NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

Remediation

Upgrade Ubuntu:22.04 expat to version 2.4.7-1ubuntu0.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-45491
• https://github.com/libexpat/libexpat/issues/888
• https://github.com/libexpat/libexpat/pull/891
• https://security.netapp.com/advisory/ntap-20241018-0003/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

Remediation

Upgrade Ubuntu:22.04 expat to version 2.4.7-1ubuntu0.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-45492
• https://github.com/libexpat/libexpat/issues/889
• https://github.com/libexpat/libexpat/pull/892
• https://security.netapp.com/advisory/ntap-20241018-0005/

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.

Remediation

Upgrade Ubuntu:22.04 krb5 to version 1.19.2-2ubuntu0.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-37371
• https://security.netapp.com/advisory/ntap-20241108-0009/
• https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef
• https://web.mit.edu/kerberos/www/advisories/

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.

Remediation

Upgrade Ubuntu:22.04 wget to version 1.21.2-2ubuntu1.1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-38428
• https://security.netapp.com/advisory/ntap-20241115-0005/
• https://git.savannah.gnu.org/cgit/wget.git/commit/?id=ed0c7c7e0e8f7298352646b2fd6e06a11e242ace
• https://lists.debian.org/debian-lts-announce/2025/04/msg00029.html
• https://lists.gnu.org/archive/html/bug-wget/2024-06/msg00005.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.

Remediation

Upgrade Ubuntu:22.04 krb5 to version 1.19.2-2ubuntu0.5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-3596
• https://www.kb.cert.org/vuls/id/456537
• https://security.netapp.com/advisory/ntap-20240822-0001/
• https://today.ucsd.edu/story/computer-scientists-discover-vulnerabilities-in-a-popular-security-protocol
• https://cert-portal.siemens.com/productcert/html/ssa-723487.html
• https://cert-portal.siemens.com/productcert/html/ssa-794185.html
• http://www.openwall.com/lists/oss-security/2024/07/09/4
• https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/
• https://datatracker.ietf.org/doc/html/rfc2865
• https://networkradius.com/assets/pdf/radius_and_md5_collisions.pdf
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0014
• https://www.blastradius.fail/

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability.

Remediation

Upgrade Ubuntu:22.04 libssh to version 0.9.6-2ubuntu0.22.04.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-5372
• https://access.redhat.com/security/cve/CVE-2025-5372
• https://bugzilla.redhat.com/show_bug.cgi?id=2369388

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.

This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-32988
• https://access.redhat.com/security/cve/CVE-2025-32988
• https://bugzilla.redhat.com/show_bug.cgi?id=2359622

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-32990
• https://access.redhat.com/security/cve/CVE-2025-32990
• https://bugzilla.redhat.com/show_bug.cgi?id=2359620

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Remediation

Upgrade Ubuntu:22.04 freetype to version 2.11.1+dfsg-1ubuntu0.3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-27363
• https://www.facebook.com/security/advisories/cve-2025-27363
• http://www.openwall.com/lists/oss-security/2025/03/13/1
• http://www.openwall.com/lists/oss-security/2025/03/13/11
• http://www.openwall.com/lists/oss-security/2025/03/13/12
• http://www.openwall.com/lists/oss-security/2025/03/13/2
• http://www.openwall.com/lists/oss-security/2025/03/13/3
• http://www.openwall.com/lists/oss-security/2025/03/13/8
• http://www.openwall.com/lists/oss-security/2025/03/14/1
• http://www.openwall.com/lists/oss-security/2025/03/14/2
• http://www.openwall.com/lists/oss-security/2025/03/14/3
• http://www.openwall.com/lists/oss-security/2025/03/14/4
• http://www.openwall.com/lists/oss-security/2025/05/06/3
• https://lists.debian.org/debian-lts-announce/2025/03/msg00030.html
• https://source.android.com/docs/security/bulletin/2025-05-01
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• https://github.com/tin-z/CVE-2025-27363

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in the libssh library. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior.

Remediation

Upgrade Ubuntu:22.04 libssh to version 0.9.6-2ubuntu0.22.04.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-5318
• https://access.redhat.com/security/cve/CVE-2025-5318
• https://bugzilla.redhat.com/show_bug.cgi?id=2369131
• https://www.libssh.org/security/advisories/CVE-2025-5318.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream bash package and not the bash package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.

