NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

Remediation

Upgrade Ubuntu:22.04 libxml2 to version 2.9.13+dfsg-1ubuntu0.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-49794
• https://access.redhat.com/security/cve/CVE-2025-49794
• https://bugzilla.redhat.com/show_bug.cgi?id=2372373
• https://access.redhat.com/errata/RHSA-2025:10630
• https://access.redhat.com/errata/RHSA-2025:10698
• https://access.redhat.com/errata/RHSA-2025:10699
• https://access.redhat.com/errata/RHSA-2025:11580
• https://access.redhat.com/errata/RHSA-2025:12098
• https://access.redhat.com/errata/RHSA-2025:12099
• https://access.redhat.com/errata/RHSA-2025:12199
• https://access.redhat.com/errata/RHSA-2025:12239
• https://access.redhat.com/errata/RHSA-2025:12240
• https://access.redhat.com/errata/RHSA-2025:12241
• https://access.redhat.com/errata/RHSA-2025:12237
• https://access.redhat.com/errata/RHSA-2025:13335
• https://access.redhat.com/errata/RHSA-2025:15828
• https://access.redhat.com/errata/RHSA-2025:15827
• https://access.redhat.com/errata/RHSA-2025:18219
• https://access.redhat.com/errata/RHSA-2025:15397
• https://access.redhat.com/errata/RHSA-2025:18218
• https://access.redhat.com/errata/RHSA-2025:18217
• https://access.redhat.com/errata/RHSA-2025:18240
• https://access.redhat.com/errata/RHSA-2025:19020
• https://access.redhat.com/errata/RHSA-2025:19046
• https://access.redhat.com/errata/RHSA-2025:19041
• https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html
• https://access.redhat.com/errata/RHSA-2025:19894
• https://access.redhat.com/errata/RHSA-2025:21913

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.

Remediation

Upgrade Ubuntu:22.04 libxml2 to version 2.9.13+dfsg-1ubuntu0.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-49796
• https://access.redhat.com/security/cve/CVE-2025-49796
• https://bugzilla.redhat.com/show_bug.cgi?id=2372385
• https://access.redhat.com/errata/RHSA-2025:10630
• https://access.redhat.com/errata/RHSA-2025:10698
• https://access.redhat.com/errata/RHSA-2025:10699
• https://access.redhat.com/errata/RHSA-2025:11580
• https://access.redhat.com/errata/RHSA-2025:12098
• https://access.redhat.com/errata/RHSA-2025:12099
• https://access.redhat.com/errata/RHSA-2025:12199
• https://access.redhat.com/errata/RHSA-2025:12239
• https://access.redhat.com/errata/RHSA-2025:12240
• https://access.redhat.com/errata/RHSA-2025:12241
• https://access.redhat.com/errata/RHSA-2025:12237
• https://access.redhat.com/errata/RHSA-2025:13267
• https://access.redhat.com/errata/RHSA-2025:13335
• https://access.redhat.com/errata/RHSA-2025:15828
• https://access.redhat.com/errata/RHSA-2025:15827
• https://access.redhat.com/errata/RHSA-2025:18219
• https://access.redhat.com/errata/RHSA-2025:15397
• https://access.redhat.com/errata/RHSA-2025:18218
• https://access.redhat.com/errata/RHSA-2025:18217
• https://access.redhat.com/errata/RHSA-2025:18240
• https://access.redhat.com/errata/RHSA-2025:19020
• https://access.redhat.com/errata/RHSA-2025:19046
• https://access.redhat.com/errata/RHSA-2025:19041
• https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html
• https://access.redhat.com/errata/RHSA-2025:19894
• https://access.redhat.com/errata/RHSA-2025:21913

NVD Description

Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.

Remediation

There is no fixed version for Ubuntu:22.04 git.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-52005
• https://github.com/git/git/security/advisories/GHSA-7jjc-gg6m-3329
• https://lore.kernel.org/git/1M9FnZ-1taoNo1wwh-00ESSd@mail.gmx.net

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in GNU Binutils up to 2.44. It has been rated as critical. Affected by this issue is the function elf_gc_sweep of the file bfd/elflink.c of the component ld. The manipulation leads to memory corruption. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 2.45 is able to address this issue. It is recommended to upgrade the affected component.

Remediation

Upgrade Ubuntu:22.04 binutils to version 2.38-4ubuntu2.10 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-5244
• https://sourceware.org/bugzilla/attachment.cgi?id=16010
• https://sourceware.org/bugzilla/show_bug.cgi?id=32858
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d1458933830456e54223d9fc61f0d9b3a19256f5
• https://vuldb.com/?ctiid.310346
• https://vuldb.com/?id.310346
• https://vuldb.com/?submit.584634
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability classified as critical has been found in GNU Binutils up to 2.44. This affects the function debug_type_samep of the file /binutils/debug.c of the component objdump. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.

