{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [],
            "removed": [],
            "diff": [
                "curl",
                "fwupd",
                "gzip",
                "iproute2",
                "libcurl3t64-gnutls",
                "libcurl4t64",
                "libfwupd3",
                "libgcrypt20",
                "libnghttp2-14",
                "libnss3",
                "libpython3.14",
                "libpython3.14-minimal",
                "libpython3.14-stdlib",
                "libsqlite3-0",
                "libssh2-1t64",
                "openssh-client",
                "openssh-server",
                "openssh-sftp-server",
                "python3-software-properties",
                "python3.14",
                "python3.14-gdbm",
                "python3.14-minimal",
                "software-properties-common",
                "tar",
                "tzdata",
                "ubuntu-kernel-accessories",
                "ubuntu-minimal",
                "ubuntu-server",
                "ubuntu-standard",
                "vim",
                "vim-common",
                "vim-runtime",
                "vim-tiny",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "curl",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2.1",
                    "version": "8.18.0-1ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2.3",
                    "version": "8.18.0-1ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-10536",
                        "url": "https://ubuntu.com/security/CVE-2026-10536",
                        "cve_description": "A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11352",
                        "url": "https://ubuntu.com/security/CVE-2026-11352",
                        "cve_description": "An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11564",
                        "url": "https://ubuntu.com/security/CVE-2026-11564",
                        "cve_description": "libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.  An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11586",
                        "url": "https://ubuntu.com/security/CVE-2026-11586",
                        "cve_description": "By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-12064",
                        "url": "https://ubuntu.com/security/CVE-2026-12064",
                        "cve_description": "When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8286",
                        "url": "https://ubuntu.com/security/CVE-2026-8286",
                        "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8458",
                        "url": "https://ubuntu.com/security/CVE-2026-8458",
                        "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'.  libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.  When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8924",
                        "url": "https://ubuntu.com/security/CVE-2026-8924",
                        "cve_description": "A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8925",
                        "url": "https://ubuntu.com/security/CVE-2026-8925",
                        "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8926",
                        "url": "https://ubuntu.com/security/CVE-2026-8926",
                        "cve_description": "When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8927",
                        "url": "https://ubuntu.com/security/CVE-2026-8927",
                        "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9079",
                        "url": "https://ubuntu.com/security/CVE-2026-9079",
                        "cve_description": "libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9545",
                        "url": "https://ubuntu.com/security/CVE-2026-9545",
                        "cve_description": "In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate.  When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9080",
                        "url": "https://ubuntu.com/security/CVE-2026-9080",
                        "cve_description": "Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9547",
                        "url": "https://ubuntu.com/security/CVE-2026-9547",
                        "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-10536",
                                "url": "https://ubuntu.com/security/CVE-2026-10536",
                                "cve_description": "A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11352",
                                "url": "https://ubuntu.com/security/CVE-2026-11352",
                                "cve_description": "An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11564",
                                "url": "https://ubuntu.com/security/CVE-2026-11564",
                                "cve_description": "libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.  An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11586",
                                "url": "https://ubuntu.com/security/CVE-2026-11586",
                                "cve_description": "By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-12064",
                                "url": "https://ubuntu.com/security/CVE-2026-12064",
                                "cve_description": "When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Use after free in curl_easy_reset.",
                            "    - debian/patches/CVE-2026-10536.patch: Deprecate CURLOPT_* in",
                            "      include/curl/curl.h, lib/http2.c,",
                            "      lib/setopt.c, lib/url.c, and lib/urldata.h",
                            "    - CVE-2026-10536",
                            "  * SECURITY UPDATE: Denial of service in QUIC UDP.",
                            "    - debian/patches/CVE-2026-11352.patch: Count zero-length UDP packets",
                            "      and enforce an upper bound in",
                            "      lib/vquic/vquic.c",
                            "    - CVE-2026-11352",
                            "  * SECURITY UPDATE: Improper certificate validation in native_ca_store.",
                            "    - debian/patches/CVE-2026-11564.patch: Add bit native_ca_store_opt to",
                            "      keep the setting of CURLOPT_(PROXY_)SSL_OPTIONS and use that to",
                            "      calculate every easy transfer if a native CA store shall be used or",
                            "      not in lib/doh.c, lib/setopt.c, and lib/vtls/vtls.c",
                            "    - CVE-2026-11564",
                            "  * SECURITY UPDATE: Memory exhaustion in ws.c",
                            "    - debian/patches/CVE-2026-11586.patch: Do not send PONG frames unless",
                            "      there is sufficient space left in the websocket send buffer in",
                            "      lib/ws.c.",
                            "    - CVE-2026-11586",
                            "  * SECURITY UPDATE: Improper validation in config2setopts.",
                            "    - debian/patches/CVE-2026-12064.patch: Use default protocol properly in",
                            "      src/config2setopts.c.",
                            "    - CVE-2026-12064",
                            ""
                        ],
                        "package": "curl",
                        "version": "8.18.0-1ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 06 Jul 2026 10:45:44 -0600"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-8286",
                                "url": "https://ubuntu.com/security/CVE-2026-8286",
                                "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8458",
                                "url": "https://ubuntu.com/security/CVE-2026-8458",
                                "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'.  libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.  When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8924",
                                "url": "https://ubuntu.com/security/CVE-2026-8924",
                                "cve_description": "A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8925",
                                "url": "https://ubuntu.com/security/CVE-2026-8925",
                                "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8926",
                                "url": "https://ubuntu.com/security/CVE-2026-8926",
                                "cve_description": "When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8927",
                                "url": "https://ubuntu.com/security/CVE-2026-8927",
                                "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9079",
                                "url": "https://ubuntu.com/security/CVE-2026-9079",
                                "cve_description": "libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9545",
                                "url": "https://ubuntu.com/security/CVE-2026-9545",
                                "cve_description": "In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate.  When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9080",
                                "url": "https://ubuntu.com/security/CVE-2026-9080",
                                "cve_description": "Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9547",
                                "url": "https://ubuntu.com/security/CVE-2026-9547",
                                "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Connection reuse for starttls protocols.",
                            "    - debian/patches/CVE-2026-8286.patch: When a connection is tested for",
                            "      reuse in a transfer that may upgrade to TLS (commonly via STARTTLS),",
                            "      the SSL configuration must match the existing connection in lib/url.c",
                            "    - CVE-2026-8286",
                            "  * SECURITY UPDATE: Connection reuse in SASL.",
                            "    - debian/patches/CVE-2026-8458.patch: Fix erroneous connection reuse in",
                            "      in lib/curl_sasl.c, lib/http_negotiate.c, lib/http_ntlm.c, lib/imap.c,",
                            "      lib/openldap.c, and lib/pop3.c",
                            "    - CVE-2026-8458",
                            "  * SECURITY UPDATE: Cookie injection in is_public_suffix.",
                            "    - debian/patches/CVE-2026-8924.patch: Trim trailing dots when checking",
                            "      PSL in lib/cookie.c.",
                            "    - CVE-2026-8924",
                            "  * SECURITY UPDATE: Double-free in gsasl.",
                            "    - debian/patches/CVE-2026-8925.patch: Require libgasl 1.6.0 to handle",
                            "      NULL argument in lib/vauth/gsasl.c.",
                            "    - CVE-2026-8925",
                            "  * SECURITY UPDATE: Information disclosure in netrc.",
                            "    - debian/patches/CVE-2026-8926.patch: Do not return a password from",
                            "      parsenetrc() when the requested login did not match the credentials",
                            "      found for the matched machine in lib/netrc.c.",
                            "    - CVE-2026-8926",
                            "  * SECURITY UPDATE: Information disclosure in libcurl",
                            "    - debian/patches/CVE-2026-8927.patch: Detect if proxy is not the same as",
                            "      previous and flush state in lib/url.c and lib/urldata.h.",
                            "    - debian/patches/CVE-2026-9079.patch: Verify NULLed proxy credentials",
                            "      in lib/setopt.c.",
                            "    - debian/patches/CVE-2026-9545.patch: Hard fail when certificate",
                            "      verification fails in lib/vquic/curl_ngtcp2.c.",
                            "    - CVE-2026-8927",
                            "    - CVE-2026-9079",
                            "    - CVE-2026-9545",
                            "  * SECURITY UPDATE: Use-after-free in curl_easy_parse",
                            "    - debian/patches/CVE-2026-9080.patch: Introduce magic struct field to",
                            "      assert against NULL pointers in lib/multi_ev.c",
                            "    - CVE-2026-9080",
                            "  * SECURITY UPDATE: Man-in-the-middle in libcurl.",
                            "    - debian/patches/CVE-2026-9547.patch: Reject host key mismatches in",
                            "      in lib/vssh/libssh.c",
                            "    - CVE-2026-9547",
                            ""
                        ],
                        "package": "curl",
                        "version": "8.18.0-1ubuntu2.2",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Thu, 25 Jun 2026 15:11:42 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "fwupd",
                "from_version": {
                    "source_package_name": "fwupd",
                    "source_package_version": "2.1.1-1ubuntu3",
                    "version": "2.1.1-1ubuntu3"
                },
                "to_version": {
