggroup/libpng/security/advisories/GHSA-mmq5-27w3-rxpp

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

Remediation

Upgrade Ubuntu:20.04 openssh to version 1:8.2p1-4ubuntu0.12 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-26465
• https://access.redhat.com/security/cve/CVE-2025-26465
• https://bugzilla.redhat.com/show_bug.cgi?id=2344780
• https://blog.qualys.com/vulnerabilities-threat-research/2025/02/18/qualys-tru-discovers-two-vulnerabilities-in-openssh-cve-2025-26465-cve-2025-26466
• https://bugzilla.suse.com/show_bug.cgi?id=1237040
• https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/008_ssh.patch.sig
• https://lists.debian.org/debian-lts-announce/2025/02/msg00020.html
• https://lists.mindrot.org/pipermail/openssh-unix-announce/2025-February/000161.html
• https://security-tracker.debian.org/tracker/CVE-2025-26465
• https://security.netapp.com/advisory/ntap-20250228-0003/
• https://ubuntu.com/security/CVE-2025-26465
• https://www.openssh.com/releasenotes.html#9.9p2
• https://www.openwall.com/lists/oss-security/2025/02/18/1
• https://www.openwall.com/lists/oss-security/2025/02/18/4
• https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/
• https://www.vicarius.io/vsociety/posts/cve-2025-26465-detect-vulnerable-openssh
• https://www.vicarius.io/vsociety/posts/cve-2025-26465-mitigate-vulnerable-openssh
• https://access.redhat.com/errata/RHSA-2025:3837
• https://access.redhat.com/errata/RHSA-2025:6993
• https://access.redhat.com/errata/RHSA-2025:8385
• https://access.redhat.com/errata/RHSA-2025:16823
• https://access.redhat.com/solutions/7109879
• http://seclists.org/fulldisclosure/2025/May/7
• http://seclists.org/fulldisclosure/2025/May/8
• http://seclists.org/fulldisclosure/2025/Feb/18
• https://seclists.org/oss-sec/2025/q1/144

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

Remediation

Upgrade Ubuntu:20.04 curl to version 7.68.0-1ubuntu2.16 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-23916
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BQKE6TXYDHOTFHLTBZ5X73GTKI7II5KO/
• https://hackerone.com/reports/1826048
• https://lists.debian.org/debian-lts-announce/2023/02/msg00035.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQKE6TXYDHOTFHLTBZ5X73GTKI7II5KO/
• https://security.gentoo.org/glsa/202310-12
• https://security.netapp.com/advisory/ntap-20230309-0006/
• https://www.debian.org/security/2023/dsa-5365

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with domain=co.UK when the URL used a lower case hostname curl.co.uk, even though co.uk is listed as a PSL domain.

Remediation

Upgrade Ubuntu:20.04 curl to version 7.68.0-1ubuntu2.21 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-46218
• https://curl.se/docs/CVE-2023-46218.html
• https://hackerone.com/reports/2212193
• https://lists.debian.org/debian-lts-announce/2023/12/msg00015.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ZX3VW67N4ACRAPMV2QS2LVYGD7H2MVE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOGXU25FMMT2X6UUITQ7EZZYMJ42YWWD/
• https://security.netapp.com/advisory/ntap-20240125-0007/
• https://www.debian.org/security/2023/dsa-5587

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

libcurl's ASN1 parser code has the GTime2str() function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the time fraction, leading to a strlen() getting performed on a pointer to a heap buffer area that is not (purposely) null terminated.

This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO is used.

Remediation

Upgrade Ubuntu:20.04 curl to version 7.68.0-1ubuntu2.23 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-7264
• https://curl.se/docs/CVE-2024-7264.html
• https://curl.se/docs/CVE-2024-7264.json
• https://hackerone.com/reports/2629968
• https://github.com/curl/curl/commit/27959ecce75cdb2809c0bdb3286e60e08fadb519
• https://security.netapp.com/advisory/ntap-20240828-0008/
• http://www.openwall.com/lists/oss-security/2024/07/31/1
• https://security.netapp.com/advisory/ntap-20241025-0006/
• https://security.netapp.com/advisory/ntap-20241025-0010/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().