Remediation

Upgrade Ubuntu:22.04 binutils to version 2.38-4ubuntu2.10 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-5245
• https://sourceware.org/bugzilla/attachment.cgi?id=16004
• https://sourceware.org/bugzilla/show_bug.cgi?id=32829
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6c3458a8b7ee7d39f070c7b2350851cb2110c65a
• https://vuldb.com/?ctiid.310347
• https://vuldb.com/?id.310347
• https://vuldb.com/?submit.584635
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue.

Remediation

Upgrade Ubuntu:22.04 binutils to version 2.38-4ubuntu2.10 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-7545
• https://sourceware.org/bugzilla/attachment.cgi?id=16117
• https://sourceware.org/bugzilla/show_bug.cgi?id=33049
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944
• https://vuldb.com/?ctiid.316243
• https://vuldb.com/?id.316243
• https://vuldb.com/?submit.614355
• https://www.gnu.org/
• https://sourceware.org/bugzilla/show_bug.cgi?id=33049#c1

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability has been found in GNU Binutils 2.45. The affected element is the function elf_swap_shdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 9ca499644a21ceb3f946d1c179c38a83be084490. To fix this issue, it is recommended to deploy a patch. The code maintainer replied with "[f]ixed for 2.46".

Remediation

Upgrade Ubuntu:22.04 binutils to version 2.38-4ubuntu2.10 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11083
• https://sourceware.org/bugzilla/attachment.cgi?id=16353
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=9ca499644a21ceb3f946d1c179c38a83be084490
• https://vuldb.com/?ctiid.326124
• https://vuldb.com/?id.326124
• https://vuldb.com/?submit.661277
• https://www.gnu.org/
• https://sourceware.org/bugzilla/show_bug.cgi?id=33457
• https://sourceware.org/bugzilla/show_bug.cgi?id=33457#c1

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw has been found in GNU Binutils 2.45. Impacted is the function _bfd_elf_parse_eh_frame of the file bfd/elf-eh-frame.c of the component Linker. Executing manipulation can lead to heap-based buffer overflow. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ea1a0737c7692737a644af0486b71e4a392cbca8. A patch should be applied to remediate this issue. The code maintainer replied with "[f]ixed for 2.46".

Remediation

Upgrade Ubuntu:22.04 binutils to version 2.38-4ubuntu2.10 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11082
• https://sourceware.org/bugzilla/attachment.cgi?id=16358
• https://sourceware.org/bugzilla/show_bug.cgi?id=33464
• https://sourceware.org/bugzilla/show_bug.cgi?id=33464#c2
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ea1a0737c7692737a644af0486b71e4a392cbca8
• https://vuldb.com/?ctiid.326123
• https://vuldb.com/?id.326123
• https://vuldb.com/?submit.661276
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

Remediation

Upgrade Ubuntu:22.04 libxml2 to version 2.9.13+dfsg-1ubuntu0.10 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-7425
• https://access.redhat.com/security/cve/CVE-2025-7425
• https://bugzilla.redhat.com/show_bug.cgi?id=2379274
• https://access.redhat.com/errata/RHSA-2025:12447
• https://access.redhat.com/errata/RHSA-2025:12450
• https://access.redhat.com/errata/RHSA-2025:13267
• https://access.redhat.com/errata/RHSA-2025:13313
• https://access.redhat.com/errata/RHSA-2025:13314
• https://access.redhat.com/errata/RHSA-2025:13308
• https://access.redhat.com/errata/RHSA-2025:13309
• https://access.redhat.com/errata/RHSA-2025:13310
• https://access.redhat.com/errata/RHSA-2025:13311
• https://access.redhat.com/errata/RHSA-2025:13312
• https://access.redhat.com/errata/RHSA-2025:13335
• https://access.redhat.com/errata/RHSA-2025:13464
• https://access.redhat.com/errata/RHSA-2025:13622
• https://access.redhat.com/errata/RHSA-2025:14059
• https://access.redhat.com/errata/RHSA-2025:14396
• https://access.redhat.com/errata/RHSA-2025:14819
• https://access.redhat.com/errata/RHSA-2025:14818
• https://access.redhat.com/errata/RHSA-2025:14853
• https://access.redhat.com/errata/RHSA-2025:14858
• https://access.redhat.com/errata/RHSA-2025:15308
• https://access.redhat.com/errata/RHSA-2025:15828
• https://access.redhat.com/errata/RHSA-2025:15827
• https://access.redhat.com/errata/RHSA-2025:15672
• https://access.redhat.com/errata/RHSA-2025:18219
• https://lists.debian.org/debian-lts-announce/2025/09/msg00035.html
• http://seclists.org/fulldisclosure/2025/Aug/0
• http://seclists.org/fulldisclosure/2025/Jul/30
• http://seclists.org/fulldisclosure/2025/Jul/32
• http://seclists.org/fulldisclosure/2025/Jul/35
• http://seclists.org/fulldisclosure/2025/Jul/37
• http://www.openwall.com/lists/oss-security/2025/07/11/2
• https://access.redhat.com/errata/RHSA-2025:21885
• https://access.redhat.com/errata/RHSA-2025:21913
• https://gitlab.gnome.org/GNOME/libxslt/-/issues/140

