UbuntuUpdates.org

Latest Changelogs for all releases


Note: Only updates for "head" packages where the changelog is available are shown on this page.

mysql-8.4 Jun 2nd 20:07
Release: resolute Repo: universe Level: updates New version: 8.4.9-0ubuntu0.26.04.1
Packages in group:  mysql-router mysql-source mysql-testsuite

  mysql-8.4 (8.4.9-0ubuntu0.26.04.1) resolute-security; urgency=medium

  * SECURITY UPDATE: Update to 8.4.9 to fix security issues
    - debian/mysql-testsuite.install: added new files.
    - CVE-2026-21998, CVE-2026-22001, CVE-2026-22002, CVE-2026-22004,
      CVE-2026-22005, CVE-2026-22009, CVE-2026-22015, CVE-2026-22017,
      CVE-2026-34270, CVE-2026-34271, CVE-2026-34276, CVE-2026-34303,
      CVE-2026-34304, CVE-2026-34308, CVE-2026-34317, CVE-2026-34318,
      CVE-2026-34319, CVE-2026-35236, CVE-2026-35237, CVE-2026-35238,
      CVE-2026-35239, CVE-2026-35240

 -- Marc Deslauriers <email address hidden> Wed, 22 Apr 2026 10:10:45 -0400

CVE-2026-21998 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4
CVE-2026-22001 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.
CVE-2026-22002 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4
CVE-2026-22004 Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 an
CVE-2026-22005 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4

luanti Jun 2nd 20:07
Release: resolute Repo: universe Level: updates New version: 5.10.0+dfsg-5+deb13u1build0.26.04.1
Packages in group:  luanti-data luanti-server minetest minetest-data minetest-server

  luanti (5.10.0+dfsg-5+deb13u1build0.26.04.1) resolute-security; urgency=medium

  * fake sync from Debian


dovecot Jun 2nd 20:07
Release: resolute Repo: universe Level: updates New version: 1:2.4.2+dfsg1-3ubuntu2.1
Packages in group:  dovecot-auth-lua dovecot-flatcurve dovecot-gssapi dovecot-ldap dovecot-lmtpd dovecot-managesieved dovecot-mysql dovecot-pgsql dovecot-solr dovecot-sqlite dovecot-submissiond (... see all)

  dovecot (1:2.4.2+dfsg1-3ubuntu2.1) resolute-security; urgency=medium

  * SECURITY UPDATE: safe filter issue when used with variable expansion
    - debian/patches/CVE-2026-27851.patch: lib-var-expand: Reset safe state when
      transfer is unset in src/lib-var-expand/test-var-expand.c, src/lib-var-
      expand/var-expand.c.
    - CVE-2026-27851
  * SECURITY UPDATE: fake SCRAM TLS channel binding via crafted base64
    - debian/patches/CVE-2026-33603.patch: login-common: Only accept base64 in
      sasl in src/login-common/client-common-auth.c.
    - CVE-2026-33603
  * SECURITY UPDATE: CPU time limits bypass via sieve script
    - debian/patches/CVE-2026-40016.patch: lib-sieve: Enforce CPU time limit
      within :contains and :matches matcher loops in pigeonhole/src/lib-
      sieve/mcht-contains.c, pigeonhole/src/lib-sieve/mcht-matches.c,
      pigeonhole/src/lib-sieve/sieve-interpreter.c, pigeonhole/src/lib-
      sieve/sieve-interpreter.h.
    - CVE-2026-40016
  * SECURITY UPDATE: permission injection via IMAP SETACL command
    - debian/patches/CVE-2026-40020-pre1.patch: acl: Add acl_id_is_valid() in
      src/plugins/acl/acl-rights.c, src/plugins/acl/acl-rights.h.
    - debian/patches/CVE-2026-40020.patch: imap-acl: Fail if ACL identifier is
      invalid in src/plugins/imap-acl/imap-acl-plugin.c.
    - CVE-2026-40020
  * SECURITY UPDATE: memory consumption via excessive bracing over IMAP
    - debian/patches/CVE-2026-42006.patch: lib-imap: Fix
      imap_parser_params.list_count_limit to actually work in src/lib-imap/imap-
      parser.c, src/lib-imap/test-imap-parser.c.
    - CVE-2026-42006