Remediation

Upgrade Ubuntu:20.04 gnutls28 to version 3.6.13-2ubuntu1.12+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-6395
• https://access.redhat.com/security/cve/CVE-2025-6395
• https://bugzilla.redhat.com/show_bug.cgi?id=2376755
• https://access.redhat.com/errata/RHSA-2025:16115
• https://access.redhat.com/errata/RHSA-2025:16116
• https://access.redhat.com/errata/RHSA-2025:17348
• https://access.redhat.com/errata/RHSA-2025:17361
• https://access.redhat.com/errata/RHSA-2025:17415
• https://access.redhat.com/errata/RHSA-2025:19088
• https://lists.debian.org/debian-lts-announce/2025/08/msg00005.html
• http://www.openwall.com/lists/oss-security/2025/07/11/3
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:22529

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

Remediation

Upgrade Ubuntu:20.04 krb5 to version 1.17-6ubuntu4.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-36054
• https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd
• https://github.com/krb5/krb5/compare/krb5-1.20.1-final...krb5-1.20.2-final
• https://github.com/krb5/krb5/compare/krb5-1.21-final...krb5-1.21.1-final
• https://lists.debian.org/debian-lts-announce/2023/10/msg00031.html
• https://security.netapp.com/advisory/ntap-20230908-0004/
• https://web.mit.edu/kerberos/www/advisories/

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.

Remediation

Upgrade Ubuntu:20.04 krb5 to version 1.17-6ubuntu4.3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-37750
• https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49
• https://security.netapp.com/advisory/ntap-20210923-0002/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MFCLW7D46E4VCREKKH453T5DA4XOLHU2/
• https://github.com/krb5/krb5/releases
• https://web.mit.edu/kerberos/advisories/
• https://lists.debian.org/debian-lts-announce/2021/09/msg00019.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MFCLW7D46E4VCREKKH453T5DA4XOLHU2/
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.starwindsoftware.com/security/sw-20220817-0004/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in thepki_verify_data_signature function in memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value rc, which is initialized to SSH_ERROR and later rewritten to save the return value of the function call pki_key_check_hash_compatible. The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls goto error returning SSH_OK.

Remediation

Upgrade Ubuntu:20.04 libssh to version 0.9.3-2ubuntu2.3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-2283
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27PD44ALQTZXX7K6JAM3BXBUHYA6DFFN/
• http://packetstormsecurity.com/files/172861/libssh-0.9.6-0.10.4-pki_verify_data_signature-Authorization-Bypass.html
• http://seclists.org/fulldisclosure/2025/Feb/18
• https://access.redhat.com/security/cve/CVE-2023-2283
• https://bugzilla.redhat.com/show_bug.cgi?id=2189736
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27PD44ALQTZXX7K6JAM3BXBUHYA6DFFN/
• https://security.gentoo.org/glsa/202312-05
• https://security.netapp.com/advisory/ntap-20240201-0005/
• https://www.libssh.org/security/advisories/CVE-2023-2283.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A NULL pointer dereference was found In libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service.

Remediation

Upgrade Ubuntu:20.04 libssh to version 0.9.3-2ubuntu2.3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-1667
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27PD44ALQTZXX7K6JAM3BXBUHYA6DFFN/
• http://www.libssh.org/security/advisories/CVE-2023-1667.txt
• https://access.redhat.com/security/cve/CVE-2023-1667
• https://bugzilla.redhat.com/show_bug.cgi?id=2182199
• https://lists.debian.org/debian-lts-announce/2023/05/msg00029.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27PD44ALQTZXX7K6JAM3BXBUHYA6DFFN/
• https://security.gentoo.org/glsa/202312-05