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

Remediation

There is no fixed version for Ubuntu:22.04 pam.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8941
• https://access.redhat.com/security/cve/CVE-2025-8941
• https://bugzilla.redhat.com/show_bug.cgi?id=2388220
• https://access.redhat.com/errata/RHSA-2025:14557
• https://access.redhat.com/errata/RHSA-2025:15100
• https://access.redhat.com/errata/RHSA-2025:15104
• https://access.redhat.com/errata/RHSA-2025:15107
• https://access.redhat.com/errata/RHSA-2025:15099
• https://access.redhat.com/errata/RHSA-2025:15101
• https://access.redhat.com/errata/RHSA-2025:15102
• https://access.redhat.com/errata/RHSA-2025:15103
• https://access.redhat.com/errata/RHSA-2025:15105
• https://access.redhat.com/errata/RHSA-2025:15106
• https://access.redhat.com/errata/RHSA-2025:15709
• https://access.redhat.com/errata/RHSA-2025:15828
• https://access.redhat.com/errata/RHSA-2025:15827
• https://access.redhat.com/errata/RHSA-2025:16524
• https://access.redhat.com/errata/RHSA-2025:18219
• https://access.redhat.com/errata/RHSA-2025:17181
• https://access.redhat.com/errata/RHSA-2025:21885

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

Remediation

There is no fixed version for Ubuntu:22.04 python3.11.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-9287
• https://github.com/python/cpython/commit/633555735a023d3e4d92ba31da35b1205f9ecbd7
• https://github.com/python/cpython/commit/8450b2482586857d689b6658f08de9c8179af7db
• https://github.com/python/cpython/commit/9286ab3a107ea41bd3f3c3682ce2512692bdded8
• https://github.com/python/cpython/commit/ae961ae94bf19c8f8c7fbea3d1c25cc55ce8ae97
• https://github.com/python/cpython/commit/d48cc82ed25e26b02eb97c6263d95dcaa1e9111b
• https://github.com/python/cpython/commit/e52095a0c1005a87eed2276af7a1f2f66e2b6483
• https://github.com/python/cpython/issues/124651
• https://github.com/python/cpython/pull/124712
• https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/
• https://security.netapp.com/advisory/ntap-20250425-0006/
• https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2.0 package and not the glib2.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

Remediation

Upgrade Ubuntu:22.04 glib2.0 to version 2.72.4-0ubuntu2.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-13601
• https://access.redhat.com/security/cve/CVE-2025-13601
• https://bugzilla.redhat.com/show_bug.cgi?id=2416741
• https://gitlab.gnome.org/GNOME/glib/-/issues/3827
• https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4914

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

Remediation

Upgrade Ubuntu:22.04 libxml2 to version 2.9.13+dfsg-1ubuntu0.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-6021
• https://access.redhat.com/errata/RHSA-2025:10630
• https://access.redhat.com/errata/RHSA-2025:10698
• https://access.redhat.com/errata/RHSA-2025:10699
• https://access.redhat.com/errata/RHSA-2025:11580
• https://access.redhat.com/errata/RHSA-2025:12098
• https://access.redhat.com/errata/RHSA-2025:12099
• https://access.redhat.com/errata/RHSA-2025:12199
• https://access.redhat.com/errata/RHSA-2025:12237
• https://access.redhat.com/errata/RHSA-2025:12239
• https://access.redhat.com/errata/RHSA-2025:12240
• https://access.redhat.com/errata/RHSA-2025:12241
• https://access.redhat.com/errata/RHSA-2025:13267
• https://access.redhat.com/errata/RHSA-2025:13289
• https://access.redhat.com/errata/RHSA-2025:13325
• https://access.redhat.com/errata/RHSA-2025:13335
• https://access.redhat.com/errata/RHSA-2025:13336
• https://access.redhat.com/errata/RHSA-2025:14059
• https://access.redhat.com/errata/RHSA-2025:14396
• https://access.redhat.com/errata/RHSA-2025:15308
• https://access.redhat.com/errata/RHSA-2025:15672
• https://access.redhat.com/security/cve/CVE-2025-6021
• https://bugzilla.redhat.com/show_bug.cgi?id=2372406
• https://gitlab.gnome.org/GNOME/libxml2/-/issues/926
• https://access.redhat.com/errata/RHSA-2025:19020
• https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html
• https://access.redhat.com/errata/RHSA-2025:11673

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

There is a MEDIUM severity vulnerability affecting CPython.