                    "source_package_name": "fwupd",
                    "source_package_version": "2.1.1-1ubuntu3.1",
                    "version": "2.1.1-1ubuntu3.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148183,
                    2156480,
                    2156479,
                    2156612
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/fwupdmgr-fde-verify-snapd-recovery-key.patch",
                            "    - Fix recovery key prompt for multi-boot systems. Previously an error made",
                            "      fwupdmgr prompt all systems where hardware-backed FDE was detected, when",
                            "      it should only verify against the current system IFF it is running under",
                            "      snapd FDE. (LP: #2148183)",
                            "    - Fix incorrect error propagation. If CTRL-D was sent, the process would",
                            "      expose an incorrect error propagation in the recovery key verification.",
                            "      (LP: #2156480)",
                            "    - Link to Ubuntu TPM docs if snapd FDE is detected. Previously bugs",
                            "      related to this temporary patch could get reported upstream, leading",
                            "      to confusion as this is a short-term solution that will not get merged",
                            "      upstream.",
                            "  * d/p/mtd-fall-back-to-generic-firmware.patch: Fix an error on MTD devices",
                            "      where gtype was incorrectly set to G_TYPE_INVALID (LP: #2156479)",
                            "  * d/p/fix-device-locker-crash.patch: Fix an error where the genesys-gl32xx",
                            "      plugin would crash due to using the wrong detach and attach callbacks",
                            "      (LP: #2156612)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.1.1-1ubuntu3.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2148183,
                            2156480,
                            2156479,
                            2156612
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Thu, 18 Jun 2026 16:01:12 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "gzip",
                "from_version": {
                    "source_package_name": "gzip",
                    "source_package_version": "1.14-1~exp2ubuntu1",
                    "version": "1.14-1~exp2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "gzip",
                    "source_package_version": "1.14-1~exp2ubuntu1.1",
                    "version": "1.14-1~exp2ubuntu1.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-41991",
                        "url": "https://ubuntu.com/security/CVE-2026-41991",
                        "cve_description": "GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite.  This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-29 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-41992",
                        "url": "https://ubuntu.com/security/CVE-2026-41992",
                        "cve_description": "GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer.  This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-29 12:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-41991",
                                "url": "https://ubuntu.com/security/CVE-2026-41991",
                                "cve_description": "GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite.  This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-29 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-41992",
                                "url": "https://ubuntu.com/security/CVE-2026-41992",
                                "cve_description": "GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer.  This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-29 12:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: insecure temp file handling",
                            "    - debian/patches/CVE-2026-41991.patch: gzexe: use -C if lacking mktemp in",
                            "      gzexe.in, zdiff.in.",
                            "    - CVE-2026-41991",
                            "  * SECURITY UPDATE: overflow in LZH decompression logic",
                            "    - debian/patches/CVE-2026-41992.patch: gzip: don’t mishandle .lzh after .Z",
                            "      in unlzh.c.",
                            "    - CVE-2026-41992",
                            ""
                        ],
                        "package": "gzip",
                        "version": "1.14-1~exp2ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 03 Jul 2026 07:51:25 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "iproute2",
                "from_version": {
                    "source_package_name": "iproute2",
                    "source_package_version": "6.19.0-1ubuntu1",
                    "version": "6.19.0-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "iproute2",
                    "source_package_version": "6.19.0-1ubuntu1.1",
                    "version": "6.19.0-1ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2147525
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Modify tc/tbf and tc/htb to allow 64 bit burst parameter (LP: #2147525)",
                            "    - /d/p/lp2147525-1-tc-tbf-enable-64-bit-burst.patch",
                            "    - /d/p/lp2147525-2-tc-htb-enable-64-bit-burst.patch",
                            ""
                        ],
                        "package": "iproute2",
                        "version": "6.19.0-1ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2147525
                        ],
                        "author": "Ioana Lazea <ioana.lazea@canonical.com>",
                        "date": "Thu, 09 Apr 2026 11:47:09 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcurl3t64-gnutls",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2.1",
                    "version": "8.18.0-1ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2.3",
                    "version": "8.18.0-1ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-10536",
                        "url": "https://ubuntu.com/security/CVE-2026-10536",
                        "cve_description": "A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11352",
                        "url": "https://ubuntu.com/security/CVE-2026-11352",
                        "cve_description": "An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11564",
                        "url": "https://ubuntu.com/security/CVE-2026-11564",
                        "cve_description": "libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.  An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11586",
                        "url": "https://ubuntu.com/security/CVE-2026-11586",
                        "cve_description": "By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-12064",
                        "url": "https://ubuntu.com/security/CVE-2026-12064",
                        "cve_description": "When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8286",
                        "url": "https://ubuntu.com/security/CVE-2026-8286",
                        "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8458",
                        "url": "https://ubuntu.com/security/CVE-2026-8458",
                        "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'.  libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.  When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8924",
                        "url": "https://ubuntu.com/security/CVE-2026-8924",
                        "cve_description": "A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8925",
                        "url": "https://ubuntu.com/security/CVE-2026-8925",
                        "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8926",
                        "url": "https://ubuntu.com/security/CVE-2026-8926",
                        "cve_description": "When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8927",
                        "url": "https://ubuntu.com/security/CVE-2026-8927",
                        "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9079",
                        "url": "https://ubuntu.com/security/CVE-2026-9079",
                        "cve_description": "libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9545",
                        "url": "https://ubuntu.com/security/CVE-2026-9545",
                        "cve_description": "In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate.  When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9080",
                        "url": "https://ubuntu.com/security/CVE-2026-9080",
                        "cve_description": "Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9547",
                        "url": "https://ubuntu.com/security/CVE-2026-9547",
                        "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-10536",
                                "url": "https://ubuntu.com/security/CVE-2026-10536",
                                "cve_description": "A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11352",
                                "url": "https://ubuntu.com/security/CVE-2026-11352",
                                "cve_description": "An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11564",
                                "url": "https://ubuntu.com/security/CVE-2026-11564",
                                "cve_description": "libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.  An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11586",
                                "url": "https://ubuntu.com/security/CVE-2026-11586",
                                "cve_description": "By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-12064",
                                "url": "https://ubuntu.com/security/CVE-2026-12064",
                                "cve_description": "When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Use after free in curl_easy_reset.",
                            "    - debian/patches/CVE-2026-10536.patch: Deprecate CURLOPT_* in",
                            "      include/curl/curl.h, lib/http2.c,",
                            "      lib/setopt.c, lib/url.c, and lib/urldata.h",
                            "    - CVE-2026-10536",
                            "  * SECURITY UPDATE: Denial of service in QUIC UDP.",
                            "    - debian/patches/CVE-2026-11352.patch: Count zero-length UDP packets",
                            "      and enforce an upper bound in",
                            "      lib/vquic/vquic.c",
                            "    - CVE-2026-11352",
                            "  * SECURITY UPDATE: Improper certificate validation in native_ca_store.",
                            "    - debian/patches/CVE-2026-11564.patch: Add bit native_ca_store_opt to",
                            "      keep the setting of CURLOPT_(PROXY_)SSL_OPTIONS and use that to",
                            "      calculate every easy transfer if a native CA store shall be used or",
                            "      not in lib/doh.c, lib/setopt.c, and lib/vtls/vtls.c",
                            "    - CVE-2026-11564",
                            "  * SECURITY UPDATE: Memory exhaustion in ws.c",
                            "    - debian/patches/CVE-2026-11586.patch: Do not send PONG frames unless",
                            "      there is sufficient space left in the websocket send buffer in",
                            "      lib/ws.c.",
                            "    - CVE-2026-11586",
                            "  * SECURITY UPDATE: Improper validation in config2setopts.",
                            "    - debian/patches/CVE-2026-12064.patch: Use default protocol properly in",
                            "      src/config2setopts.c.",
                            "    - CVE-2026-12064",
                            ""
                        ],
                        "package": "curl",
                        "version": "8.18.0-1ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 06 Jul 2026 10:45:44 -0600"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-8286",
                                "url": "https://ubuntu.com/security/CVE-2026-8286",
                                "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8458",
                                "url": "https://ubuntu.com/security/CVE-2026-8458",
                                "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'.  libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.  When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8924",
                                "url": "https://ubuntu.com/security/CVE-2026-8924",
                                "cve_description": "A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8925",
                                "url": "https://ubuntu.com/security/CVE-2026-8925",
                                "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8926",
                                "url": "https://ubuntu.com/security/CVE-2026-8926",
                                "cve_description": "When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8927",
                                "url": "https://ubuntu.com/security/CVE-2026-8927",