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

Remediation

Upgrade Ubuntu:20.04 openssh to version 1:8.2p1-4ubuntu0.11 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-51385
• http://www.openwall.com/lists/oss-security/2025/10/07/1
• http://www.openwall.com/lists/oss-security/2025/10/12/1
• http://seclists.org/fulldisclosure/2024/Mar/21
• http://www.openwall.com/lists/oss-security/2023/12/26/4
• https://github.com/openssh/openssh-portable/commit/7ef3787c84b6b524501211b11a26c742f829af1a
• https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html
• https://security.gentoo.org/glsa/202312-17
• https://security.netapp.com/advisory/ntap-20240105-0005/
• https://support.apple.com/kb/HT214084
• https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html
• https://www.debian.org/security/2023/dsa-5586
• https://www.openssh.com/txt/release-9.6
• https://www.openwall.com/lists/oss-security/2023/12/18/2
• https://github.com/vin01/poc-proxycommand-vulnerable

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service.

An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods.

When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*).

With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms.

Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data.

Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low.

In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature.

The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication.

In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.

Remediation

Upgrade Ubuntu:20.04 openssl to version 1.1.1f-1ubuntu2.19 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-2650
• http://www.openwall.com/lists/oss-security/2023/05/30/1
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=423a2bc737a908ad0c77bda470b2b59dc879936b
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=853c5e56ee0b8650c73140816bb8b91d6163422c
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9e209944b35cf82368071f160a744b6178f9b098
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db779b0e10b047f2585615e0b8f2acdf21f8544a
• https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0009
• https://security.gentoo.org/glsa/202402-08
• https://security.netapp.com/advisory/ntap-20230703-0001/
• https://security.netapp.com/advisory/ntap-20231027-0009/
• https://www.debian.org/security/2023/dsa-5417
• https://www.openssl.org/news/secadv/20230530.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Remediation

There is no fixed version for Ubuntu:20.04 wget.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-31879
• https://security.netapp.com/advisory/ntap-20210618-0002/
• https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

Remediation

Upgrade Ubuntu:20.04 curl to version 7.68.0-1ubuntu2.18 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-27535
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/
• https://hackerone.com/reports/1892780
• https://lists.debian.org/debian-lts-announce/2023/04/msg00025.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36NBD5YLJXXEDZLDGNFCERWRYJQ6LAQW/
• https://security.gentoo.org/glsa/202310-12
• https://security.netapp.com/advisory/ntap-20230420-0010/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was found that the response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from response times of ciphertexts with correct PKCS#1 v1.5 padding.

Remediation

Upgrade Ubuntu:20.04 gnutls28 to version 3.6.13-2ubuntu1.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-5981
• http://www.openwall.com/lists/oss-security/2024/01/19/3
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZEIOLORQ7N6WRPFXZSYDL2MC4LP7VFV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXKVR5YNUEBNHAHM5GSYKBZX4W2HMN2/
• https://lists.debian.org/debian-lts-announce/2023/11/msg00016.html
• https://access.redhat.com/errata/RHSA-2024:0155
• https://access.redhat.com/errata/RHSA-2024:0319
• https://access.redhat.com/errata/RHSA-2024:0399
• https://access.redhat.com/errata/RHSA-2024:0451
• https://access.redhat.com/errata/RHSA-2024:0533
• https://access.redhat.com/errata/RHSA-2024:1383
• https://access.redhat.com/errata/RHSA-2024:2094
• https://access.redhat.com/security/cve/CVE-2023-5981
• https://bugzilla.redhat.com/show_bug.cgi?id=2248445
• https://gnutls.org/security-new.html#GNUTLS-SA-2023-10-23

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.