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

Remediation

There is no fixed version for Ubuntu:22.04 python3.11.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-6232
• https://github.com/python/cpython/commit/4eaf4891c12589e3c7bdad5f5b076e4c8392dd06
• https://github.com/python/cpython/commit/743acbe872485dc18df4d8ab2dc7895187f062c4
• https://github.com/python/cpython/commit/d449caf8a179e3b954268b3a88eb9170be3c8fbf
• https://github.com/python/cpython/commit/ed3a49ea734ada357ff4442996fd4ae71d253373
• https://github.com/python/cpython/issues/121285
• https://github.com/python/cpython/pull/121286
• https://mail.python.org/archives/list/security-announce@python.org/thread/JRYFTPRHZRTLMZLWQEUHZSJXNHM4ACTY/
• https://github.com/python/cpython/commit/34ddb64d088dd7ccc321f6103d23153256caa5d4
• https://github.com/python/cpython/commit/7d1f50cd92ff7e10a1c15a8f591dde8a6843a64d
• https://github.com/python/cpython/commit/b4225ca91547aa97ed3aca391614afbb255bc877
• http://www.openwall.com/lists/oss-security/2024/09/03/5
• https://security.netapp.com/advisory/ntap-20241018-0007/
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.

Remediation

There is no fixed version for Ubuntu:22.04 python3.11.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-41105
• https://mail.python.org/archives/list/security-announce@python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/
• https://github.com/python/cpython/issues/106242
• https://github.com/python/cpython/pull/107981
• https://github.com/python/cpython/pull/107982
• https://github.com/python/cpython/pull/107983
• https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/
• https://security.netapp.com/advisory/ntap-20231006-0015/

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2.0 package and not the glib2.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.

Remediation

Upgrade Ubuntu:22.04 glib2.0 to version 2.72.4-0ubuntu2.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-14512
• https://access.redhat.com/security/cve/CVE-2025-14512
• https://bugzilla.redhat.com/show_bug.cgi?id=2421339

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Remediation

There is no fixed version for Ubuntu:22.04 wget.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-31879
• https://security.netapp.com/advisory/ntap-20210618-0002/
• https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2.0 package and not the glib2.0 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.

Remediation

Upgrade Ubuntu:22.04 glib2.0 to version 2.72.4-0ubuntu2.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-14087
• https://access.redhat.com/security/cve/CVE-2025-14087
• https://bugzilla.redhat.com/show_bug.cgi?id=2419093

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability has been found in GNU Binutils 2.43/2.44 and classified as problematic. Affected by this vulnerability is the function display_info of the file binutils/bucomm.c of the component objdump. The manipulation leads to memory leak. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named ba6ad3a18cb26b79e0e3b84c39f707535bbc344d. It is recommended to apply a patch to fix this issue.

Remediation

Upgrade Ubuntu:22.04 binutils to version 2.38-4ubuntu2.10 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-3198
• https://sourceware.org/bugzilla/show_bug.cgi?id=32716#c0
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ba6ad3a18cb26b79e0e3b84c39f707535bbc344d
• https://vuldb.com/?ctiid.303151
• https://vuldb.com/?id.303151
• https://vuldb.com/?submit.545773
• https://www.gnu.org/
• https://sourceware.org/bugzilla/show_bug.cgi?id=32716

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was detected in GNU Binutils 2.45. This issue affects the function dump_dwarf_section of the file binutils/objdump.c. Performing manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit is now public and may be used. The patch is named f87a66db645caf8cc0e6fc87b0c28c78a38af59b. It is suggested to install a patch to address this issue.

Remediation

There is no fixed version for Ubuntu:22.04 binutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11081
• https://github.com/user-attachments/files/20623354/hdf5_crash_3.txt
• https://sourceware.org/bugzilla/show_bug.cgi?id=33406
• https://sourceware.org/bugzilla/show_bug.cgi?id=33406#c2
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f87a66db645caf8cc0e6fc87b0c28c78a38af59b
• https://vuldb.com/?ctiid.326122
• https://vuldb.com/?id.326122
• https://vuldb.com/?submit.661275
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was determined in GNU Binutils 2.45. The affected element is the function elf_x86_64_relocate_section of the file elf64-x86-64.c of the component Linker. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: 6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0. To fix this issue, it is recommended to deploy a patch.

Remediation

There is no fixed version for Ubuntu:22.04 binutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11495
• https://sourceware.org/bugzilla/attachment.cgi?id=16393
• https://sourceware.org/bugzilla/show_bug.cgi?id=33502
• https://sourceware.org/bugzilla/show_bug.cgi?id=33502#c3
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6b21c8b2ecfef5c95142cbc2c32f185cb1c26ab0
• https://vuldb.com/?ctiid.327620
• https://vuldb.com/?id.327620
• https://vuldb.com/?submit.668290
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in GNU Binutils 2.45. Impacted is the function _bfd_x86_elf_late_size_sections of the file bfd/elfxx-x86.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. The patch is identified as b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a. A patch should be applied to remediate this issue.