                                "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9079",
                                "url": "https://ubuntu.com/security/CVE-2026-9079",
                                "cve_description": "libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9545",
                                "url": "https://ubuntu.com/security/CVE-2026-9545",
                                "cve_description": "In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate.  When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9080",
                                "url": "https://ubuntu.com/security/CVE-2026-9080",
                                "cve_description": "Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9547",
                                "url": "https://ubuntu.com/security/CVE-2026-9547",
                                "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Connection reuse for starttls protocols.",
                            "    - debian/patches/CVE-2026-8286.patch: When a connection is tested for",
                            "      reuse in a transfer that may upgrade to TLS (commonly via STARTTLS),",
                            "      the SSL configuration must match the existing connection in lib/url.c",
                            "    - CVE-2026-8286",
                            "  * SECURITY UPDATE: Connection reuse in SASL.",
                            "    - debian/patches/CVE-2026-8458.patch: Fix erroneous connection reuse in",
                            "      in lib/curl_sasl.c, lib/http_negotiate.c, lib/http_ntlm.c, lib/imap.c,",
                            "      lib/openldap.c, and lib/pop3.c",
                            "    - CVE-2026-8458",
                            "  * SECURITY UPDATE: Cookie injection in is_public_suffix.",
                            "    - debian/patches/CVE-2026-8924.patch: Trim trailing dots when checking",
                            "      PSL in lib/cookie.c.",
                            "    - CVE-2026-8924",
                            "  * SECURITY UPDATE: Double-free in gsasl.",
                            "    - debian/patches/CVE-2026-8925.patch: Require libgasl 1.6.0 to handle",
                            "      NULL argument in lib/vauth/gsasl.c.",
                            "    - CVE-2026-8925",
                            "  * SECURITY UPDATE: Information disclosure in netrc.",
                            "    - debian/patches/CVE-2026-8926.patch: Do not return a password from",
                            "      parsenetrc() when the requested login did not match the credentials",
                            "      found for the matched machine in lib/netrc.c.",
                            "    - CVE-2026-8926",
                            "  * SECURITY UPDATE: Information disclosure in libcurl",
                            "    - debian/patches/CVE-2026-8927.patch: Detect if proxy is not the same as",
                            "      previous and flush state in lib/url.c and lib/urldata.h.",
                            "    - debian/patches/CVE-2026-9079.patch: Verify NULLed proxy credentials",
                            "      in lib/setopt.c.",
                            "    - debian/patches/CVE-2026-9545.patch: Hard fail when certificate",
                            "      verification fails in lib/vquic/curl_ngtcp2.c.",
                            "    - CVE-2026-8927",
                            "    - CVE-2026-9079",
                            "    - CVE-2026-9545",
                            "  * SECURITY UPDATE: Use-after-free in curl_easy_parse",
                            "    - debian/patches/CVE-2026-9080.patch: Introduce magic struct field to",
                            "      assert against NULL pointers in lib/multi_ev.c",
                            "    - CVE-2026-9080",
                            "  * SECURITY UPDATE: Man-in-the-middle in libcurl.",
                            "    - debian/patches/CVE-2026-9547.patch: Reject host key mismatches in",
                            "      in lib/vssh/libssh.c",
                            "    - CVE-2026-9547",
                            ""
                        ],
                        "package": "curl",
                        "version": "8.18.0-1ubuntu2.2",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Thu, 25 Jun 2026 15:11:42 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcurl4t64",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2.1",
                    "version": "8.18.0-1ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2.3",
                    "version": "8.18.0-1ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-10536",
                        "url": "https://ubuntu.com/security/CVE-2026-10536",
                        "cve_description": "A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11352",
                        "url": "https://ubuntu.com/security/CVE-2026-11352",
                        "cve_description": "An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11564",
                        "url": "https://ubuntu.com/security/CVE-2026-11564",
                        "cve_description": "libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.  An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11586",
                        "url": "https://ubuntu.com/security/CVE-2026-11586",
                        "cve_description": "By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-12064",
                        "url": "https://ubuntu.com/security/CVE-2026-12064",
                        "cve_description": "When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8286",
                        "url": "https://ubuntu.com/security/CVE-2026-8286",
                        "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8458",
                        "url": "https://ubuntu.com/security/CVE-2026-8458",
                        "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'.  libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.  When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8924",
                        "url": "https://ubuntu.com/security/CVE-2026-8924",
                        "cve_description": "A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8925",
                        "url": "https://ubuntu.com/security/CVE-2026-8925",
                        "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8926",
                        "url": "https://ubuntu.com/security/CVE-2026-8926",
                        "cve_description": "When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8927",
                        "url": "https://ubuntu.com/security/CVE-2026-8927",
                        "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9079",
                        "url": "https://ubuntu.com/security/CVE-2026-9079",
                        "cve_description": "libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9545",
                        "url": "https://ubuntu.com/security/CVE-2026-9545",
                        "cve_description": "In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate.  When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9080",
                        "url": "https://ubuntu.com/security/CVE-2026-9080",
                        "cve_description": "Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9547",
                        "url": "https://ubuntu.com/security/CVE-2026-9547",
                        "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-10536",
                                "url": "https://ubuntu.com/security/CVE-2026-10536",
                                "cve_description": "A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11352",
                                "url": "https://ubuntu.com/security/CVE-2026-11352",
                                "cve_description": "An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11564",
                                "url": "https://ubuntu.com/security/CVE-2026-11564",
                                "cve_description": "libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.  An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11586",
                                "url": "https://ubuntu.com/security/CVE-2026-11586",
                                "cve_description": "By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-12064",
                                "url": "https://ubuntu.com/security/CVE-2026-12064",
                                "cve_description": "When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Use after free in curl_easy_reset.",
                            "    - debian/patches/CVE-2026-10536.patch: Deprecate CURLOPT_* in",
                            "      include/curl/curl.h, lib/http2.c,",
                            "      lib/setopt.c, lib/url.c, and lib/urldata.h",
                            "    - CVE-2026-10536",
                            "  * SECURITY UPDATE: Denial of service in QUIC UDP.",
                            "    - debian/patches/CVE-2026-11352.patch: Count zero-length UDP packets",
                            "      and enforce an upper bound in",
                            "      lib/vquic/vquic.c",
                            "    - CVE-2026-11352",
                            "  * SECURITY UPDATE: Improper certificate validation in native_ca_store.",
                            "    - debian/patches/CVE-2026-11564.patch: Add bit native_ca_store_opt to",
                            "      keep the setting of CURLOPT_(PROXY_)SSL_OPTIONS and use that to",
                            "      calculate every easy transfer if a native CA store shall be used or",
                            "      not in lib/doh.c, lib/setopt.c, and lib/vtls/vtls.c",
                            "    - CVE-2026-11564",
                            "  * SECURITY UPDATE: Memory exhaustion in ws.c",
                            "    - debian/patches/CVE-2026-11586.patch: Do not send PONG frames unless",
                            "      there is sufficient space left in the websocket send buffer in",
                            "      lib/ws.c.",
                            "    - CVE-2026-11586",
                            "  * SECURITY UPDATE: Improper validation in config2setopts.",
                            "    - debian/patches/CVE-2026-12064.patch: Use default protocol properly in",
                            "      src/config2setopts.c.",
                            "    - CVE-2026-12064",
                            ""
                        ],
                        "package": "curl",
                        "version": "8.18.0-1ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 06 Jul 2026 10:45:44 -0600"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-8286",
                                "url": "https://ubuntu.com/security/CVE-2026-8286",
                                "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8458",
                                "url": "https://ubuntu.com/security/CVE-2026-8458",
                                "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'.  libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.  When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8924",
                                "url": "https://ubuntu.com/security/CVE-2026-8924",
                                "cve_description": "A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8925",
                                "url": "https://ubuntu.com/security/CVE-2026-8925",
                                "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8926",
                                "url": "https://ubuntu.com/security/CVE-2026-8926",
                                "cve_description": "When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8927",
                                "url": "https://ubuntu.com/security/CVE-2026-8927",
                                "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9079",
                                "url": "https://ubuntu.com/security/CVE-2026-9079",
                                "cve_description": "libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9545",
                                "url": "https://ubuntu.com/security/CVE-2026-9545",
                                "cve_description": "In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate.  When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9080",
                                "url": "https://ubuntu.com/security/CVE-2026-9080",
                                "cve_description": "Calling `curl_easy_pause()` within the event-based `CURLMOPT_SOCKETFUNCTION` callback triggers a use-after-free vulnerability, where libcurl attempts to store a flag using a dangling struct pointer immediately after that pointer's memory has been freed.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9547",
                                "url": "https://ubuntu.com/security/CVE-2026-9547",
                                "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Connection reuse for starttls protocols.",
                            "    - debian/patches/CVE-2026-8286.patch: When a connection is tested for",
                            "      reuse in a transfer that may upgrade to TLS (commonly via STARTTLS),",
                            "      the SSL configuration must match the existing connection in lib/url.c",
