Bugs addressed in recent updates
| Origin | Bug number | Title | Packages |
|---|---|---|---|
| CVE | CVE-2026-6473 | Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and wri | postgresql-18 postgresql-18 postgresql-17 postgresql-17 postgresql-16 postgresql-16 postgresql-14 postgresql-14 postgresql-18 postgresql-18 postgresql-17 postgresql-16 postgresql-16 postgresql-14 postgresql-14 postgresql-17 |
| CVE | CVE-2026-6479 | Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained d | postgresql-18 postgresql-18 postgresql-17 postgresql-17 postgresql-16 postgresql-16 postgresql-14 postgresql-14 postgresql-18 postgresql-18 postgresql-17 postgresql-16 postgresql-16 postgresql-14 postgresql-14 postgresql-17 |
| Launchpad | 2152636 | New PostgreSQL upstream microreleases 14.23, 16.14, 17.10, and 18.4 | postgresql-18 postgresql-18 postgresql-17 postgresql-17 postgresql-16 postgresql-16 postgresql-14 postgresql-14 postgresql-18 postgresql-18 postgresql-17 postgresql-16 postgresql-16 postgresql-14 postgresql-14 postgresql-17 |
| CVE | CVE-2026-5950 | An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated atta | bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 |
| CVE | CVE-2026-5947 | Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SI | bind9 bind9 bind9 bind9 |
| CVE | CVE-2026-5946 | Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or ` | bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 |
| CVE | CVE-2026-3593 | A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 thr | bind9 bind9 bind9 bind9 |
| CVE | CVE-2026-3592 | BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone | bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 |
| CVE | CVE-2026-3039 | BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving an | bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 bind9 |
| CVE | CVE-2026-5121 | A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote at | libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive |
| CVE | CVE-2026-4426 | A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a fiel | libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive |
| CVE | CVE-2026-4424 | A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of t | libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive libarchive |
| Launchpad | 2139280 | [SRU] Please update to 20260116.00 | gce-compute-image-packages gce-compute-image-packages gce-compute-image-packages |
| Launchpad | 2139302 | [SRU] Please update to 20260116.00 | google-compute-engine-oslogin google-compute-engine-oslogin google-compute-engine-oslogin |
| Launchpad | 2139288 | [SRU] Please update to 20251028.00 | google-osconfig-agent google-osconfig-agent google-osconfig-agent |
| Launchpad | 2152641 | in Ubuntu Cinnamon 26.04 where the remote repositories for Applets, Desklets, and Extensions are not loading. The \u2018Download\u2019 section remain | cinnamon |
| Launchpad | 2152764 | [SRU] Black background instead of shadows when annotating in spectacle | kquickimageeditor |
| CVE | CVE-2026-40354 | Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack o | xdg-desktop-portal xdg-desktop-portal xdg-desktop-portal xdg-desktop-portal xdg-desktop-portal xdg-desktop-portal xdg-desktop-portal xdg-desktop-portal |
| CVE | CVE-2026-41163 | bubblewrap is a low-level unprivileged sandboxing tool. From version 0.11.0 to before version 0.11.2, if bubblewrap is installed in setuid mode then | bubblewrap bubblewrap bubblewrap bubblewrap |
| CVE | CVE-2026-45232 | Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c th | rsync rsync rsync rsync rsync rsync rsync rsync |
About
-
Send Feedback to @ubuntu_updates