Remediation

Upgrade Ubuntu:20.04 krb5 to version 1.17-6ubuntu4.11 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-3576
• https://access.redhat.com/security/cve/CVE-2025-3576
• https://bugzilla.redhat.com/show_bug.cgi?id=2359465
• https://lists.debian.org/debian-lts-announce/2025/05/msg00047.html
• https://access.redhat.com/errata/RHSA-2025:8411
• https://access.redhat.com/errata/RHSA-2025:9418
• https://access.redhat.com/errata/RHSA-2025:9430
• https://access.redhat.com/errata/RHSA-2025:11487
• https://web.mit.edu/kerberos/krb5-1.22/krb5-1.22.html
• https://access.redhat.com/errata/RHSA-2025:13664
• https://access.redhat.com/errata/RHSA-2025:13777
• https://access.redhat.com/errata/RHSA-2025:15000
• https://access.redhat.com/errata/RHSA-2025:15002
• https://access.redhat.com/errata/RHSA-2025:15004
• https://access.redhat.com/errata/RHSA-2025:15001
• https://access.redhat.com/errata/RHSA-2025:15003

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Remediation

Upgrade Ubuntu:20.04 libssh to version 0.9.3-2ubuntu2.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-48795
• https://www.vicarius.io/vsociety/posts/cve-2023-48795-detect-openssh-vulnerabilit
• https://www.vicarius.io/vsociety/posts/cve-2023-48795-mitigate-openssh-vulnerability
• https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00042.html
• https://lists.debian.org/debian-lts-announce/2024/11/msg00032.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/
• http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html
• http://seclists.org/fulldisclosure/2024/Mar/21
• http://www.openwall.com/lists/oss-security/2023/12/18/3
• http://www.openwall.com/lists/oss-security/2023/12/19/5
• http://www.openwall.com/lists/oss-security/2023/12/20/3
• http://www.openwall.com/lists/oss-security/2024/03/06/3
• http://www.openwall.com/lists/oss-security/2024/04/17/8
• https://access.redhat.com/security/cve/cve-2023-48795
• https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
• https://bugs.gentoo.org/920280
• https://bugzilla.redhat.com/show_bug.cgi?id=2254210
• https://bugzilla.suse.com/show_bug.cgi?id=1217950
• https://crates.io/crates/thrussh/versions
• https://filezilla-project.org/versions.php
• https://forum.netgate.com/topic/184941/terrapin-ssh-attack
• https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6
• https://github.com/NixOS/nixpkgs/pull/275249
• https://github.com/PowerShell/Win32-OpenSSH/issues/2189
• https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta
• https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0
• https://github.com/TeraTermProject/teraterm/releases/tag/v5.1
• https://github.com/advisories/GHSA-45x7-px36-x8w8
• https://github.com/apache/mina-sshd/issues/445
• https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab
• https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22
• https://github.com/cyd01/KiTTY/issues/520
• https://github.com/drakkan/sftpgo/releases/tag/v2.5.6
• https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42
• https://github.com/erlang/otp/releases/tag/OTP-26.2.1
• https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d
• https://github.com/hierynomus/sshj/issues/916
• https://github.com/janmojzis/tinyssh/issues/81
• https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5
• https://github.com/libssh2/libssh2/pull/1291
• https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25
• https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3
• https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15