 -- Marc Deslauriers <email address hidden> Thu, 28 May 2026 15:37:54 -0400

CVE-2026-27851 When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe
CVE-2026-33603 Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is
CVE-2026-40016 Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of
CVE-2026-40020 Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes fol
CVE-2026-42006 An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of

mysql-8.4 Jun 2nd 20:07
Release: resolute Repo: main Level: updates New version: 8.4.9-0ubuntu0.26.04.1
Packages in group:  libmysqlclient24 libmysqlclient-dev mysql-client mysql-client-core mysql-server mysql-server-core

  mysql-8.4 (8.4.9-0ubuntu0.26.04.1) resolute-security; urgency=medium

  * SECURITY UPDATE: Update to 8.4.9 to fix security issues
    - debian/mysql-testsuite.install: added new files.
    - CVE-2026-21998, CVE-2026-22001, CVE-2026-22002, CVE-2026-22004,
      CVE-2026-22005, CVE-2026-22009, CVE-2026-22015, CVE-2026-22017,
      CVE-2026-34270, CVE-2026-34271, CVE-2026-34276, CVE-2026-34303,
      CVE-2026-34304, CVE-2026-34308, CVE-2026-34317, CVE-2026-34318,
      CVE-2026-34319, CVE-2026-35236, CVE-2026-35237, CVE-2026-35238,
      CVE-2026-35239, CVE-2026-35240

 -- Marc Deslauriers <email address hidden> Wed, 22 Apr 2026 10:10:45 -0400

CVE-2026-21998 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4
CVE-2026-22001 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.
CVE-2026-22002 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4
CVE-2026-22004 Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 an
CVE-2026-22005 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4

dovecot Jun 2nd 20:07
Release: resolute Repo: main Level: updates New version: 1:2.4.2+dfsg1-3ubuntu2.1
Packages in group:  dovecot-core dovecot-dev dovecot-imapd dovecot-pop3d dovecot-sieve

  dovecot (1:2.4.2+dfsg1-3ubuntu2.1) resolute-security; urgency=medium

  * SECURITY UPDATE: safe filter issue when used with variable expansion
    - debian/patches/CVE-2026-27851.patch: lib-var-expand: Reset safe state when
      transfer is unset in src/lib-var-expand/test-var-expand.c, src/lib-var-
      expand/var-expand.c.
    - CVE-2026-27851
  * SECURITY UPDATE: fake SCRAM TLS channel binding via crafted base64
    - debian/patches/CVE-2026-33603.patch: login-common: Only accept base64 in
      sasl in src/login-common/client-common-auth.c.
    - CVE-2026-33603
  * SECURITY UPDATE: CPU time limits bypass via sieve script
    - debian/patches/CVE-2026-40016.patch: lib-sieve: Enforce CPU time limit
      within :contains and :matches matcher loops in pigeonhole/src/lib-
      sieve/mcht-contains.c, pigeonhole/src/lib-sieve/mcht-matches.c,
      pigeonhole/src/lib-sieve/sieve-interpreter.c, pigeonhole/src/lib-
      sieve/sieve-interpreter.h.
    - CVE-2026-40016
  * SECURITY UPDATE: permission injection via IMAP SETACL command
    - debian/patches/CVE-2026-40020-pre1.patch: acl: Add acl_id_is_valid() in
      src/plugins/acl/acl-rights.c, src/plugins/acl/acl-rights.h.
    - debian/patches/CVE-2026-40020.patch: imap-acl: Fail if ACL identifier is
      invalid in src/plugins/imap-acl/imap-acl-plugin.c.
    - CVE-2026-40020
  * SECURITY UPDATE: memory consumption via excessive bracing over IMAP
    - debian/patches/CVE-2026-42006.patch: lib-imap: Fix
      imap_parser_params.list_count_limit to actually work in src/lib-imap/imap-
      parser.c, src/lib-imap/test-imap-parser.c.
    - CVE-2026-42006