Remediation

Upgrade Ubuntu:22.04 binutils to version 2.38-4ubuntu2.12 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11494
• https://sourceware.org/bugzilla/attachment.cgi?id=16389
• https://sourceware.org/bugzilla/show_bug.cgi?id=33499
• https://sourceware.org/bugzilla/show_bug.cgi?id=33499#c2
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b6ac5a8a5b82f0ae6a4642c8d7149b325f4cc60a
• https://vuldb.com/?ctiid.327619
• https://vuldb.com/?id.327619
• https://vuldb.com/?submit.668281
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A weakness has been identified in GNU Binutils 2.45. The affected element is the function vfinfo of the file ldmisc.c. Executing manipulation can lead to out-of-bounds read. The attack can only be executed locally. The exploit has been made available to the public and could be exploited. This patch is called 16357. It is best practice to apply a patch to resolve this issue.

Remediation

Upgrade Ubuntu:22.04 binutils to version 2.38-4ubuntu2.11 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11840
• https://sourceware.org/bugzilla/attachment.cgi?id=16351
• https://sourceware.org/bugzilla/attachment.cgi?id=16357
• https://sourceware.org/bugzilla/show_bug.cgi?id=33455
• https://vuldb.com/?ctiid.328775
• https://vuldb.com/?id.328775
• https://vuldb.com/?submit.661281
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 047435dd988a3975d40c6626a8f739a0b2e154bc. To fix this issue, it is recommended to deploy a patch.

Remediation

Upgrade Ubuntu:22.04 binutils to version 2.38-4ubuntu2.12 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11412
• https://sourceware.org/bugzilla/attachment.cgi?id=16378
• https://sourceware.org/bugzilla/show_bug.cgi?id=33452#c8
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=047435dd988a3975d40c6626a8f739a0b2e154bc
• https://vuldb.com/?ctiid.327348
• https://vuldb.com/?id.327348
• https://www.gnu.org/
• https://sourceware.org/bugzilla/show_bug.cgi?id=33452

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was determined in GNU Binutils 2.45. Affected by this vulnerability is the function get_link_hash_entry of the file bfd/elflink.c of the component Linker. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.46 addresses this issue. Patch name: aeaaa9af6359c8e394ce9cf24911fec4f4d23703. It is advisable to upgrade the affected component.

Remediation

Upgrade Ubuntu:22.04 binutils to version 2.38-4ubuntu2.12 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11414
• https://sourceware.org/bugzilla/attachment.cgi?id=16361
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aeaaa9af6359c8e394ce9cf24911fec4f4d23703
• https://vuldb.com/?ctiid.327350
• https://vuldb.com/?id.327350
• https://vuldb.com/?submit.665591
• https://www.gnu.org/
• https://sourceware.org/bugzilla/show_bug.cgi?id=33450

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in GNU Binutils 2.45. Affected is the function elf_link_add_object_symbols of the file bfd/elflink.c of the component Linker. The manipulation results in out-of-bounds read. The attack needs to be approached locally. The exploit has been made public and could be used. Upgrading to version 2.46 is able to address this issue. The patch is identified as 72efdf166aa0ed72ecc69fc2349af6591a7a19c0. Upgrading the affected component is advised.

Remediation

Upgrade Ubuntu:22.04 binutils to version 2.38-4ubuntu2.12 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11413
• https://sourceware.org/bugzilla/attachment.cgi?id=16362
• https://sourceware.org/bugzilla/show_bug.cgi?id=33456#c10
• https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=72efdf166aa0ed72ecc69fc2349af6591a7a19c0
• https://vuldb.com/?ctiid.327349
• https://vuldb.com/?id.327349
• https://vuldb.com/?submit.665587
• https://www.gnu.org/
• https://sourceware.org/bugzilla/show_bug.cgi?id=33452

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A security flaw has been discovered in GNU Binutils 2.45. Impacted is the function tg_tag_type of the file prdbg.c. Performing manipulation results in unchecked return value. The attack needs to be approached locally. The exploit has been released to the public and may be exploited.

Remediation

Upgrade Ubuntu:22.04 binutils to version 2.38-4ubuntu2.11 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-11839
• https://sourceware.org/bugzilla/attachment.cgi?id=16344
• https://vuldb.com/?ctiid.328774
• https://vuldb.com/?id.328774
• https://vuldb.com/?submit.661279
• https://www.gnu.org/
• https://sourceware.org/bugzilla/show_bug.cgi?id=33448

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Remediation

There is no fixed version for Ubuntu:22.04 expat.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-66382
• https://github.com/libexpat/libexpat/issues/1076
• http://www.openwall.com/lists/oss-security/2025/12/02/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions xmlXPathRunEval, xmlXPathCtxtCompile, and xmlXPathEvalExpr were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth across recursive calls, allowing recursion depth to be controlled.