• https://github.com/mwiede/jsch/issues/457
• https://github.com/mwiede/jsch/pull/461
• https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16
• https://github.com/openssh/openssh-portable/commits/master
• https://github.com/paramiko/paramiko/issues/2337
• https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES
• https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES
• https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES
• https://github.com/proftpd/proftpd/issues/456
• https://github.com/rapier1/hpn-ssh/releases
• https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst
• https://github.com/ronf/asyncssh/tags
• https://github.com/ssh-mitm/ssh-mitm/issues/165
• https://github.com/warp-tech/russh/releases/tag/v0.40.2
• https://gitlab.com/libssh/libssh-mirror/-/tags
• https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ
• https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg
• https://help.panic.com/releasenotes/transmit5/
• https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/
• https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html
• https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html
• https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html
• https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/
• https://matt.ucc.asn.au/dropbear/CHANGES
• https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC
• https://news.ycombinator.com/item?id=38684904
• https://news.ycombinator.com/item?id=38685286
• https://news.ycombinator.com/item?id=38732005
• https://nova.app/releases/#v11.8
• https://oryx-embedded.com/download/#changelog
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002
• https://roumenpetrov.info/secsh/#news20231220
• https://security-tracker.debian.org/tracker/CVE-2023-48795
• https://security-tracker.debian.org/tracker/source-package/libssh2
• https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg
• https://security-tracker.debian.org/tracker/source-package/trilead-ssh2
• https://security.gentoo.org/glsa/202312-16
• https://security.gentoo.org/glsa/202312-17
• https://security.netapp.com/advisory/ntap-20240105-0004/
• https://support.apple.com/kb/HT214084
• https://thorntech.com/cve-2023-48795-and-sftp-gateway/
• https://twitter.com/TrueSkrillor/status/1736774389725565005
• https://ubuntu.com/security/CVE-2023-48795
• https://winscp.net/eng/docs/history#6.2.2
• https://www.bitvise.com/ssh-client-version-history#933
• https://www.bitvise.com/ssh-server-version-history
• https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
• https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
• https://www.debian.org/security/2023/dsa-5586
• https://www.debian.org/security/2023/dsa-5588
• https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc
• https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508
• https://www.netsarang.com/en/xshell-update-history/
• https://www.openssh.com/openbsd.html
• https://www.openssh.com/txt/release-9.6
• https://www.openwall.com/lists/oss-security/2023/12/18/2
• https://www.openwall.com/lists/oss-security/2023/12/20/3
• https://www.paramiko.org/changelog.html
• https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/
• https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/
• https://www.terrapin-attack.com
• https://www.theregister.com/2023/12/20/terrapin_attack_ssh
• https://www.vandyke.com/products/securecrt/history.txt
• https://github.com/projectdiscovery/nuclei-templates/blob/main/javascript/cves/2023/CVE-2023-48795.yaml
• https://github.com/TrixSec/CVE-2023-48795