Remediation

Upgrade Ubuntu:22.04 bash to version 5.1-6ubuntu1.1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3715
• https://bugzilla.redhat.com/show_bug.cgi?id=2126720

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

Remediation

Upgrade Ubuntu:22.04 pam to version 1.4.0-11ubuntu2.6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-6020
• https://access.redhat.com/security/cve/CVE-2025-6020
• https://bugzilla.redhat.com/show_bug.cgi?id=2372512
• http://www.openwall.com/lists/oss-security/2025/06/17/1
• https://access.redhat.com/errata/RHSA-2025:9526
• https://access.redhat.com/errata/RHSA-2025:10024
• https://access.redhat.com/errata/RHSA-2025:10027
• https://access.redhat.com/errata/RHSA-2025:10180
• https://access.redhat.com/errata/RHSA-2025:10354
• https://access.redhat.com/errata/RHSA-2025:10357
• https://access.redhat.com/errata/RHSA-2025:10358
• https://access.redhat.com/errata/RHSA-2025:10359
• https://access.redhat.com/errata/RHSA-2025:10361
• https://access.redhat.com/errata/RHSA-2025:10362
• https://access.redhat.com/errata/RHSA-2025:10735
• https://access.redhat.com/errata/RHSA-2025:10823
• https://access.redhat.com/errata/RHSA-2025:11386
• https://access.redhat.com/errata/RHSA-2025:11487
• https://access.redhat.com/errata/RHSA-2025:14557
• https://access.redhat.com/errata/RHSA-2025:15099

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

Remediation

Upgrade Ubuntu:22.04 expat to version 2.4.7-1ubuntu0.6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-8176
• https://access.redhat.com/security/cve/CVE-2024-8176
• https://bugzilla.redhat.com/show_bug.cgi?id=2310137
• https://github.com/libexpat/libexpat/issues/893
• http://www.openwall.com/lists/oss-security/2025/03/15/1
• https://blog.hartwork.org/posts/expat-2-7-0-released/
• https://bugzilla.suse.com/show_bug.cgi?id=1239618
• https://github.com/libexpat/libexpat/blob/R_2_7_0/expat/Changes#L40-L52
• https://gitlab.alpinelinux.org/alpine/aports/-/commit/d068c3ff36fc6f4789988a09c69b434db757db53
• https://security-tracker.debian.org/tracker/CVE-2024-8176
• https://ubuntu.com/security/CVE-2024-8176
• https://security.netapp.com/advisory/ntap-20250328-0009/
• https://access.redhat.com/errata/RHSA-2025:3531
• https://access.redhat.com/errata/RHSA-2025:3734
• https://access.redhat.com/errata/RHSA-2025:3913
• https://access.redhat.com/errata/RHSA-2025:4048
• https://access.redhat.com/errata/RHSA-2025:4447
• https://access.redhat.com/errata/RHSA-2025:4446
• https://access.redhat.com/errata/RHSA-2025:4448
• https://access.redhat.com/errata/RHSA-2025:4449
• https://www.kb.cert.org/vuls/id/760160
• https://access.redhat.com/errata/RHSA-2025:7444
• https://access.redhat.com/errata/RHSA-2025:7512
• https://access.redhat.com/errata/RHSA-2025:8385
• https://access.redhat.com/errata/RHSA-2025:13681

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

Remediation

Upgrade Ubuntu:22.04 expat to version 2.4.7-1ubuntu0.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-45490
• https://github.com/libexpat/libexpat/issues/887
• https://github.com/libexpat/libexpat/pull/890
• https://security.netapp.com/advisory/ntap-20241018-0004/

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

Remediation

Upgrade Ubuntu:22.04 krb5 to version 1.19.2-2ubuntu0.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-37370
• https://security.netapp.com/advisory/ntap-20241108-0007/
• https://github.com/krb5/krb5/commit/55fbf435edbe2e92dd8101669b1ce7144bc96fef
• https://web.mit.edu/kerberos/www/advisories/

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can a cause a denial of service.

Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an otherName subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program.

Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

Upgrade Ubuntu:22.04 openssl to version 3.0.2-0ubuntu1.18 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-6119
• https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f
• https://github.com/openssl/openssl/commit/06d1dc3fa96a2ba5a3e22735a033012aadc9f0d6
• https://github.com/openssl/openssl/commit/621f3729831b05ee828a3203eddb621d014ff2b2
• https://github.com/openssl/openssl/commit/7dfcee2cd2a63b2c64b9b4b0850be64cb695b0a0
• https://openssl-library.org/news/secadv/20240903.txt
• http://www.openwall.com/lists/oss-security/2024/09/03/4
• https://lists.freebsd.org/archives/freebsd-security/2024-September/000303.html
• https://security.netapp.com/advisory/ntap-20240912-0001/

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

The Diffie-Hellman Key Agreement Protocol allows use of long exponents that arguably make certain calculations unnecessarily expensive, because the 1996 van Oorschot and Wiener paper found that "(appropriately) short exponents" can be used when there are adequate subgroup constraints, and these short exponents can lead to less expensive calculations than for long exponents. This issue is different from CVE-2002-20001 because it is based on an observation about exponent size, rather than an observation about numbers that are not public keys. The specific situations in which calculation expense would constitute a server-side vulnerability depend on the protocol (e.g., TLS, SSH, or IKE) and the DHE implementation details. In general, there might be an availability concern because of server-side resource consumption from DHE modular-exponentiation calculations. Finally, it is possible for an attacker to exploit this vulnerability and CVE-2002-20001 together.

Remediation

Upgrade Ubuntu:22.04 openssl to version 3.0.2-0ubuntu1.16 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-40735
• https://dheatattack.gitlab.io/
• https://gist.github.com/c0r0n3r/9455ddcab985c50fd1912eabf26e058b
• https://github.com/mozilla/ssl-config-generator/issues/162
• https://ieeexplore.ieee.org/document/10374117
• https://link.springer.com/content/pdf/10.1007/3-540-68339-9_29.pdf
• https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
• https://raw.githubusercontent.com/CVEProject/cvelist/9d7fbbcabd3f44cfedc9e8807757d31ece85a2c6/2022/40xxx/CVE-2022-40735.json
• https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol/links/546c144f0cf20dedafd53e7e/Security-Issues-in-the-Diffie-Hellman-Key-Agreement-Protocol.pdf
• https://www.rfc-editor.org/rfc/rfc3526
• https://www.rfc-editor.org/rfc/rfc4419
• https://www.rfc-editor.org/rfc/rfc5114#section-4
• https://www.rfc-editor.org/rfc/rfc7919#section-5.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

libcurl's ASN1 parser code has the GTime2str() function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the time fraction, leading to a strlen() getting performed on a pointer to a heap buffer area that is not (purposely) null terminated.

This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO is used.

Remediation

Upgrade Ubuntu:22.04 curl to version 7.81.0-1ubuntu1.17 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-7264
• https://curl.se/docs/CVE-2024-7264.html
• https://curl.se/docs/CVE-2024-7264.json
• https://hackerone.com/reports/2629968
• http://www.openwall.com/lists/oss-security/2024/07/31/1
• https://github.com/curl/curl/commit/27959ecce75cdb2809c0bdb3286e60e08fadb519
• https://security.netapp.com/advisory/ntap-20240828-0008/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-6395
• https://access.redhat.com/security/cve/CVE-2025-6395
• https://bugzilla.redhat.com/show_bug.cgi?id=2376755

NVD Description

Note: Versions mentioned in the description apply only to the upstream wget package and not the wget package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

GNU Wget through 1.21.1 does not omit the Authorization header upon a redirect to a different origin, a related issue to CVE-2018-1000007.

Remediation

There is no fixed version for Ubuntu:22.04 wget.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-31879
• https://security.netapp.com/advisory/ntap-20210618-0002/
• https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5 package and not the krb5 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.

Remediation

Upgrade Ubuntu:22.04 krb5 to version 1.19.2-2ubuntu0.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-3576
• https://access.redhat.com/security/cve/CVE-2025-3576
• https://bugzilla.redhat.com/show_bug.cgi?id=2359465
• https://lists.debian.org/debian-lts-announce/2025/05/msg00047.html
• https://access.redhat.com/errata/RHSA-2025:8411
• https://access.redhat.com/errata/RHSA-2025:9418
• https://access.redhat.com/errata/RHSA-2025:9430
• https://access.redhat.com/errata/RHSA-2025:11487
• https://web.mit.edu/kerberos/krb5-1.22/krb5-1.22.html
• https://access.redhat.com/errata/RHSA-2025:13664
• https://access.redhat.com/errata/RHSA-2025:13777
• https://access.redhat.com/errata/RHSA-2025:15000
• https://access.redhat.com/errata/RHSA-2025:15002
• https://access.redhat.com/errata/RHSA-2025:15004
• https://access.redhat.com/errata/RHSA-2025:15001
• https://access.redhat.com/errata/RHSA-2025:15003

NVD Description

Note: Versions mentioned in the description apply only to the upstream apr package and not the apr package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data.