 -- Marc Deslauriers <email address hidden> Thu, 28 May 2026 15:37:54 -0400

CVE-2026-27851 When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe
CVE-2026-33603 Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is
CVE-2026-40016 Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of
CVE-2026-40020 Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes fol
CVE-2026-42006 An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of

node-tar-fs Jun 2nd 20:07
Release: questing Repo: universe Level: updates New version: 3.0.9+~cs2.0.4-1+deb13u1build0.25.10.1
Packages in group: 

  node-tar-fs (3.0.9+~cs2.0.4-1+deb13u1build0.25.10.1) questing-security; urgency=medium

  * fake sync from Debian


mysql-8.4 Jun 2nd 20:07
Release: questing Repo: universe Level: updates New version: 8.4.9-0ubuntu0.25.10.1
Packages in group:  mysql-router mysql-source mysql-testsuite

  mysql-8.4 (8.4.9-0ubuntu0.25.10.1) questing-security; urgency=medium

  * SECURITY UPDATE: Update to 8.4.9 to fix security issues
    - debian/mysql-testsuite.install: added new files.
    - CVE-2026-21998, CVE-2026-22001, CVE-2026-22002, CVE-2026-22004,
      CVE-2026-22005, CVE-2026-22009, CVE-2026-22015, CVE-2026-22017,
      CVE-2026-34270, CVE-2026-34271, CVE-2026-34276, CVE-2026-34303,
      CVE-2026-34304, CVE-2026-34308, CVE-2026-34317, CVE-2026-34318,
      CVE-2026-34319, CVE-2026-35236, CVE-2026-35237, CVE-2026-35238,
      CVE-2026-35239, CVE-2026-35240

 -- Marc Deslauriers <email address hidden> Wed, 22 Apr 2026 10:10:45 -0400

CVE-2026-21998 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4
CVE-2026-22001 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.
CVE-2026-22002 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4
CVE-2026-22004 Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 an
CVE-2026-22005 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4

luanti Jun 2nd 20:07
Release: questing Repo: universe Level: updates New version: 5.10.0+dfsg-5+deb13u1build0.25.10.1
Packages in group:  luanti-data luanti-server minetest minetest-data minetest-server

  luanti (5.10.0+dfsg-5+deb13u1build0.25.10.1) questing-security; urgency=medium

  * fake sync from Debian


dovecot Jun 2nd 20:07
Release: questing Repo: universe Level: updates New version: 1:2.4.1+dfsg1-5ubuntu4.2
Packages in group:  dovecot-auth-lua dovecot-flatcurve dovecot-gssapi dovecot-ldap dovecot-lmtpd dovecot-managesieved dovecot-mysql dovecot-pgsql dovecot-solr dovecot-sqlite dovecot-submissiond (... see all)