                            "    - CVE-2026-8286",
                            "  * SECURITY UPDATE: Connection reuse in SASL.",
                            "    - debian/patches/CVE-2026-8458.patch: Fix erroneous connection reuse in",
                            "      in lib/curl_sasl.c, lib/http_negotiate.c, lib/http_ntlm.c, lib/imap.c,",
                            "      lib/openldap.c, and lib/pop3.c",
                            "    - CVE-2026-8458",
                            "  * SECURITY UPDATE: Cookie injection in is_public_suffix.",
                            "    - debian/patches/CVE-2026-8924.patch: Trim trailing dots when checking",
                            "      PSL in lib/cookie.c.",
                            "    - CVE-2026-8924",
                            "  * SECURITY UPDATE: Double-free in gsasl.",
                            "    - debian/patches/CVE-2026-8925.patch: Require libgasl 1.6.0 to handle",
                            "      NULL argument in lib/vauth/gsasl.c.",
                            "    - CVE-2026-8925",
                            "  * SECURITY UPDATE: Information disclosure in netrc.",
                            "    - debian/patches/CVE-2026-8926.patch: Do not return a password from",
                            "      parsenetrc() when the requested login did not match the credentials",
                            "      found for the matched machine in lib/netrc.c.",
                            "    - CVE-2026-8926",
                            "  * SECURITY UPDATE: Information disclosure in libcurl",
                            "    - debian/patches/CVE-2026-8927.patch: Detect if proxy is not the same as",
                            "      previous and flush state in lib/url.c and lib/urldata.h.",
                            "    - debian/patches/CVE-2026-9079.patch: Verify NULLed proxy credentials",
                            "      in lib/setopt.c.",
                            "    - debian/patches/CVE-2026-9545.patch: Hard fail when certificate",
                            "      verification fails in lib/vquic/curl_ngtcp2.c.",
                            "    - CVE-2026-8927",
                            "    - CVE-2026-9079",
                            "    - CVE-2026-9545",
                            "  * SECURITY UPDATE: Use-after-free in curl_easy_parse",
                            "    - debian/patches/CVE-2026-9080.patch: Introduce magic struct field to",
                            "      assert against NULL pointers in lib/multi_ev.c",
                            "    - CVE-2026-9080",
                            "  * SECURITY UPDATE: Man-in-the-middle in libcurl.",
                            "    - debian/patches/CVE-2026-9547.patch: Reject host key mismatches in",
                            "      in lib/vssh/libssh.c",
                            "    - CVE-2026-9547",
                            ""
                        ],
                        "package": "curl",
                        "version": "8.18.0-1ubuntu2.2",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Thu, 25 Jun 2026 15:11:42 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libfwupd3",
                "from_version": {
                    "source_package_name": "fwupd",
                    "source_package_version": "2.1.1-1ubuntu3",
                    "version": "2.1.1-1ubuntu3"
                },
                "to_version": {
                    "source_package_name": "fwupd",
                    "source_package_version": "2.1.1-1ubuntu3.1",
                    "version": "2.1.1-1ubuntu3.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148183,
                    2156480,
                    2156479,
                    2156612
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/fwupdmgr-fde-verify-snapd-recovery-key.patch",
                            "    - Fix recovery key prompt for multi-boot systems. Previously an error made",
                            "      fwupdmgr prompt all systems where hardware-backed FDE was detected, when",
                            "      it should only verify against the current system IFF it is running under",
                            "      snapd FDE. (LP: #2148183)",
                            "    - Fix incorrect error propagation. If CTRL-D was sent, the process would",
                            "      expose an incorrect error propagation in the recovery key verification.",
                            "      (LP: #2156480)",
                            "    - Link to Ubuntu TPM docs if snapd FDE is detected. Previously bugs",
                            "      related to this temporary patch could get reported upstream, leading",
                            "      to confusion as this is a short-term solution that will not get merged",
                            "      upstream.",
                            "  * d/p/mtd-fall-back-to-generic-firmware.patch: Fix an error on MTD devices",
                            "      where gtype was incorrectly set to G_TYPE_INVALID (LP: #2156479)",
                            "  * d/p/fix-device-locker-crash.patch: Fix an error where the genesys-gl32xx",
                            "      plugin would crash due to using the wrong detach and attach callbacks",
                            "      (LP: #2156612)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.1.1-1ubuntu3.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2148183,
                            2156480,
                            2156479,
                            2156612
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Thu, 18 Jun 2026 16:01:12 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libgcrypt20",
                "from_version": {
                    "source_package_name": "libgcrypt20",
                    "source_package_version": "1.12.0-2ubuntu0.1",
                    "version": "1.12.0-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "libgcrypt20",
                    "source_package_version": "1.12.0-2ubuntu1",
                    "version": "1.12.0-2ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2154120
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/riscv-fix-vlen-greater-128: Fix computing on RISC-V ",
                            "    with VLEN > 128 (LP: #2154120)",
                            ""
                        ],
                        "package": "libgcrypt20",
                        "version": "1.12.0-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2154120
                        ],
                        "author": "Valentin Haudiquet <valentin.haudiquet@canonical.com>",
                        "date": "Fri, 29 May 2026 14:01:44 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnghttp2-14",
                "from_version": {
                    "source_package_name": "nghttp2",
                    "source_package_version": "1.68.0-2ubuntu0.1",
                    "version": "1.68.0-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "nghttp2",
                    "source_package_version": "1.68.0-2ubuntu0.2",
                    "version": "1.68.0-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-58055",
                        "url": "https://ubuntu.com/security/CVE-2026-58055",
                        "cve_description": "nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-28 02:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-58055",
                                "url": "https://ubuntu.com/security/CVE-2026-58055",
                                "cve_description": "nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-28 02:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: HTTP request/response smuggling issue",
                            "    - debian/patches/CVE-2026-58055.patch: nghttpx: Tighten up CONNECT and HTTP",
                            "      Upgrade handling in src/shrpx_downstream.cc, src/shrpx_downstream.h,",
                            "      src/shrpx_http2_upstream.cc, src/shrpx_http3_upstream.cc,",
                            "      src/shrpx_http_downstream_connection.cc,",
                            "      src/shrpx_http_downstream_connection.h, src/shrpx_https_upstream.cc.",
                            "    - CVE-2026-58055",
                            ""
                        ],
                        "package": "nghttp2",
                        "version": "1.68.0-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 30 Jun 2026 12:37:58 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnss3",
                "from_version": {
                    "source_package_name": "nss",
                    "source_package_version": "2:3.120-1ubuntu2",
                    "version": "2:3.120-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "nss",
                    "source_package_version": "2:3.120-1ubuntu2.1",
                    "version": "2:3.120-1ubuntu2.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-12318",
                        "url": "https://ubuntu.com/security/CVE-2026-12318",
                        "cve_description": "Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 152 and Thunderbird 152.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-16 13:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-12318",
                                "url": "https://ubuntu.com/security/CVE-2026-12318",
                                "cve_description": "Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 152 and Thunderbird 152.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-16 13:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: OOB read in pk11uri_ParseAttributes",
                            "    - debian/patches/CVE-2026-12318.patch: improve handling of escape",
                            "      sequences in nss/lib/util/pkcs11uri.c.",
                            "    - CVE-2026-12318",
                            ""
                        ],
                        "package": "nss",
                        "version": "2:3.120-1ubuntu2.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 18 Jun 2026 07:22:24 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.14",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1ubuntu0.1",
                    "version": "3.14.4-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py,",
                            "      Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient validation of remote debugging offset tables",
                            "    - debian/patches/CVE-2026-5713.patch: Validate remote debug offset tables",
                            "      on load in Modules/_remote_debugging_module.c.",
                            "    - CVE-2026-5713",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use decodeURIComponent() for",
                            "      UTF-8 support in js_output() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      {LZMA,BZ2,_Zlib}Decompressor in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c, Modules/zlibmodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: tarfile.data_filter could be bypassed",
                            "    - debian/patches/CVE-2026-7774.patch: tarfile.data_filter: validate written",
                            "      link target in Lib/tarfile.py, Lib/test/test_tarfile.py.",
                            "    - CVE-2026-7774",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() in Lib/ftplib.py, Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 18 Jun 2026 10:25:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.14-minimal",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1ubuntu0.1",
                    "version": "3.14.4-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py,",
                            "      Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient validation of remote debugging offset tables",
                            "    - debian/patches/CVE-2026-5713.patch: Validate remote debug offset tables",
                            "      on load in Modules/_remote_debugging_module.c.",
                            "    - CVE-2026-5713",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use decodeURIComponent() for",
                            "      UTF-8 support in js_output() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      {LZMA,BZ2,_Zlib}Decompressor in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c, Modules/zlibmodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: tarfile.data_filter could be bypassed",
                            "    - debian/patches/CVE-2026-7774.patch: tarfile.data_filter: validate written",
                            "      link target in Lib/tarfile.py, Lib/test/test_tarfile.py.",
                            "    - CVE-2026-7774",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() in Lib/ftplib.py, Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 18 Jun 2026 10:25:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.14-stdlib",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1ubuntu0.1",
                    "version": "3.14.4-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py,",
                            "      Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient validation of remote debugging offset tables",
                            "    - debian/patches/CVE-2026-5713.patch: Validate remote debug offset tables",