This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h)

Users are recommended to upgrade to APR version 1.7.5, which fixes this issue.

Remediation

Upgrade Ubuntu:22.04 apr to version 1.7.0-8ubuntu0.22.04.2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-49582
• https://lists.apache.org/thread/sntjc04t1rvjhdzz2tzmtz2zdnmv7dc4
• http://www.openwall.com/lists/oss-security/2024/08/26/1
• https://security.netapp.com/advisory/ntap-20241101-0004/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-12243
• https://access.redhat.com/security/cve/CVE-2024-12243
• https://bugzilla.redhat.com/show_bug.cgi?id=2344615
• https://gitlab.com/gnutls/libtasn1/-/issues/52
• https://lists.debian.org/debian-lts-announce/2025/02/msg00027.html
• https://access.redhat.com/errata/RHSA-2025:4051
• https://access.redhat.com/errata/RHSA-2025:7076
• https://access.redhat.com/errata/RHSA-2025:8020
• https://security.netapp.com/advisory/ntap-20250523-0002/
• https://access.redhat.com/errata/RHSA-2025:8385

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-32989
• https://access.redhat.com/security/cve/CVE-2025-32989
• https://bugzilla.redhat.com/show_bug.cgi?id=2359621

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1-6 package and not the libtasn1-6 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack.

Remediation

Upgrade Ubuntu:22.04 libtasn1-6 to version 4.18.0-4ubuntu0.1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-12133
• https://access.redhat.com/security/cve/CVE-2024-12133
• https://bugzilla.redhat.com/show_bug.cgi?id=2344611
• https://gitlab.com/gnutls/libtasn1/-/issues/52
• http://www.openwall.com/lists/oss-security/2025/02/06/6
• https://lists.debian.org/debian-lts-announce/2025/02/msg00025.html
• https://access.redhat.com/errata/RHSA-2025:4049
• https://access.redhat.com/errata/RHSA-2025:7077
• https://access.redhat.com/errata/RHSA-2025:8021
• https://security.netapp.com/advisory/ntap-20250523-0003/
• https://access.redhat.com/errata/RHSA-2025:8385

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash.

Remediation

There is no fixed version for Ubuntu:22.04 libssh.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-8114
• https://access.redhat.com/security/cve/CVE-2025-8114
• https://bugzilla.redhat.com/show_bug.cgi?id=2383220

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in PAM. The secret information is stored in memory, where the attacker can trigger the victim program to execute by sending characters to its standard input (stdin). As this occurs, the attacker can train the branch predictor to execute an ROP chain speculatively. This flaw could result in leaked passwords, such as those found in /etc/shadow while performing authentications.

Remediation

There is no fixed version for Ubuntu:22.04 pam.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-10041
• https://access.redhat.com/security/cve/CVE-2024-10041
• https://bugzilla.redhat.com/show_bug.cgi?id=2319212
• https://access.redhat.com/errata/RHSA-2024:9941
• https://access.redhat.com/errata/RHSA-2024:10379
• https://access.redhat.com/errata/RHSA-2024:11250

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.

A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

Remediation

Upgrade Ubuntu:22.04 systemd to version 249.11-0ubuntu3.16 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-4598
• https://access.redhat.com/security/cve/CVE-2025-4598
• https://bugzilla.redhat.com/show_bug.cgi?id=2369242
• https://www.openwall.com/lists/oss-security/2025/05/29/3
• http://www.openwall.com/lists/oss-security/2025/06/05/1
• http://www.openwall.com/lists/oss-security/2025/06/05/3
• https://blogs.oracle.com/linux/post/analysis-of-cve-2025-4598
• https://ciq.com/blog/the-real-danger-of-systemd-coredump-cve-2025-4598/
• https://www.openwall.com/lists/oss-security/2025/08/18/3

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

There's a vulnerability in the libssh package where when a libssh consumer passes in an unexpectedly large input buffer to ssh_get_fingerprint_hash() function. In such cases the bin_to_base64() function can experience an integer overflow leading to a memory under allocation, when that happens it's possible that the program perform out of bounds write leading to a heap corruption. This issue affects only 32-bits builds of libssh.