  dovecot (1:2.4.1+dfsg1-5ubuntu4.2) questing-security; urgency=medium

  * SECURITY UPDATE: safe filter issue when used with variable expansion
    - debian/patches/CVE-2026-27851.patch: lib-var-expand: Reset safe state when
      transfer is unset in src/lib-var-expand/test-var-expand.c, src/lib-var-
      expand/var-expand.c.
    - CVE-2026-27851
  * SECURITY UPDATE: fake SCRAM TLS channel binding via crafted base64
    - debian/patches/CVE-2026-33603.patch: login-common: Only accept base64 in
      sasl in src/login-common/client-common-auth.c.
    - CVE-2026-33603
  * SECURITY UPDATE: CPU time limits bypass via sieve script
    - debian/patches/CVE-2026-40016.patch: lib-sieve: Enforce CPU time limit
      within :contains and :matches matcher loops in pigeonhole/src/lib-
      sieve/mcht-contains.c, pigeonhole/src/lib-sieve/mcht-matches.c,
      pigeonhole/src/lib-sieve/sieve-interpreter.c, pigeonhole/src/lib-
      sieve/sieve-interpreter.h.
    - CVE-2026-40016
  * SECURITY UPDATE: permission injection via IMAP SETACL command
    - debian/patches/CVE-2026-40020-pre1.patch: acl: Add acl_id_is_valid() in
      src/plugins/acl/acl-rights.c, src/plugins/acl/acl-rights.h.
    - debian/patches/CVE-2026-40020.patch: imap-acl: Fail if ACL identifier is
      invalid in src/plugins/imap-acl/imap-acl-plugin.c.
    - CVE-2026-40020
  * SECURITY UPDATE: memory consumption via excessive bracing over IMAP
    - debian/patches/CVE-2026-42006.patch: lib-imap: Fix
      imap_parser_params.list_count_limit to actually work in src/lib-imap/imap-
      parser.c, src/lib-imap/test-imap-parser.c.
    - CVE-2026-42006

 -- Marc Deslauriers <email address hidden> Thu, 28 May 2026 17:12:04 -0400

CVE-2026-27851 When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe
CVE-2026-33603 Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is
CVE-2026-40016 Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of
CVE-2026-40020 Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes fol
CVE-2026-42006 An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of

mysql-8.4 Jun 2nd 20:07
Release: questing Repo: main Level: updates New version: 8.4.9-0ubuntu0.25.10.1
Packages in group:  libmysqlclient24 libmysqlclient-dev mysql-client mysql-client-core mysql-server mysql-server-core

  mysql-8.4 (8.4.9-0ubuntu0.25.10.1) questing-security; urgency=medium

  * SECURITY UPDATE: Update to 8.4.9 to fix security issues
    - debian/mysql-testsuite.install: added new files.
    - CVE-2026-21998, CVE-2026-22001, CVE-2026-22002, CVE-2026-22004,
      CVE-2026-22005, CVE-2026-22009, CVE-2026-22015, CVE-2026-22017,
      CVE-2026-34270, CVE-2026-34271, CVE-2026-34276, CVE-2026-34303,
      CVE-2026-34304, CVE-2026-34308, CVE-2026-34317, CVE-2026-34318,
      CVE-2026-34319, CVE-2026-35236, CVE-2026-35237, CVE-2026-35238,
      CVE-2026-35239, CVE-2026-35240

 -- Marc Deslauriers <email address hidden> Wed, 22 Apr 2026 10:10:45 -0400

CVE-2026-21998 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4
CVE-2026-22001 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.
CVE-2026-22002 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4
CVE-2026-22004 Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 an
CVE-2026-22005 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4

dovecot Jun 2nd 20:07
Release: questing Repo: main Level: updates New version: 1:2.4.1+dfsg1-5ubuntu4.2
Packages in group:  dovecot-core dovecot-dev dovecot-imapd dovecot-pop3d dovecot-sieve