Remediation

Upgrade Ubuntu:22.04 libxml2 to version 2.9.13+dfsg-1ubuntu0.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-9714
• https://gitlab.gnome.org/GNOME/libxml2/-/commit/677a42645ef22b5a50741bad5facf9d8a8bc6d21
• https://lists.debian.org/debian-lts-announce/2025/09/msg00035.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-apt package and not the python-apt package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.

Remediation

Upgrade Ubuntu:22.04 python-apt to version 2.4.0ubuntu4.1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-6966
• https://bugs.launchpad.net/ubuntu/+source/python-apt/+bug/2091865
• https://lists.debian.org/debian-lts-announce/2025/12/msg00019.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability has been found in GNU Binutils 2.43 and classified as problematic. Affected by this vulnerability is the function __sanitizer::internal_strlen of the file binutils/nm.c of the component nm. The manipulation of the argument const leads to buffer overflow. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

Remediation

Upgrade Ubuntu:22.04 binutils to version 2.38-4ubuntu2.10 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-1147
• https://sourceware.org/bugzilla/attachment.cgi?id=15881
• https://sourceware.org/bugzilla/show_bug.cgi?id=32556
• https://vuldb.com/?ctiid.295051
• https://vuldb.com/?id.295051
• https://www.gnu.org/
• https://security.netapp.com/advisory/ntap-20250404-0003/
• https://vuldb.com/?submit.485254

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

Remediation

There is no fixed version for Ubuntu:22.04 python3.11.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-40217
• https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/
• https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html
• https://lists.debian.org/debian-lts-announce/2024/11/msg00005.html
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
• https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/
• https://security.netapp.com/advisory/ntap-20231006-0014/
• https://www.python.org/dev/security/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Remediation

There is no fixed version for Ubuntu:22.04 python3.11.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-27043
• http://python.com
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/
• http://seclists.org/fulldisclosure/2025/Apr/8
• https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
• http://python.org
• https://github.com/python/cpython/issues/102988
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZAEFSFZDNBNJPNOUTLG5COISGQDLMGV/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/75DTHSTNOFFNAWHXKMDXS7EJWC6W2FUC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ARI7VDSNTQVXRQFM6IK5GSSLEIYV4VZH/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BQAKLUJMHFGVBRDPEY57BJGNCE5UUPHW/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXYVPEZUA3465AEFX5JVFVP7KIFZMF3N/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N6M5I6OQHJABNEYY555HUMMKX3Y4P25Z/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NEUNZSZ3CVSM2QWVYH3N2XGOCDWNYUA3/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORLXS5YTKN65E2Q2NWKXMFS5FWQHRNZW/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2MAICLFDDO3QVNHTZ2OCERZQ34R2PIC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2W2BZQIHMCKRI5FNBJERFYMS5PK6TAH/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PHVGRKQAGANCSGFI3QMYOCIMS4IFOZA5/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PU6Y2S5CBN5BWCBDAJFTGIBZLK3S2G3J/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QDRDDPDN3VFIYXJIYEABY6USX5EU66AG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDDC2VOX7OQC6OHMYTVD4HLFZIV6PYBC/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SINP4OVYNB2AGDYI2GS37EMW3H3F7XPZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SOX7BCN6YL7B3RFPEEXPIU5CMTEHJOKR/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VZXC32CJ7TWDPJO6GY2XIQRO7JZX5FLP/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWMBD4LNHWEXRI6YVFWJMTJQUL5WOFTS/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQVY5C5REXWJIORJIL2FIL3ALOEJEF72/
• https://python-security.readthedocs.io/vuln/email-parseaddr-realname.html
• https://security.netapp.com/advisory/ntap-20230601-0003/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

Remediation

There is no fixed version for Ubuntu:22.04 gnupg2.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-68972
• https://media.ccc.de/v/39c3-to-sign-or-not-to-sign-practical-vulnerabilities-i
• https://news.ycombinator.com/item?id=46404339
• https://gpg.fail/formfeed

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. It is recommended to apply a patch to fix this issue.

Remediation

Upgrade Ubuntu:22.04 binutils to version 2.38-4ubuntu2.10 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8225
• https://gitlab.com/gnutools/binutils-gdb/-/commit/e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4
• https://vuldb.com/?ctiid.317813
• https://vuldb.com/?id.317813
• https://vuldb.com/?submit.621883
• https://www.gnu.org/

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in GNU Binutils 2.43 and classified as problematic. Affected by this issue is the function link_order_scan of the file ld/ldelfgen.c of the component ld. The manipulation leads to memory leak. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The code maintainer explains: "I'm not going to commit some of the leak fixes I've been working on to the 2.44 branch due to concern that would destabilise ld. All of the reported leaks in this bugzilla have been fixed on binutils master."