Remediation

Upgrade Ubuntu:22.04 libssh to version 0.9.6-2ubuntu0.22.04.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-4877
• https://access.redhat.com/security/cve/CVE-2025-4877
• https://bugzilla.redhat.com/show_bug.cgi?id=2376193
• https://git.libssh.org/projects/libssh.git/commit/?h=stable-0.11&id=6fd9cc8ce3958092a1aae11f1f2e911b2747732d
• https://www.libssh.org/security/advisories/CVE-2025-4877.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption.

Remediation

Upgrade Ubuntu:22.04 libssh to version 0.9.6-2ubuntu0.22.04.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-4878
• https://access.redhat.com/security/cve/CVE-2025-4878
• https://bugzilla.redhat.com/show_bug.cgi?id=2376184
• https://git.libssh.org/projects/libssh.git/commit/?id=697650caa97eaf7623924c75f9fcfec6dd423cd1
• https://git.libssh.org/projects/libssh.git/commit/?id=b35ee876adc92a208d47194772e99f9c71e0bedb

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certficate.

Remediation

Upgrade Ubuntu:22.04 curl to version 7.81.0-1ubuntu1.18 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-8096
• https://curl.se/docs/CVE-2024-8096.html
• https://curl.se/docs/CVE-2024-8096.json
• https://hackerone.com/reports/2669852
• http://www.openwall.com/lists/oss-security/2024/09/11/1
• https://lists.debian.org/debian-lts-announce/2024/11/msg00008.html
• https://security.netapp.com/advisory/ntap-20241011-0005/

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.

Remediation

Upgrade Ubuntu:22.04 expat to version 2.4.7-1ubuntu0.5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-50602
• https://github.com/libexpat/libexpat/pull/915
• https://security.netapp.com/advisory/ntap-20250404-0008/
• https://lists.debian.org/debian-lts-announce/2025/04/msg00040.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade Ubuntu:22.04 glibc to version 2.35-0ubuntu3.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-2961
• https://www.ambionics.io/blog/iconv-cve-2024-2961-p1
• https://www.ambionics.io/blog/iconv-cve-2024-2961-p2
• https://www.ambionics.io/blog/iconv-cve-2024-2961-p3
• http://www.openwall.com/lists/oss-security/2024/04/17/9
• http://www.openwall.com/lists/oss-security/2024/04/18/4
• http://www.openwall.com/lists/oss-security/2024/04/24/2
• http://www.openwall.com/lists/oss-security/2024/05/27/1
• http://www.openwall.com/lists/oss-security/2024/05/27/2
• http://www.openwall.com/lists/oss-security/2024/05/27/3
• http://www.openwall.com/lists/oss-security/2024/05/27/4
• http://www.openwall.com/lists/oss-security/2024/05/27/5
• http://www.openwall.com/lists/oss-security/2024/05/27/6
• http://www.openwall.com/lists/oss-security/2024/07/22/5
• https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/
• https://security.netapp.com/advisory/ntap-20240531-0002/
• https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004
• https://github.com/ambionics/cnext-exploits
• https://github.com/projectdiscovery/nuclei-templates/blob/main/dast/cves/2024/CVE-2024-2961.yaml

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

nscd: Stack-based buffer overflow in netgroup cache

If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade Ubuntu:22.04 glibc to version 2.35-0ubuntu3.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-33599
• http://www.openwall.com/lists/oss-security/2024/07/22/5
• https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html
• https://security.netapp.com/advisory/ntap-20240524-0011/
• https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0005

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

nscd: Null pointer crashes after notfound response

If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade Ubuntu:22.04 glibc to version 2.35-0ubuntu3.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-33600
• http://www.openwall.com/lists/oss-security/2024/07/22/5
• https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html
• https://security.netapp.com/advisory/ntap-20240524-0013/
• https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0006