                            "      on load in Modules/_remote_debugging_module.c.",
                            "    - CVE-2026-5713",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use decodeURIComponent() for",
                            "      UTF-8 support in js_output() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      {LZMA,BZ2,_Zlib}Decompressor in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c, Modules/zlibmodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: tarfile.data_filter could be bypassed",
                            "    - debian/patches/CVE-2026-7774.patch: tarfile.data_filter: validate written",
                            "      link target in Lib/tarfile.py, Lib/test/test_tarfile.py.",
                            "    - CVE-2026-7774",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() in Lib/ftplib.py, Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 18 Jun 2026 10:25:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsqlite3-0",
                "from_version": {
                    "source_package_name": "sqlite3",
                    "source_package_version": "3.46.1-9",
                    "version": "3.46.1-9"
                },
                "to_version": {
                    "source_package_name": "sqlite3",
                    "source_package_version": "3.46.1-9ubuntu0.1",
                    "version": "3.46.1-9ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-11822",
                        "url": "https://ubuntu.com/security/CVE-2026-11822",
                        "cve_description": "SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11824",
                        "url": "https://ubuntu.com/security/CVE-2026-11824",
                        "cve_description": "SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 20:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-11822",
                                "url": "https://ubuntu.com/security/CVE-2026-11822",
                                "cve_description": "SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11824",
                                "url": "https://ubuntu.com/security/CVE-2026-11824",
                                "cve_description": "SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: security issues in FTS5 full-text search",
                            "    - debian/patches/CVE-2026-11822_4.patch: Fix logic in ext/fts5/fts5_index.c.",
                            "    - CVE-2026-11822",
                            "    - CVE-2026-11824",
                            ""
                        ],
                        "package": "sqlite3",
                        "version": "3.46.1-9ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 16 Jun 2026 13:48:21 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libssh2-1t64",
                "from_version": {
                    "source_package_name": "libssh2",
                    "source_package_version": "1.11.1-1ubuntu0.26.04.1",
                    "version": "1.11.1-1ubuntu0.26.04.1"
                },
                "to_version": {
                    "source_package_name": "libssh2",
                    "source_package_version": "1.11.1-1ubuntu0.26.04.3",
                    "version": "1.11.1-1ubuntu0.26.04.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-5805",
                        "url": "https://ubuntu.com/security/CVE-2026-5805",
                        "cve_description": "",
                        "cve_priority": "n/a",
                        "cve_public_date": ""
                    },
                    {
                        "cve": "CVE-2026-58051",
                        "url": "https://ubuntu.com/security/CVE-2026-58051",
                        "cve_description": "libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-28 02:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-58050",
                        "url": "https://ubuntu.com/security/CVE-2026-58050",
                        "cve_description": "libssh2 through 1.11.1 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation num_attrs * sizeof(libssh2_publickey_attribute) without bounds checking, so on 32-bit platforms the multiplication overflows to an undersized buffer. A malicious SSH server can then drive the attribute-parsing loop to write past the allocation, causing a heap buffer overflow in a connecting libssh2 client.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-28 02:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15661",
                        "url": "https://ubuntu.com/security/CVE-2025-15661",
                        "cve_description": "libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-18 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55199",
                        "url": "https://ubuntu.com/security/CVE-2026-55199",
                        "cve_description": "libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-17 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55200",
                        "url": "https://ubuntu.com/security/CVE-2026-55200",
                        "cve_description": "libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-17 20:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-5805",
                                "url": "https://ubuntu.com/security/CVE-2026-5805",
                                "cve_description": "",
                                "cve_priority": "n/a",
                                "cve_public_date": ""
                            },
                            {
                                "cve": "CVE-2026-58051",
                                "url": "https://ubuntu.com/security/CVE-2026-58051",
                                "cve_description": "libssh2 through 1.11.1 grows its publickey list with SSH2_REALLOC but does not zero-initialize new entries before parsing populates them, so a parse failure reaching the cleanup path leaves libssh2_publickey_list_free operating on an uninitialized entry. A malicious SSH server offering the publickey subsystem can use a malformed response to make cleanup free an uninitialized, attacker-influenceable attrs pointer in a connecting libssh2 client.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-28 02:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-58050",
                                "url": "https://ubuntu.com/security/CVE-2026-58050",
                                "cve_description": "libssh2 through 1.11.1 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation num_attrs * sizeof(libssh2_publickey_attribute) without bounds checking, so on 32-bit platforms the multiplication overflows to an undersized buffer. A malicious SSH server can then drive the attribute-parsing loop to write past the allocation, causing a heap buffer overflow in a connecting libssh2 client.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-28 02:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Multiple security issues in publickey",
                            "    - debian/patches/CVE-2026-5805x-pre1.patch: fix potential arbitrary free",
                            "      in libssh2_publickey_list_fetch().",
                            "    - debian/patches/CVE-2026-5805x-pre2.patch: fix potential multiplication",
                            "      overflow in 32-bit libssh2_publickey_list_fetch().",
                            "    - debian/patches/CVE-2026-5805x-pre3.patch: cap packet size in",
                            "      publickey_packet_receive().",
                            "    - debian/patches/CVE-2026-5805x-pre4.patch: fix leaks when",
                            "      publickey_response_success() received <8 bytes.",
                            "    - debian/patches/CVE-2026-5805x-pre5.patch: fix potential OOB read in",
                            "      publickey_response_success().",
                            "    - debian/patches/CVE-2026-58051.patch: fix potential OOB read in",
                            "      libssh2_publickey_list_fetch().",
                            "    - debian/patches/CVE-2026-5805x-pre6.patch: fix potential OOB read.",
                            "    - debian/patches/CVE-2026-5805x-pre7.patch: flatten bounds check if blocks",
                            "      (tidy-up).",
                            "    - debian/patches/CVE-2026-5805x-pre8.patch: rework bounds checks to avoid",
                            "      pointer comparisons.",
                            "    - debian/patches/CVE-2026-58050.patch: cap variable-length packet element",
                            "      sizes.",
                            "    - CVE-2026-58050",
                            "    - CVE-2026-58051",
                            ""
                        ],
                        "package": "libssh2",
                        "version": "1.11.1-1ubuntu0.26.04.3",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 07 Jul 2026 14:23:05 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-15661",
                                "url": "https://ubuntu.com/security/CVE-2025-15661",
                                "cve_description": "libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-18 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55199",
                                "url": "https://ubuntu.com/security/CVE-2026-55199",
                                "cve_description": "libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-17 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55200",
                                "url": "https://ubuntu.com/security/CVE-2026-55200",
                                "cve_description": "libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-17 20:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: OOB read in sftp_symlink()",
                            "    - debian/patches/CVE-2025-15661-pre1.patch: add LIBSSH2_UNCONST() in",
                            "      src/libssh2_priv.h.",
                            "    - debian/patches/CVE-2025-15661.patch: Update sftp_symlink to avoid out of",
                            "      bounds read on malformed packet in src/sftp.c.",
                            "    - CVE-2025-15661",
                            "  * SECURITY UPDATE: pre-authentication denial of service via CPU loop",
                            "    - debian/patches/CVE-2026-55199.patch: packet: check `_libssh2_get_string()`",
                            "      return in `EXT_INFO` handler in src/packet.c.",
                            "    - CVE-2026-55199",
                            "  * SECURITY UPDATE: code exec via OOB write in ssh2_transport_read()",
                            "    - debian/patches/CVE-2026-55200.patch: transport.c: Additional boundary",
                            "      checks for packet length in src/transport.c.",
                            "    - CVE-2026-55200",
                            ""
                        ],
                        "package": "libssh2",
                        "version": "1.11.1-1ubuntu0.26.04.2",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 29 Jun 2026 09:11:08 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-client",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu3.2",
                    "version": "1:10.2p1-2ubuntu3.2"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu3.4",
                    "version": "1:10.2p1-2ubuntu3.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-59995",
                        "url": "https://ubuntu.com/security/CVE-2026-59995",
                        "cve_description": "sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \"sftp server:/path .\" is used with an attacker-controlled server.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59996",
                        "url": "https://ubuntu.com/security/CVE-2026-59996",
                        "cve_description": "scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59997",
                        "url": "https://ubuntu.com/security/CVE-2026-59997",
                        "cve_description": "internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59998",
                        "url": "https://ubuntu.com/security/CVE-2026-59998",
                        "cve_description": "sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59999",
                        "url": "https://ubuntu.com/security/CVE-2026-59999",
                        "cve_description": "In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-60000",
                        "url": "https://ubuntu.com/security/CVE-2026-60000",
                        "cve_description": "sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-60001",
                        "url": "https://ubuntu.com/security/CVE-2026-60001",
                        "cve_description": "sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-60002",
                        "url": "https://ubuntu.com/security/CVE-2026-60002",
                        "cve_description": "ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2151817
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-59995",
                                "url": "https://ubuntu.com/security/CVE-2026-59995",
                                "cve_description": "sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \"sftp server:/path .\" is used with an attacker-controlled server.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59996",
                                "url": "https://ubuntu.com/security/CVE-2026-59996",