Remediation

Upgrade Ubuntu:22.04 binutils to version 2.38-4ubuntu2.10 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-1148
• https://sourceware.org/bugzilla/attachment.cgi?id=15887
• https://sourceware.org/bugzilla/show_bug.cgi?id=32576
• https://vuldb.com/?ctiid.295052
• https://vuldb.com/?id.295052
• https://vuldb.com/?submit.485747
• https://www.gnu.org/
• https://security.netapp.com/advisory/ntap-20250404-0004/

NVD Description

Note: Versions mentioned in the description apply only to the upstream binutils package and not the binutils package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability classified as problematic has been found in GNU Binutils 2.43. This affects the function _bfd_elf_write_section_eh_frame of the file bfd/elf-eh-frame.c of the component ld. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue.

Remediation

There is no fixed version for Ubuntu:22.04 binutils.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-1180
• https://sourceware.org/bugzilla/attachment.cgi?id=15917
• https://vuldb.com/?ctiid.295083
• https://vuldb.com/?id.295083
• https://www.gnu.org/
• https://sourceware.org/bugzilla/show_bug.cgi?id=32642
• https://vuldb.com/?submit.495381

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.

Remediation

Upgrade Ubuntu:22.04 libxml2 to version 2.9.13+dfsg-1ubuntu0.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-6170
• https://bugzilla.redhat.com/show_bug.cgi?id=2372952
• https://access.redhat.com/security/cve/CVE-2025-6170
• https://lists.debian.org/debian-lts-announce/2025/07/msg00014.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.

Remediation

Upgrade Ubuntu:22.04 glibc to version 2.35-0ubuntu3.11 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8058
• https://sourceware.org/bugzilla/show_bug.cgi?id=33185
• https://sourceware.org/git/?p=glibc.git;a=commit;h=3ff17af18c38727b88d9115e536c069e6b5d601f
• http://www.openwall.com/lists/oss-security/2025/07/23/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.

Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.

Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Ubuntu:22.04 openssl to version 3.0.2-0ubuntu1.20 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-9230
• https://github.com/openssl/openssl/commit/5965ea5dd6960f36d8b7f74f8eac67a8eb8f2b45
• https://github.com/openssl/openssl/commit/9e91358f365dee6c446dcdcdb01c04d2743fd280
• https://github.com/openssl/openssl/commit/a79c4ce559c6a3a8fd4109e9f33c1185d5bf2def
• https://github.com/openssl/openssl/commit/b5282d677551afda7d20e9c00e09561b547b2dfd
• https://github.com/openssl/openssl/commit/bae259a211ada6315dc50900686daaaaaa55f482
• https://github.openssl.org/openssl/extended-releases/commit/c2b96348bfa662f25f4fabf81958ae822063dae3
• https://github.openssl.org/openssl/extended-releases/commit/dfbaf161d8dafc1132dd88cd48ad990ed9b4c8ba
• https://openssl-library.org/news/secadv/20250930.txt
• https://lists.debian.org/debian-lts-announce/2025/10/msg00001.html
• http://www.openwall.com/lists/oss-security/2025/09/30/5

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.10 package and not the python3.10 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.

Remediation

Upgrade Ubuntu:22.04 python3.10 to version 3.10.12-1~22.04.11 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-6069
• https://github.com/python/cpython/commit/4455cbabf991e202185a25a631af206f60bbc949
• https://github.com/python/cpython/commit/6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41
• https://github.com/python/cpython/commit/d851f8e258c7328814943e923a7df81bca15df4b
• https://github.com/python/cpython/issues/135462
• https://github.com/python/cpython/pull/135464
• https://mail.python.org/archives/list/security-announce@python.org/thread/K5PIYLR6EP3WR7ZOKKYQUWEDNQVUXOYM/
• https://github.com/python/cpython/commit/8d1b3dfa09135affbbf27fb8babcf3c11415df49
• https://github.com/python/cpython/commit/ab0893fd5c579d9cea30841680e6d35fc478afb5
• https://github.com/python/cpython/commit/f3c6f882cddc8dc30320d2e73edf019e201394fc
• https://github.com/python/cpython/commit/fdc9d214c01cb4588f540cfa03726bbf2a33fc15

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.10 package and not the python3.10 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.

Remediation

Upgrade Ubuntu:22.04 python3.10 to version 3.10.12-1~22.04.12 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-6075
• https://github.com/python/cpython/issues/136065
• https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA/
• https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c
• https://github.com/python/cpython/commit/631ba3407e3348ccd56ce5160c4fb2c5dc5f4d84
• https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca
• https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742
• https://github.com/python/cpython/commit/c8a5f3435c342964e0a432cc9fb448b7dbecd1ba
• https://github.com/python/cpython/commit/f029e8db626ddc6e3a3beea4eff511a71aaceb5c
• https://github.com/python/cpython/commit/5dceb93486176e6b4a6d9754491005113eb23427

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.10 package and not the python3.10 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.