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

nscd: netgroup cache may terminate daemon on memory allocation failure

The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade Ubuntu:22.04 glibc to version 2.35-0ubuntu3.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-33601
• http://www.openwall.com/lists/oss-security/2024/07/22/5
• https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html
• https://security.netapp.com/advisory/ntap-20240524-0014/
• https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

nscd: netgroup cache assumes NSS callback uses in-buffer strings

The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade Ubuntu:22.04 glibc to version 2.35-0ubuntu3.8 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-33602
• http://www.openwall.com/lists/oss-security/2024/07/22/5
• https://lists.debian.org/debian-lts-announce/2024/06/msg00026.html
• https://security.netapp.com/advisory/ntap-20240524-0012/
• https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0008

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

Remediation

Upgrade Ubuntu:22.04 glibc to version 2.35-0ubuntu3.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-0395
• https://sourceware.org/bugzilla/show_bug.cgi?id=32582
• https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2025-0001
• https://sourceware.org/pipermail/libc-announce/2025/000044.html
• https://www.openwall.com/lists/oss-security/2025/01/22/4
• http://www.openwall.com/lists/oss-security/2025/01/22/4
• http://www.openwall.com/lists/oss-security/2025/01/23/2
• https://security.netapp.com/advisory/ntap-20250228-0006/
• http://www.openwall.com/lists/oss-security/2025/04/13/1
• http://www.openwall.com/lists/oss-security/2025/04/24/7
• https://lists.debian.org/debian-lts-announce/2025/04/msg00039.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

Remediation

Upgrade Ubuntu:22.04 glibc to version 2.35-0ubuntu3.10 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-4802
• https://sourceware.org/bugzilla/show_bug.cgi?id=32976
• https://sourceware.org/cgit/glibc/commit/?id=1e18586c5820e329f741d5c710275e165581380e
• http://www.openwall.com/lists/oss-security/2025/05/16/7
• http://www.openwall.com/lists/oss-security/2025/05/17/2

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."

Remediation

Upgrade Ubuntu:22.04 gnupg2 to version 2.2.27-3ubuntu2.3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-30258
• https://dev.gnupg.org/T7527
• https://dev.gnupg.org/rG48978ccb4e20866472ef18436a32744350a65158
• https://lists.gnupg.org/pipermail/gnupg-announce/2025q1/000491.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "certtool --verify-chain" command.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-28835
• http://www.openwall.com/lists/oss-security/2024/03/22/1
• http://www.openwall.com/lists/oss-security/2024/03/22/2
• https://access.redhat.com/errata/RHSA-2024:1879
• https://access.redhat.com/errata/RHSA-2024:2570
• https://access.redhat.com/errata/RHSA-2024:2889
• https://access.redhat.com/security/cve/CVE-2024-28835
• https://bugzilla.redhat.com/show_bug.cgi?id=2269084
• https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html
• https://security.netapp.com/advisory/ntap-20241122-0009/

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.

Remediation

Upgrade Ubuntu:22.04 gnutls28 to version 3.7.3-4ubuntu1.5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-28834
• http://www.openwall.com/lists/oss-security/2024/03/22/1
• http://www.openwall.com/lists/oss-security/2024/03/22/2
• https://people.redhat.com/~hkario/marvin/
• https://security.netapp.com/advisory/ntap-20240524-0004/
• https://access.redhat.com/errata/RHSA-2024:1784
• https://access.redhat.com/errata/RHSA-2024:1879
• https://access.redhat.com/errata/RHSA-2024:1997
• https://access.redhat.com/errata/RHSA-2024:2044
• https://access.redhat.com/errata/RHSA-2024:2570
• https://access.redhat.com/errata/RHSA-2024:2889
• https://access.redhat.com/security/cve/CVE-2024-28834
• https://bugzilla.redhat.com/show_bug.cgi?id=2269228
• https://lists.gnupg.org/pipermail/gnutls-help/2024-March/004845.html
• https://minerva.crocs.fi.muni.cz/

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade Ubuntu:22.04 krb5 to version 1.19.2-2ubuntu0.6 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-24528

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcap2 package and not the libcap2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

The PAM module pam_cap.so of libcap configuration supports group names starting with “@”, during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in nonintended users being granted an inherited capability set, potentially leading to security risks. Attackers can exploit this vulnerability to achieve local privilege escalation on systems where /etc/security/capability.conf is used to configure user inherited privileges by constructing specific usernames.