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Remediation

Upgrade Ubuntu:20.04 openssh to version 1:8.2p1-4ubuntu0.10 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-48795
• https://www.vicarius.io/vsociety/posts/cve-2023-48795-detect-openssh-vulnerabilit
• https://www.vicarius.io/vsociety/posts/cve-2023-48795-mitigate-openssh-vulnerability
• https://lists.debian.org/debian-lts-announce/2025/04/msg00028.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00042.html
• https://lists.debian.org/debian-lts-announce/2024/11/msg00032.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/
• http://packetstormsecurity.com/files/176280/Terrapin-SSH-Connection-Weakening.html
• http://seclists.org/fulldisclosure/2024/Mar/21
• http://www.openwall.com/lists/oss-security/2023/12/18/3
• http://www.openwall.com/lists/oss-security/2023/12/19/5
• http://www.openwall.com/lists/oss-security/2023/12/20/3
• http://www.openwall.com/lists/oss-security/2024/03/06/3
• http://www.openwall.com/lists/oss-security/2024/04/17/8
• https://access.redhat.com/security/cve/cve-2023-48795
• https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
• https://bugs.gentoo.org/920280
• https://bugzilla.redhat.com/show_bug.cgi?id=2254210
• https://bugzilla.suse.com/show_bug.cgi?id=1217950
• https://crates.io/crates/thrussh/versions
• https://filezilla-project.org/versions.php
• https://forum.netgate.com/topic/184941/terrapin-ssh-attack
• https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.10&id=10e09e273f69e149389b3e0e5d44b8c221c2e7f6
• https://github.com/NixOS/nixpkgs/pull/275249
• https://github.com/PowerShell/Win32-OpenSSH/issues/2189
• https://github.com/PowerShell/Win32-OpenSSH/releases/tag/v9.5.0.0p1-Beta
• https://github.com/TeraTermProject/teraterm/commit/7279fbd6ef4d0c8bdd6a90af4ada2899d786eec0
• https://github.com/TeraTermProject/teraterm/releases/tag/v5.1
• https://github.com/advisories/GHSA-45x7-px36-x8w8
• https://github.com/apache/mina-sshd/issues/445
• https://github.com/connectbot/sshlib/commit/5c8b534f6e97db7ac0e0e579331213aa25c173ab
• https://github.com/connectbot/sshlib/compare/2.2.21...2.2.22
• https://github.com/cyd01/KiTTY/issues/520
• https://github.com/drakkan/sftpgo/releases/tag/v2.5.6
• https://github.com/erlang/otp/blob/d1b43dc0f1361d2ad67601169e90a7fc50bb0369/lib/ssh/doc/src/notes.xml#L39-L42
• https://github.com/erlang/otp/releases/tag/OTP-26.2.1
• https://github.com/golang/crypto/commit/9d2ee975ef9fe627bf0a6f01c1f69e8ef1d4f05d
• https://github.com/hierynomus/sshj/issues/916
• https://github.com/janmojzis/tinyssh/issues/81
• https://github.com/jtesta/ssh-audit/commit/8e972c5e94b460379fe0c7d20209c16df81538a5
• https://github.com/libssh2/libssh2/pull/1291
• https://github.com/mkj/dropbear/blob/17657c36cce6df7716d5ff151ec09a665382d5dd/CHANGES#L25
• https://github.com/mscdex/ssh2/commit/97b223f8891b96d6fc054df5ab1d5a1a545da2a3
• https://github.com/mwiede/jsch/compare/jsch-0.2.14...jsch-0.2.15
• https://github.com/mwiede/jsch/issues/457
• https://github.com/mwiede/jsch/pull/461
• https://github.com/net-ssh/net-ssh/blob/2e65064a52d73396bfc3806c9196fc8108f33cd8/CHANGES.txt#L14-L16
• https://github.com/openssh/openssh-portable/commits/master
• https://github.com/paramiko/paramiko/issues/2337
• https://github.com/proftpd/proftpd/blob/0a7ea9b0ba9fcdf368374a226370d08f10397d99/RELEASE_NOTES
• https://github.com/proftpd/proftpd/blob/d21e7a2e47e9b38f709bec58e3fa711f759ad0e1/RELEASE_NOTES
• https://github.com/proftpd/proftpd/blob/master/RELEASE_NOTES
• https://github.com/proftpd/proftpd/issues/456
• https://github.com/rapier1/hpn-ssh/releases
• https://github.com/ronf/asyncssh/blob/develop/docs/changes.rst
• https://github.com/ronf/asyncssh/tags
• https://github.com/ssh-mitm/ssh-mitm/issues/165
• https://github.com/warp-tech/russh/releases/tag/v0.40.2
• https://gitlab.com/libssh/libssh-mirror/-/tags
• https://groups.google.com/g/golang-announce/c/-n5WqVC18LQ
• https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg
• https://help.panic.com/releasenotes/transmit5/
• https://jadaptive.com/important-java-ssh-security-update-new-ssh-vulnerability-discovered-cve-2023-48795/