                                "cve_description": "scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59997",
                                "url": "https://ubuntu.com/security/CVE-2026-59997",
                                "cve_description": "internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59998",
                                "url": "https://ubuntu.com/security/CVE-2026-59998",
                                "cve_description": "sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59999",
                                "url": "https://ubuntu.com/security/CVE-2026-59999",
                                "cve_description": "In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-60000",
                                "url": "https://ubuntu.com/security/CVE-2026-60000",
                                "cve_description": "sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-60001",
                                "url": "https://ubuntu.com/security/CVE-2026-60001",
                                "cve_description": "sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-60002",
                                "url": "https://ubuntu.com/security/CVE-2026-60002",
                                "cve_description": "ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: sftp downloaded files location issue",
                            "    - debian/patches/CVE-2026-59995.patch: upstream: avoid download to server-",
                            "      controlled path when performing in sftp.c.",
                            "    - CVE-2026-59995",
                            "  * SECURITY UPDATE: scp parent directory issue",
                            "    - debian/patches/CVE-2026-59996.patch: upstream: resist that return \"..\" via",
                            "      remote glob during in scp.c.",
                            "    - CVE-2026-59996",
                            "  * SECURITY UPDATE: internal-sftp ignores more than 9 commandline args",
                            "    - debian/patches/CVE-2026-59997.patch: upstream: pass >9 commandline",
                            "      arguments to the internal-sftp server, in session.c.",
                            "    - CVE-2026-59997",
                            "  * SECURITY UPDATE: undocumented GSSAPIStrictAcceptorCheck behaviour",
                            "    - debian/patches/CVE-2026-59998.patch: upstream: mention a caveat regarding",
                            "      GSSAPIStrictAcceptorCheck in in sshd_config.5.",
                            "    - CVE-2026-59998",
                            "  * SECURITY UPDATE: DisableForwarding=yes not taking proper precedence",
                            "    - debian/patches/CVE-2026-59999.patch: upstream: DisableForwarding=yes",
                            "      didn't override PermitTunnel=yes in serverloop.c.",
                            "    - CVE-2026-59999",
                            "  * SECURITY UPDATE: DoS via MaxAuthTries mishandling",
                            "    - debian/patches/CVE-2026-60000-1.patch: upstream: Fix multiple RFC 4462",
                            "      (GSSAPIAuthentication) compliance in auth2-gss.c.",
                            "    - debian/patches/CVE-2026-60000-2.patch: upstream: unused variables in",
                            "      auth2-gss.c.",
                            "    - CVE-2026-60000",
                            "  * SECURITY UPDATE: minimum authentication delay not always honoured",
                            "    - debian/patches/CVE-2026-60001.patch: upstream: Fix cases in GSSAPI and",
                            "      keyboard-interactive in auth.h, auth2-chall.c, auth2-gss.c, auth2.c.",
                            "    - CVE-2026-60001",
                            "  * SECURITY UPDATE: Use-after-free during a key re-exchange",
                            "    - debian/patches/CVE-2026-60002.patch: upstream: fix ownership and lifetime",
                            "      of several bits of client in ssh.c, sshconnect.c, sshconnect.h,",
                            "      sshconnect2.c.",
                            "    - CVE-2026-60002",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.2p1-2ubuntu3.4",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 09 Jul 2026 14:06:35 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/lp2151817-fix-pam-short-names-{1,2}.patch:",
                            "    - Cherry-pick upstream patch to fix PAM with short names (LP: #2151817)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.2p1-2ubuntu3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2151817
                        ],
                        "author": "Grayson Wolf <grayson.wolf@canonical.com>",
                        "date": "Tue, 09 Jun 2026 16:33:11 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu3.2",
                    "version": "1:10.2p1-2ubuntu3.2"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu3.4",
                    "version": "1:10.2p1-2ubuntu3.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-59995",
                        "url": "https://ubuntu.com/security/CVE-2026-59995",
                        "cve_description": "sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \"sftp server:/path .\" is used with an attacker-controlled server.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59996",
                        "url": "https://ubuntu.com/security/CVE-2026-59996",
                        "cve_description": "scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59997",
                        "url": "https://ubuntu.com/security/CVE-2026-59997",
                        "cve_description": "internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59998",
                        "url": "https://ubuntu.com/security/CVE-2026-59998",
                        "cve_description": "sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59999",
                        "url": "https://ubuntu.com/security/CVE-2026-59999",
                        "cve_description": "In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-60000",
                        "url": "https://ubuntu.com/security/CVE-2026-60000",
                        "cve_description": "sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-60001",
                        "url": "https://ubuntu.com/security/CVE-2026-60001",
                        "cve_description": "sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-60002",
                        "url": "https://ubuntu.com/security/CVE-2026-60002",
                        "cve_description": "ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2151817
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-59995",
                                "url": "https://ubuntu.com/security/CVE-2026-59995",
                                "cve_description": "sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \"sftp server:/path .\" is used with an attacker-controlled server.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59996",
                                "url": "https://ubuntu.com/security/CVE-2026-59996",
                                "cve_description": "scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59997",
                                "url": "https://ubuntu.com/security/CVE-2026-59997",
                                "cve_description": "internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59998",
                                "url": "https://ubuntu.com/security/CVE-2026-59998",
                                "cve_description": "sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59999",
                                "url": "https://ubuntu.com/security/CVE-2026-59999",
                                "cve_description": "In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-60000",
                                "url": "https://ubuntu.com/security/CVE-2026-60000",
                                "cve_description": "sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-60001",
                                "url": "https://ubuntu.com/security/CVE-2026-60001",
                                "cve_description": "sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-60002",
                                "url": "https://ubuntu.com/security/CVE-2026-60002",
                                "cve_description": "ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: sftp downloaded files location issue",
                            "    - debian/patches/CVE-2026-59995.patch: upstream: avoid download to server-",
                            "      controlled path when performing in sftp.c.",
                            "    - CVE-2026-59995",
                            "  * SECURITY UPDATE: scp parent directory issue",
                            "    - debian/patches/CVE-2026-59996.patch: upstream: resist that return \"..\" via",
                            "      remote glob during in scp.c.",
                            "    - CVE-2026-59996",
                            "  * SECURITY UPDATE: internal-sftp ignores more than 9 commandline args",
                            "    - debian/patches/CVE-2026-59997.patch: upstream: pass >9 commandline",
                            "      arguments to the internal-sftp server, in session.c.",
                            "    - CVE-2026-59997",
                            "  * SECURITY UPDATE: undocumented GSSAPIStrictAcceptorCheck behaviour",
                            "    - debian/patches/CVE-2026-59998.patch: upstream: mention a caveat regarding",
                            "      GSSAPIStrictAcceptorCheck in in sshd_config.5.",
                            "    - CVE-2026-59998",
                            "  * SECURITY UPDATE: DisableForwarding=yes not taking proper precedence",
                            "    - debian/patches/CVE-2026-59999.patch: upstream: DisableForwarding=yes",
                            "      didn't override PermitTunnel=yes in serverloop.c.",
                            "    - CVE-2026-59999",
                            "  * SECURITY UPDATE: DoS via MaxAuthTries mishandling",
                            "    - debian/patches/CVE-2026-60000-1.patch: upstream: Fix multiple RFC 4462",
                            "      (GSSAPIAuthentication) compliance in auth2-gss.c.",
                            "    - debian/patches/CVE-2026-60000-2.patch: upstream: unused variables in",
                            "      auth2-gss.c.",
                            "    - CVE-2026-60000",
                            "  * SECURITY UPDATE: minimum authentication delay not always honoured",
                            "    - debian/patches/CVE-2026-60001.patch: upstream: Fix cases in GSSAPI and",
                            "      keyboard-interactive in auth.h, auth2-chall.c, auth2-gss.c, auth2.c.",
                            "    - CVE-2026-60001",
                            "  * SECURITY UPDATE: Use-after-free during a key re-exchange",
                            "    - debian/patches/CVE-2026-60002.patch: upstream: fix ownership and lifetime",
                            "      of several bits of client in ssh.c, sshconnect.c, sshconnect.h,",
                            "      sshconnect2.c.",
                            "    - CVE-2026-60002",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.2p1-2ubuntu3.4",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 09 Jul 2026 14:06:35 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/lp2151817-fix-pam-short-names-{1,2}.patch:",
                            "    - Cherry-pick upstream patch to fix PAM with short names (LP: #2151817)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.2p1-2ubuntu3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2151817
                        ],
                        "author": "Grayson Wolf <grayson.wolf@canonical.com>",
                        "date": "Tue, 09 Jun 2026 16:33:11 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-sftp-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu3.2",
                    "version": "1:10.2p1-2ubuntu3.2"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu3.4",
                    "version": "1:10.2p1-2ubuntu3.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-59995",
                        "url": "https://ubuntu.com/security/CVE-2026-59995",
                        "cve_description": "sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \"sftp server:/path .\" is used with an attacker-controlled server.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59996",
                        "url": "https://ubuntu.com/security/CVE-2026-59996",
                        "cve_description": "scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59997",
                        "url": "https://ubuntu.com/security/CVE-2026-59997",
                        "cve_description": "internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59998",
                        "url": "https://ubuntu.com/security/CVE-2026-59998",
                        "cve_description": "sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59999",
                        "url": "https://ubuntu.com/security/CVE-2026-59999",
                        "cve_description": "In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-60000",
                        "url": "https://ubuntu.com/security/CVE-2026-60000",