  dovecot (1:2.4.1+dfsg1-5ubuntu4.2) questing-security; urgency=medium

  * SECURITY UPDATE: safe filter issue when used with variable expansion
    - debian/patches/CVE-2026-27851.patch: lib-var-expand: Reset safe state when
      transfer is unset in src/lib-var-expand/test-var-expand.c, src/lib-var-
      expand/var-expand.c.
    - CVE-2026-27851
  * SECURITY UPDATE: fake SCRAM TLS channel binding via crafted base64
    - debian/patches/CVE-2026-33603.patch: login-common: Only accept base64 in
      sasl in src/login-common/client-common-auth.c.
    - CVE-2026-33603
  * SECURITY UPDATE: CPU time limits bypass via sieve script
    - debian/patches/CVE-2026-40016.patch: lib-sieve: Enforce CPU time limit
      within :contains and :matches matcher loops in pigeonhole/src/lib-
      sieve/mcht-contains.c, pigeonhole/src/lib-sieve/mcht-matches.c,
      pigeonhole/src/lib-sieve/sieve-interpreter.c, pigeonhole/src/lib-
      sieve/sieve-interpreter.h.
    - CVE-2026-40016
  * SECURITY UPDATE: permission injection via IMAP SETACL command
    - debian/patches/CVE-2026-40020-pre1.patch: acl: Add acl_id_is_valid() in
      src/plugins/acl/acl-rights.c, src/plugins/acl/acl-rights.h.
    - debian/patches/CVE-2026-40020.patch: imap-acl: Fail if ACL identifier is
      invalid in src/plugins/imap-acl/imap-acl-plugin.c.
    - CVE-2026-40020
  * SECURITY UPDATE: memory consumption via excessive bracing over IMAP
    - debian/patches/CVE-2026-42006.patch: lib-imap: Fix
      imap_parser_params.list_count_limit to actually work in src/lib-imap/imap-
      parser.c, src/lib-imap/test-imap-parser.c.
    - CVE-2026-42006

 -- Marc Deslauriers <email address hidden> Thu, 28 May 2026 17:12:04 -0400

CVE-2026-27851 When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe
CVE-2026-33603 Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is
CVE-2026-40016 Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of
CVE-2026-40020 Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes fol
CVE-2026-42006 An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of

mysql-8.0 Jun 2nd 20:07
Release: noble Repo: universe Level: updates New version: 8.0.46-0ubuntu0.24.04.2
Packages in group:  mysql-router mysql-source-8.0 mysql-testsuite mysql-testsuite-8.0

  mysql-8.0 (8.0.46-0ubuntu0.24.04.2) noble-security; urgency=medium

  * SECURITY UPDATE: Update to 8.0.46 to fix security issues
    - debian/patches/armhf_parser_test_fix.patch: remove a deep nesting
      test that is failing in a different manner on armhf, causing the
      build to fail.
    - CVE-2026-21998, CVE-2026-22001, CVE-2026-22002, CVE-2026-22004,
      CVE-2026-22005, CVE-2026-22009, CVE-2026-22015, CVE-2026-22017,
      CVE-2026-34267, CVE-2026-34270, CVE-2026-34271, CVE-2026-34276,
      CVE-2026-34278, CVE-2026-34293, CVE-2026-34303, CVE-2026-34304,
      CVE-2026-34308, CVE-2026-34317, CVE-2026-34318, CVE-2026-34319,
      CVE-2026-35236, CVE-2026-35237, CVE-2026-35238, CVE-2026-35239,
      CVE-2026-35240

 -- Marc Deslauriers <email address hidden> Wed, 22 Apr 2026 10:03:10 -0400

CVE-2026-21998 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4
CVE-2026-22001 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.
CVE-2026-22002 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4
CVE-2026-22004 Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 an
CVE-2026-22005 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4

libcommons-lang-java Jun 2nd 20:07
Release: noble Repo: universe Level: updates New version: 2.6-10ubuntu0.1
Packages in group:  libcommons-lang-java-doc

  libcommons-lang-java (2.6-10ubuntu0.1) noble-security; urgency=medium

  * SECURITY UPDATE: denial-of-service due to stack overflow
    - debian/patches/CVE-2025-48924.patch: Rewrite ClassUtils.getClass() without
      recursion to avoid StackOverflowError on very long inputs in
      src/main/java/org/apache/commons/lang/ClassUtils.java. Add test in
      src/test/java/org/apache/commons/lang/ClassUtilsOssFuzzTest.java.
    - CVE-2025-48924