• https://lists.debian.org/debian-lts-announce/2023/12/msg00017.html
• https://lists.debian.org/debian-lts-announce/2024/01/msg00013.html
• https://lists.debian.org/debian-lts-announce/2024/01/msg00014.html
• https://lists.debian.org/debian-lts-announce/2024/04/msg00016.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CAYYW35MUTNO65RVAELICTNZZFMT2XS/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3JIMLVBDWOP4FUPXPTB4PGHHIOMGFLQE/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3YQLUQWLIHDB5QCXQEX7HXHAWMOKPP5O/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6Y74KVCPEPT4MVU3LHDWCNNOXOE5ZLUR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APYIXIQOVDCRWLHTGB4VYMAUIAQLKYJ3/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BL5KTLOSLH2KHRN4HCXJPK3JUVLDGEL6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3AFMZ6MH2UHHOPIWT5YLSFV3D2VB3AC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7EYCFQCTSGJXWO3ZZ44MGKFC5HA7G3Y/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I724O3LSRCPO4WNVIXTZCT4VVRMXMMSG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KMZCVGUGJZZVDPCVDA7TEB22VUCNEXDD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L5Y6MNNVAPIJSXJERQ6PKZVCIUXSNJK7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZQVUHWVWRH73YBXUQJOD6CKHDQBU3DM/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MKQRBF3DWMWPH36LBCOBUTSIZRTPEZXB/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QI3EHAHABFQK7OABNCSF5GMYP6TONTI7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33XHJUB6ROFUOH2OQNENFROTVH6MHSHA/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HYEDEXIKFKTUJIN43RG4B7T5ZS6MHUSP/
• https://matt.ucc.asn.au/dropbear/CHANGES
• https://nest.pijul.com/pijul/thrussh/changes/D6H7OWTTMHHX6BTB3B6MNBOBX2L66CBL4LGSEUSAI2MCRCJDQFRQC
• https://news.ycombinator.com/item?id=38684904
• https://news.ycombinator.com/item?id=38685286
• https://news.ycombinator.com/item?id=38732005
• https://nova.app/releases/#v11.8
• https://oryx-embedded.com/download/#changelog
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0002
• https://roumenpetrov.info/secsh/#news20231220
• https://security-tracker.debian.org/tracker/CVE-2023-48795
• https://security-tracker.debian.org/tracker/source-package/libssh2
• https://security-tracker.debian.org/tracker/source-package/proftpd-dfsg
• https://security-tracker.debian.org/tracker/source-package/trilead-ssh2
• https://security.gentoo.org/glsa/202312-16
• https://security.gentoo.org/glsa/202312-17
• https://security.netapp.com/advisory/ntap-20240105-0004/
• https://support.apple.com/kb/HT214084
• https://thorntech.com/cve-2023-48795-and-sftp-gateway/
• https://twitter.com/TrueSkrillor/status/1736774389725565005
• https://ubuntu.com/security/CVE-2023-48795
• https://winscp.net/eng/docs/history#6.2.2
• https://www.bitvise.com/ssh-client-version-history#933
• https://www.bitvise.com/ssh-server-version-history
• https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html
• https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
• https://www.debian.org/security/2023/dsa-5586
• https://www.debian.org/security/2023/dsa-5588
• https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc
• https://www.lancom-systems.de/service-support/allgemeine-sicherheitshinweise#c243508
• https://www.netsarang.com/en/xshell-update-history/
• https://www.openssh.com/openbsd.html
• https://www.openssh.com/txt/release-9.6
• https://www.openwall.com/lists/oss-security/2023/12/18/2
• https://www.openwall.com/lists/oss-security/2023/12/20/3
• https://www.paramiko.org/changelog.html
• https://www.reddit.com/r/sysadmin/comments/18idv52/cve202348795_why_is_this_cve_still_undisclosed/
• https://www.suse.com/c/suse-addresses-the-ssh-v2-protocol-terrapin-attack-aka-cve-2023-48795/
• https://www.terrapin-attack.com
• https://www.theregister.com/2023/12/20/terrapin_attack_ssh
• https://www.vandyke.com/products/securecrt/history.txt
• https://github.com/projectdiscovery/nuclei-templates/blob/main/javascript/cves/2023/CVE-2023-48795.yaml
• https://github.com/TrixSec/CVE-2023-48795