                        "cve_description": "sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-60001",
                        "url": "https://ubuntu.com/security/CVE-2026-60001",
                        "cve_description": "sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-60002",
                        "url": "https://ubuntu.com/security/CVE-2026-60002",
                        "cve_description": "ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 01:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2151817
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-59995",
                                "url": "https://ubuntu.com/security/CVE-2026-59995",
                                "cve_description": "sftp in OpenSSH before 10.4 does not properly constrain the location of downloaded files when \"sftp server:/path .\" is used with an attacker-controlled server.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59996",
                                "url": "https://ubuntu.com/security/CVE-2026-59996",
                                "cve_description": "scp in OpenSSH before 10.4 may place a file in the parent directory of an intended directory when the copy occurs between two remote destinations.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59997",
                                "url": "https://ubuntu.com/security/CVE-2026-59997",
                                "cve_description": "internal-sftp in sshd in OpenSSH before 10.4 recognizes only the first 9 command-line arguments, which can be important if a later command-line argument would have helped to ensure the intended security properties of an SFTP connection.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59998",
                                "url": "https://ubuntu.com/security/CVE-2026-59998",
                                "cve_description": "sshd in OpenSSH before 10.4 has an undocumented security-relevant behavior: GSSAPIStrictAcceptorCheck has no value if the server is in Windows Active Directory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59999",
                                "url": "https://ubuntu.com/security/CVE-2026-59999",
                                "cve_description": "In sshd in OpenSSH before 10.4, DisableForwarding=yes was supposed to take precedence over PermitTunnel=yes, but did not.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-60000",
                                "url": "https://ubuntu.com/security/CVE-2026-60000",
                                "cve_description": "sshd in OpenSSH before 10.4 allows remote attackers to cause a denial of service (resource consumption from excessive authentication attempts) because MaxAuthTries was mishandled for GSSAPIAuthentication.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-60001",
                                "url": "https://ubuntu.com/security/CVE-2026-60001",
                                "cve_description": "sshd in OpenSSH before 10.4 does not always honor the minimum authentication delay.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-60002",
                                "url": "https://ubuntu.com/security/CVE-2026-60002",
                                "cve_description": "ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. (This outcome occurs only on the client side.)",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 01:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: sftp downloaded files location issue",
                            "    - debian/patches/CVE-2026-59995.patch: upstream: avoid download to server-",
                            "      controlled path when performing in sftp.c.",
                            "    - CVE-2026-59995",
                            "  * SECURITY UPDATE: scp parent directory issue",
                            "    - debian/patches/CVE-2026-59996.patch: upstream: resist that return \"..\" via",
                            "      remote glob during in scp.c.",
                            "    - CVE-2026-59996",
                            "  * SECURITY UPDATE: internal-sftp ignores more than 9 commandline args",
                            "    - debian/patches/CVE-2026-59997.patch: upstream: pass >9 commandline",
                            "      arguments to the internal-sftp server, in session.c.",
                            "    - CVE-2026-59997",
                            "  * SECURITY UPDATE: undocumented GSSAPIStrictAcceptorCheck behaviour",
                            "    - debian/patches/CVE-2026-59998.patch: upstream: mention a caveat regarding",
                            "      GSSAPIStrictAcceptorCheck in in sshd_config.5.",
                            "    - CVE-2026-59998",
                            "  * SECURITY UPDATE: DisableForwarding=yes not taking proper precedence",
                            "    - debian/patches/CVE-2026-59999.patch: upstream: DisableForwarding=yes",
                            "      didn't override PermitTunnel=yes in serverloop.c.",
                            "    - CVE-2026-59999",
                            "  * SECURITY UPDATE: DoS via MaxAuthTries mishandling",
                            "    - debian/patches/CVE-2026-60000-1.patch: upstream: Fix multiple RFC 4462",
                            "      (GSSAPIAuthentication) compliance in auth2-gss.c.",
                            "    - debian/patches/CVE-2026-60000-2.patch: upstream: unused variables in",
                            "      auth2-gss.c.",
                            "    - CVE-2026-60000",
                            "  * SECURITY UPDATE: minimum authentication delay not always honoured",
                            "    - debian/patches/CVE-2026-60001.patch: upstream: Fix cases in GSSAPI and",
                            "      keyboard-interactive in auth.h, auth2-chall.c, auth2-gss.c, auth2.c.",
                            "    - CVE-2026-60001",
                            "  * SECURITY UPDATE: Use-after-free during a key re-exchange",
                            "    - debian/patches/CVE-2026-60002.patch: upstream: fix ownership and lifetime",
                            "      of several bits of client in ssh.c, sshconnect.c, sshconnect.h,",
                            "      sshconnect2.c.",
                            "    - CVE-2026-60002",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.2p1-2ubuntu3.4",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 09 Jul 2026 14:06:35 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/lp2151817-fix-pam-short-names-{1,2}.patch:",
                            "    - Cherry-pick upstream patch to fix PAM with short names (LP: #2151817)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.2p1-2ubuntu3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2151817
                        ],
                        "author": "Grayson Wolf <grayson.wolf@canonical.com>",
                        "date": "Tue, 09 Jun 2026 16:33:11 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-software-properties",
                "from_version": {
                    "source_package_name": "software-properties",
                    "source_package_version": "0.120",
                    "version": "0.120"
                },
                "to_version": {
                    "source_package_name": "software-properties",
                    "source_package_version": "0.120.1",
                    "version": "0.120.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2150181,
                    2151292
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * gtk: Fix driver detection crash with Python 3.14 forkserver",
                            "    multiprocessing (LP: #2150181)",
                            "  * gtk: Fix typo in section name check causing crash on manually",
                            "    installed drivers (LP: #2151292)",
                            ""
                        ],
                        "package": "software-properties",
                        "version": "0.120.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2150181,
                            2151292
                        ],
                        "author": "Charles <charles05@canonical.com>",
                        "date": "Fri, 24 Apr 2026 11:20:18 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.14",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1ubuntu0.1",
                    "version": "3.14.4-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py,",
                            "      Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient validation of remote debugging offset tables",
                            "    - debian/patches/CVE-2026-5713.patch: Validate remote debug offset tables",
                            "      on load in Modules/_remote_debugging_module.c.",
                            "    - CVE-2026-5713",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use decodeURIComponent() for",
                            "      UTF-8 support in js_output() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      {LZMA,BZ2,_Zlib}Decompressor in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c, Modules/zlibmodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: tarfile.data_filter could be bypassed",
                            "    - debian/patches/CVE-2026-7774.patch: tarfile.data_filter: validate written",
                            "      link target in Lib/tarfile.py, Lib/test/test_tarfile.py.",
                            "    - CVE-2026-7774",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() in Lib/ftplib.py, Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 18 Jun 2026 10:25:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.14-gdbm",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1ubuntu0.1",
                    "version": "3.14.4-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py,",
                            "      Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient validation of remote debugging offset tables",
                            "    - debian/patches/CVE-2026-5713.patch: Validate remote debug offset tables",
                            "      on load in Modules/_remote_debugging_module.c.",
                            "    - CVE-2026-5713",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use decodeURIComponent() for",
                            "      UTF-8 support in js_output() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      {LZMA,BZ2,_Zlib}Decompressor in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c, Modules/zlibmodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: tarfile.data_filter could be bypassed",
                            "    - debian/patches/CVE-2026-7774.patch: tarfile.data_filter: validate written",
                            "      link target in Lib/tarfile.py, Lib/test/test_tarfile.py.",
                            "    - CVE-2026-7774",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() in Lib/ftplib.py, Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 18 Jun 2026 10:25:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.14-minimal",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1ubuntu0.1",
                    "version": "3.14.4-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py,",
                            "      Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient validation of remote debugging offset tables",
                            "    - debian/patches/CVE-2026-5713.patch: Validate remote debug offset tables",
                            "      on load in Modules/_remote_debugging_module.c.",
                            "    - CVE-2026-5713",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use decodeURIComponent() for",
                            "      UTF-8 support in js_output() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      {LZMA,BZ2,_Zlib}Decompressor in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c, Modules/zlibmodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: tarfile.data_filter could be bypassed",
                            "    - debian/patches/CVE-2026-7774.patch: tarfile.data_filter: validate written",
                            "      link target in Lib/tarfile.py, Lib/test/test_tarfile.py.",
                            "    - CVE-2026-7774",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() in Lib/ftplib.py, Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 18 Jun 2026 10:25:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "software-properties-common",
                "from_version": {
                    "source_package_name": "software-properties",
                    "source_package_version": "0.120",
                    "version": "0.120"
                },
                "to_version": {
                    "source_package_name": "software-properties",
                    "source_package_version": "0.120.1",
                    "version": "0.120.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2150181,
                    2151292
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * gtk: Fix driver detection crash with Python 3.14 forkserver",
                            "    multiprocessing (LP: #2150181)",
                            "  * gtk: Fix typo in section name check causing crash on manually",
                            "    installed drivers (LP: #2151292)",
                            ""
                        ],