 -- Edwin Jiang <email address hidden> Fri, 29 May 2026 16:55:28 -0400

CVE-2025-48924 Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to

dovecot Jun 2nd 20:07
Release: noble Repo: universe Level: updates New version: 1:2.3.21+dfsg1-2ubuntu6.5
Packages in group:  dovecot-auth-lua dovecot-gssapi dovecot-ldap dovecot-lmtpd dovecot-managesieved dovecot-mysql dovecot-pgsql dovecot-sieve dovecot-solr dovecot-sqlite dovecot-submissiond (... see all)

  dovecot (1:2.3.21+dfsg1-2ubuntu6.5) noble-security; urgency=medium

  * SECURITY UPDATE: fake SCRAM TLS channel binding via crafted base64
    - debian/patches/CVE-2026-33603.patch: login-common: Only accept base64 in
      sasl in src/login-common/client-common-auth.c.
    - CVE-2026-33603
  * SECURITY UPDATE: CPU time limits bypass via sieve script
    - debian/patches/CVE-2026-40016.patch: lib-sieve: Enforce CPU time limit
      within :contains and :matches matcher loops in pigeonhole/src/lib-
      sieve/mcht-contains.c, pigeonhole/src/lib-sieve/mcht-matches.c,
      pigeonhole/src/lib-sieve/sieve-interpreter.c, pigeonhole/src/lib-
      sieve/sieve-interpreter.h.
    - CVE-2026-40016
  * SECURITY UPDATE: permission injection via IMAP SETACL command
    - debian/patches/CVE-2026-40020-pre1.patch: acl: Add acl_id_is_valid() in
      src/plugins/acl/acl-api.c, src/plugins/acl/acl-api.h.
    - debian/patches/CVE-2026-40020.patch: imap-acl: Fail if ACL identifier is
      invalid in src/plugins/imap-acl/imap-acl-plugin.c.
    - CVE-2026-40020
  * SECURITY UPDATE: memory consumption via excessive bracing over IMAP
    - debian/patches/CVE-2026-42006.patch: lib-imap: Fix
      imap_parser_params.list_count_limit to actually work in src/lib-imap/imap-
      parser.c, src/lib-imap/test-imap-parser.c.
    - CVE-2026-42006

 -- Marc Deslauriers <email address hidden> Thu, 28 May 2026 17:23:32 -0400

CVE-2026-33603 Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is
CVE-2026-40016 Attacker can upload a malicious Sieve script over ManageSieve service (or locally) to bypass configured CPU time limits for Sieve up to 130 times of
CVE-2026-40020 Attacker can use the IMAP SETACL command to inject the anyone permission to user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes fol
CVE-2026-42006 An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of

mysql-8.0 Jun 2nd 20:07
Release: noble Repo: main Level: updates New version: 8.0.46-0ubuntu0.24.04.2
Packages in group:  libmysqlclient21 libmysqlclient-dev mysql-client mysql-client-8.0 mysql-client-core-8.0 mysql-server mysql-server-8.0 mysql-server-core-8.0

  mysql-8.0 (8.0.46-0ubuntu0.24.04.2) noble-security; urgency=medium

  * SECURITY UPDATE: Update to 8.0.46 to fix security issues
    - debian/patches/armhf_parser_test_fix.patch: remove a deep nesting
      test that is failing in a different manner on armhf, causing the
      build to fail.
    - CVE-2026-21998, CVE-2026-22001, CVE-2026-22002, CVE-2026-22004,
      CVE-2026-22005, CVE-2026-22009, CVE-2026-22015, CVE-2026-22017,
      CVE-2026-34267, CVE-2026-34270, CVE-2026-34271, CVE-2026-34276,
      CVE-2026-34278, CVE-2026-34293, CVE-2026-34303, CVE-2026-34304,
      CVE-2026-34308, CVE-2026-34317, CVE-2026-34318, CVE-2026-34319,
      CVE-2026-35236, CVE-2026-35237, CVE-2026-35238, CVE-2026-35239,
      CVE-2026-35240

 -- Marc Deslauriers <email address hidden> Wed, 22 Apr 2026 10:03:10 -0400

CVE-2026-21998 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4
CVE-2026-22001 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Information Schema). Supported versions that are affected are 8.0.0-8.
CVE-2026-22002 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4
CVE-2026-22004 Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 an
CVE-2026-22005 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4