Remediation

Upgrade Ubuntu:22.04 libcap2 to version 1:2.44-1ubuntu0.22.04.2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-1390
• https://bugzilla.openanolis.cn/show_bug.cgi?id=18804

NVD Description

Note: Versions mentioned in the description apply only to the upstream nghttp2 package and not the nghttp2 package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

Remediation

Upgrade Ubuntu:22.04 nghttp2 to version 1.43.0-1ubuntu0.2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-28182
• http://www.openwall.com/lists/oss-security/2024/04/03/16
• https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
• https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9
• https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
• https://lists.debian.org/debian-lts-announce/2024/04/msg00026.html
• https://lists.debian.org/debian-lts-announce/2024/09/msg00041.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGOME6ZXJG7664IPQNVE3DL67E3YP3HY/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J6ZMXUGB66VAXDW5J6QSTHM5ET25FGSA/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PXJO2EASHM2OQQLGVDY5ZSO7UVDVHTDK/

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

Perl threads have a working directory race condition where file operations may target unintended paths.

If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running.

This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.

The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

Remediation

Upgrade Ubuntu:22.04 perl to version 5.34.0-3ubuntu1.5 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-40909
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098226
• https://github.com/Perl/perl5/commit/11a11ecf4bea72b17d250cfb43c897be1341861e
• https://github.com/Perl/perl5/commit/918bfff86ca8d6d4e4ec5b30994451e0bd74aba9.patch
• https://github.com/Perl/perl5/issues/10387
• https://github.com/Perl/perl5/issues/23010
• https://perldoc.perl.org/5.14.0/perl5136delta#Directory-handles-not-copied-to-threads
• https://www.openwall.com/lists/oss-security/2025/05/22/2
• http://www.openwall.com/lists/oss-security/2025/05/23/1
• http://www.openwall.com/lists/oss-security/2025/05/30/4
• http://www.openwall.com/lists/oss-security/2025/06/02/2
• http://www.openwall.com/lists/oss-security/2025/06/02/5
• http://www.openwall.com/lists/oss-security/2025/06/02/6
• http://www.openwall.com/lists/oss-security/2025/06/02/7
• http://www.openwall.com/lists/oss-security/2025/06/03/1

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

A heap buffer overflow vulnerability was discovered in Perl.

Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10.

When there are non-ASCII bytes in the left-hand-side of the tr operator, S_do_trans_invmap can overflow the destination pointer d.

   $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped)

It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

Remediation

Upgrade Ubuntu:22.04 perl to version 5.34.0-3ubuntu1.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-56406
• https://github.com/Perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd.patch
• https://metacpan.org/release/SHAY/perl-5.38.4/changes
• https://metacpan.org/release/SHAY/perl-5.40.2/changes
• http://www.openwall.com/lists/oss-security/2025/04/13/3
• http://www.openwall.com/lists/oss-security/2025/04/13/4
• http://www.openwall.com/lists/oss-security/2025/04/13/5

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Remediation

There is no fixed version for Ubuntu:22.04 tar.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2025-45582
• https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md
• https://www.gnu.org/software/tar/
• https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
• https://www.gnu.org/software/tar/manual/html_node/Integrity.html
• https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Ubuntu. See How to fix? for Ubuntu:22.04 relevant fixed versions and status.

wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.

Remediation

Upgrade Ubuntu:22.04 util-linux to version 2.37.2-4ubuntu3.3 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2024-28085
• http://www.openwall.com/lists/oss-security/2024/03/27/5
• http://www.openwall.com/lists/oss-security/2024/03/27/6
• http://www.openwall.com/lists/oss-security/2024/03/27/7
• http://www.openwall.com/lists/oss-security/2024/03/27/8
• http://www.openwall.com/lists/oss-security/2024/03/27/9
• http://www.openwall.com/lists/oss-security/2024/03/28/1
• http://www.openwall.com/lists/oss-security/2024/03/28/2
• http://www.openwall.com/lists/oss-security/2024/03/28/3
• https://github.com/skyler-ferrante/CVE-2024-28085
• https://github.com/util-linux/util-linux/security/advisories/GHSA-xv2h-c6ww-mrjq
• https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html
• https://mirrors.edge.kernel.org/pub/linux/utils/util-linux/
• https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt
• https://security.netapp.com/advisory/ntap-20240531-0003/
• https://www.openwall.com/lists/oss-security/2024/03/27/5