                        "package": "software-properties",
                        "version": "0.120.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2150181,
                            2151292
                        ],
                        "author": "Charles <charles05@canonical.com>",
                        "date": "Fri, 24 Apr 2026 11:20:18 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tar",
                "from_version": {
                    "source_package_name": "tar",
                    "source_package_version": "1.35+dfsg-4ubuntu0.1",
                    "version": "1.35+dfsg-4ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "tar",
                    "source_package_version": "1.35+dfsg-4ubuntu0.2",
                    "version": "1.35+dfsg-4ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-45582",
                        "url": "https://ubuntu.com/security/CVE-2025-45582",
                        "cve_description": "GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of \"Member name contains '..'\" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain \"x -> ../../../../../home/victim/.ssh\" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which \"tar xf\" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each \"tar xf\" in its Security Rules of Thumb; however, third-party advice leads users to run \"tar xf\" more than once into the same directory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-11 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-45582",
                                "url": "https://ubuntu.com/security/CVE-2025-45582",
                                "cve_description": "GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of \"Member name contains '..'\" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain \"x -> ../../../../../home/victim/.ssh\" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which \"tar xf\" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each \"tar xf\" in its Security Rules of Thumb; however, third-party advice leads users to run \"tar xf\" more than once into the same directory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-11 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: File overwrite via directory traversal",
                            "    - debian/patches/CVE-2025-45582-*.patch: Backport openat2 support in",
                            "      order to jailify the extraction directory.",
                            "    - CVE-2025-45582",
                            ""
                        ],
                        "package": "tar",
                        "version": "1.35+dfsg-4ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Sat, 27 Jun 2026 19:09:16 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tzdata",
                "from_version": {
                    "source_package_name": "tzdata",
                    "source_package_version": "2026a-3ubuntu1",
                    "version": "2026a-3ubuntu1"
                },
                "to_version": {
                    "source_package_name": "tzdata",
                    "source_package_version": "2026b-0ubuntu0.26.04.1",
                    "version": "2026b-0ubuntu0.26.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2157973
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release (LP: #2157973):",
                            "    - British Columbia moved to permanent -07 on 2026-03-09, so it will not",
                            "      fall back from -07 to -08 on 2026-11-01.",
                            "  * Add autopkgtest test case for 2026b release",
                            "  * Update the ICU timezone data to 2026b",
                            "  * Add autopkgtest test case for ICU timezone data 2026b",
                            ""
                        ],
                        "package": "tzdata",
                        "version": "2026b-0ubuntu0.26.04.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2157973
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 23 Jun 2026 14:07:59 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-kernel-accessories",
                "from_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.570",
                    "version": "1.570"
                },
                "to_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.570.1",
                    "version": "1.570.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2154038,
                    2154038
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added gst-audio-thumbnailer to desktop-minimal-recommends, desktop-",
                            "    raspi-recommends (LP: #2154038)",
                            "  * Added gst-video-thumbnailer to desktop-minimal-recommends, desktop-",
                            "    raspi-recommends (LP: #2154038)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.570.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2154038,
                            2154038
                        ],
                        "author": "Alessandro Astone <alessandro.astone@canonical.com>",
                        "date": "Fri, 12 Jun 2026 17:48:27 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-minimal",
                "from_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.570",
                    "version": "1.570"
                },
                "to_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.570.1",
                    "version": "1.570.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2154038,
                    2154038
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added gst-audio-thumbnailer to desktop-minimal-recommends, desktop-",
                            "    raspi-recommends (LP: #2154038)",
                            "  * Added gst-video-thumbnailer to desktop-minimal-recommends, desktop-",
                            "    raspi-recommends (LP: #2154038)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.570.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2154038,
                            2154038
                        ],
                        "author": "Alessandro Astone <alessandro.astone@canonical.com>",
                        "date": "Fri, 12 Jun 2026 17:48:27 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-server",
                "from_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.570",
                    "version": "1.570"
                },
                "to_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.570.1",
                    "version": "1.570.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2154038,
                    2154038
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added gst-audio-thumbnailer to desktop-minimal-recommends, desktop-",
                            "    raspi-recommends (LP: #2154038)",
                            "  * Added gst-video-thumbnailer to desktop-minimal-recommends, desktop-",
                            "    raspi-recommends (LP: #2154038)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.570.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2154038,
                            2154038
                        ],
                        "author": "Alessandro Astone <alessandro.astone@canonical.com>",
                        "date": "Fri, 12 Jun 2026 17:48:27 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-standard",
                "from_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.570",
                    "version": "1.570"
                },
                "to_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.570.1",
                    "version": "1.570.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2154038,
                    2154038
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added gst-audio-thumbnailer to desktop-minimal-recommends, desktop-",
                            "    raspi-recommends (LP: #2154038)",
                            "  * Added gst-video-thumbnailer to desktop-minimal-recommends, desktop-",
                            "    raspi-recommends (LP: #2154038)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.570.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2154038,
                            2154038
                        ],
                        "author": "Alessandro Astone <alessandro.astone@canonical.com>",
                        "date": "Fri, 12 Jun 2026 17:48:27 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.5",
                    "version": "2:9.1.2141-1ubuntu4.5"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57453",
                        "url": "https://ubuntu.com/security/CVE-2026-57453",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57453",
                                "url": "https://ubuntu.com/security/CVE-2026-57453",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/pack/dist/opt/netrw/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Powershell code execution in zip.vim.",
                            "    - debian/patches/CVE-2026-57453.patch: Escape powershell code in",
                            "      runtime/autoload/zip.vim.",
                            "    - CVE-2026-57453",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.6",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:00:04 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-common",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.5",
                    "version": "2:9.1.2141-1ubuntu4.5"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57453",
                        "url": "https://ubuntu.com/security/CVE-2026-57453",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57453",
                                "url": "https://ubuntu.com/security/CVE-2026-57453",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/pack/dist/opt/netrw/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Powershell code execution in zip.vim.",
                            "    - debian/patches/CVE-2026-57453.patch: Escape powershell code in",
                            "      runtime/autoload/zip.vim.",
                            "    - CVE-2026-57453",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.6",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:00:04 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-runtime",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.5",
                    "version": "2:9.1.2141-1ubuntu4.5"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57453",
                        "url": "https://ubuntu.com/security/CVE-2026-57453",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57453",
                                "url": "https://ubuntu.com/security/CVE-2026-57453",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/pack/dist/opt/netrw/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Powershell code execution in zip.vim.",
                            "    - debian/patches/CVE-2026-57453.patch: Escape powershell code in",
                            "      runtime/autoload/zip.vim.",
                            "    - CVE-2026-57453",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.6",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:00:04 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-tiny",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.5",
                    "version": "2:9.1.2141-1ubuntu4.5"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57453",
                        "url": "https://ubuntu.com/security/CVE-2026-57453",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57453",
                                "url": "https://ubuntu.com/security/CVE-2026-57453",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/pack/dist/opt/netrw/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Powershell code execution in zip.vim.",
                            "    - debian/patches/CVE-2026-57453.patch: Escape powershell code in",
                            "      runtime/autoload/zip.vim.",
                            "    - CVE-2026-57453",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.6",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:00:04 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.5",
                    "version": "2:9.1.2141-1ubuntu4.5"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57453",
                        "url": "https://ubuntu.com/security/CVE-2026-57453",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57453",
                                "url": "https://ubuntu.com/security/CVE-2026-57453",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/pack/dist/opt/netrw/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Powershell code execution in zip.vim.",
                            "    - debian/patches/CVE-2026-57453.patch: Escape powershell code in",
                            "      runtime/autoload/zip.vim.",
                            "    - CVE-2026-57453",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.6",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:00:04 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [],
        "snap": []
    },
    "removed": {
        "deb": [],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 26.04 resolute image from release image serial 20260627 to 20260713",
    "from_series": "resolute",
    "to_series": "resolute",
    "from_serial": "20260627",
    "to_serial": "20260713",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}