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.

For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

Remediation

Upgrade Ubuntu:20.04 openssl to version 1.1.1f-1ubuntu2.17 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-4304
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003
• https://security.gentoo.org/glsa/202402-08
• https://www.openssl.org/news/secadv/20230207.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An issue was discovered function make_tempdir, and make_tempname in bucomm.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-47008
• https://sourceware.org/bugzilla/show_bug.cgi?id=29255%20

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An issue was discovered function stab_demangle_v3_arg in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-47007
• https://sourceware.org/bugzilla/show_bug.cgi?id=29254

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An issue was discovered function parse_stab_struct_fields in stabs.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-47011
• https://sourceware.org/bugzilla/show_bug.cgi?id=29261

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

An issue was discovered function pr_function_type in prdbg.c in Binutils 2.34 thru 2.38, allows attackers to cause a denial of service due to memory leaks.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-47010
• https://sourceware.org/bugzilla/show_bug.cgi?id=29262

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

GNU Binutils before 2.40 was discovered to contain a memory leak vulnerability var the function find_abstract_instance in dwarf2.c.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-48065
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d28fbc7197ba0e021a43f873eff90b05dcdcff6a
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLZXZXFX2ZWTDU2QZUSZG36LZZVTKUVG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLZXZXFX2ZWTDU2QZUSZG36LZZVTKUVG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KGSKF4GH7425S6XFDQMWTJGD5U47BAZN/
• https://security.netapp.com/advisory/ntap-20231006-0008/
• https://sourceware.org/bugzilla/show_bug.cgi?id=29925
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=d28fbc7197ba0e021a43f873eff90b05dcdcff6a

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.11+esm1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-3198
• https://sourceware.org/bugzilla/show_bug.cgi?id=32716#c0
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ba6ad3a18cb26b79e0e3b84c39f707535bbc344d
• https://vuldb.com/?ctiid.303151
• https://vuldb.com/?id.303151
• https://vuldb.com/?submit.545773
• https://www.gnu.org/
• https://sourceware.org/bugzilla/show_bug.cgi?id=32716

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.

Remediation

There is no fixed version for Ubuntu:20.04 binutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11495
• https://sourceware.org/bugzilla/attachment.cgi?id=16393
• https://sourceware.org/bugzilla/show_bug.cgi?id=33502
• https://sourceware.org/bugzilla/show_bug.cgi?id=33502#c3
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0
• https://vuldb.com/?ctiid.327620
• https://vuldb.com/?id.327620
• https://vuldb.com/?submit.668290
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.11+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11494
• https://sourceware.org/bugzilla/attachment.cgi?id=16389
• https://sourceware.org/bugzilla/show_bug.cgi?id=33499
• https://sourceware.org/bugzilla/show_bug.cgi?id=33499#c2
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a
• https://vuldb.com/?ctiid.327619
• https://vuldb.com/?id.327619
• https://vuldb.com/?submit.668281
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.11+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11412
• https://sourceware.org/bugzilla/attachment.cgi?id=16378
• https://sourceware.org/bugzilla/show_bug.cgi?id=33452#c8
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc
• https://vuldb.com/?ctiid.327348
• https://vuldb.com/?id.327348
• https://www.gnu.org/
• https://sourceware.org/bugzilla/show_bug.cgi?id=33452

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.11+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11414
• https://sourceware.org/bugzilla/attachment.cgi?id=16361
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aeaaa9af6359c8e394ce9cf24911fec4f4d23703
• https://vuldb.com/?ctiid.327350
• https://vuldb.com/?id.327350
• https://vuldb.com/?submit.665591
• https://www.gnu.org/
• https://sourceware.org/bugzilla/show_bug.cgi?id=33450

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.

Remediation

Upgrade Ubuntu:20.04 binutils to version 2.34-6ubuntu1.11+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11413
• https://sourceware.org/bugzilla/attachment.cgi?id=16362
• https://sourceware.org/bugzilla/show_bug.cgi?id=33456#c10
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0
• https://vuldb.com/?ctiid.327349
• https://vuldb.com/?id.327349
• https://vuldb.com/?submit.665587
• https://www.gnu.org/
• https://vuldb.com/?submit.665590
• https://sourceware.org/bugzilla/show_bug.cgi?id=33452