This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

Remediation

Upgrade Ubuntu:22.04 python3.10 to version 3.10.12-1~22.04.11 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8194
• https://github.com/python/cpython/issues/130577
• https://github.com/python/cpython/pull/137027
• https://mail.python.org/archives/list/security-announce@python.org/thread/ZULLF3IZ726XP5EY7XJ7YIN3K5MDYR2D/
• https://github.com/python/cpython/commit/7040aa54f14676938970e10c5f74ea93cd56aa38
• https://github.com/python/cpython/commit/cdae923ffe187d6ef916c0f665a31249619193fe
• https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1
• https://github.com/python/cpython/commit/c9d9f78feb1467e73fd29356c040bde1c104f29f
• https://github.com/python/cpython/commit/fbc2a0ca9ac8aff6887f8ddf79b87b4510277227
• https://github.com/python/cpython/commit/57f5981d6260ed21266e0c26951b8564cc252bc2
• https://github.com/python/cpython/commit/73f03e4808206f71eb6b92c579505a220942ef19
• https://github.com/python/cpython/commit/b4ec17488eedec36d3c05fec127df71c0071f6cb
• http://www.openwall.com/lists/oss-security/2025/07/28/1
• http://www.openwall.com/lists/oss-security/2025/07/28/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.10 package and not the python3.10 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations.

Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.

Remediation

Upgrade Ubuntu:22.04 python3.10 to version 3.10.12-1~22.04.12 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8291
• https://github.com/python/cpython/pull/139702
• https://mail.python.org/archives/list/security-announce@python.org/thread/QECOPWMTH4VPPJAXAH2BGTA4XADOP62G/
• https://github.com/python/cpython/commit/162997bb70e067668c039700141770687bc8f267
• https://github.com/python/cpython/commit/333d4a6f4967d3ace91492a39ededbcf3faa76a6
• https://github.com/python/cpython/issues/139700
• https://github.com/python/cpython/commit/1d29afb0d6218aa8fb5e1e4a6133a4778d89bb46
• https://github.com/python/cpython/commit/76437ac248ad8ca44e9bf697b02b1e2241df2196
• https://github.com/python/cpython/commit/8392b2f0d35678407d9ce7d95655a5b77de161b4
• https://github.com/python/cpython/commit/bca11ae7d575d87ed93f5dd6a313be6246e3e388
• https://github.com/python/cpython/commit/d11e69d6203080e3ec450446bfed0516727b85c3
• https://github.com/google/security-research/security/advisories/GHSA-hhv7-p4pg-wm6p
• https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2025-12.json

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An issue was found in the CPython tempfile.TemporaryDirectory class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.

Remediation

There is no fixed version for Ubuntu:22.04 python3.11.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-6597
• http://www.openwall.com/lists/oss-security/2024/03/20/5
• https://github.com/python/cpython/commit/02a9259c717738dfe6b463c44d7e17f2b6d2cb3a
• https://github.com/python/cpython/commit/5585334d772b253a01a6730e8202ffb1607c3d25
• https://github.com/python/cpython/commit/6ceb8aeda504b079fef7a57b8d81472f15cdd9a5
• https://github.com/python/cpython/commit/81c16cd94ec38d61aa478b9a452436dc3b1b524d
• https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82
• https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b
• https://github.com/python/cpython/issues/91133
• https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html
• https://lists.debian.org/debian-lts-announce/2024/11/msg00005.html
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/
• https://mail.python.org/archives/list/security-announce@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

Remediation

There is no fixed version for Ubuntu:22.04 python3.11.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-0450
• https://security.netapp.com/advisory/ntap-20250411-0005/
• http://www.openwall.com/lists/oss-security/2024/03/20/5
• https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85
• https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
• https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675
• https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
• https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549
• https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183
• https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b
• https://github.com/python/cpython/issues/109858
• https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html
• https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html
• https://lists.debian.org/debian-lts-announce/2024/11/msg00005.html
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/
• https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
• https://www.bamsoftware.com/hacks/zipbomb/

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3.11 package and not the python3.11 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Remediation

There is no fixed version for Ubuntu:22.04 python3.11.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-11168
• https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5
• https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550
• https://github.com/python/cpython/issues/103848
• https://github.com/python/cpython/pull/103849
• https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/
• https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e
• https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132
• https://security.netapp.com/advisory/ntap-20250411-0004/
• https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Remediation

There is no fixed version for Ubuntu:22.04 tar.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582
• https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md
• https://www.gnu.org/software/tar/
• https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
• https://www.gnu.org/software/tar/manual/html_node/Integrity.html
• https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html
• http://www.openwall.com/lists/oss-security/2025/11/01/6