Aggregator

USN-8091-1: util-linux vulnerability

Ubuntu Security Advisories
3 hours 54 minutes ago
It was discovered that the util-linux su utility did not drop capabilities when being used with the --pty option. While not a security issue by itself, a local attacker could possibly use the su tool to exploit vulnerabilities in other applications.

python3.6-3.6.15-54.fc44

Fedora Security Advisories
4 hours 31 minutes ago
FEDORA-2026-cb86172c17 Packages in this update:
  • python3.6-3.6.15-54.fc44
Update description:

Rebuilt for improvements of %python_wheel_inject_sbom in python-rpm-macros-3.14-11.

Security fix for CVE-2025-12084

USN-8090-2: OpenSSH vulnerabilities

Ubuntu Security Advisories
5 hours 22 minutes ago
USN-8090-1 fixed vulnerabilities in OpenSSH. This update provides the corresponding updates for Ubuntu 20.04 LTS. Original advisory details: Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly handled disconnecting clients. In non-default configurations where the GSSAPIKeyExchange setting is enabled, a remote attacker could use this issue to cause OpenSSH to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-3497) David Leadbeater discovered that OpenSSH incorrectly handled certain control characters in usernames. When untrusted usernames and the ProxyCommand are being used, an attacker could possibly use this issue to execute arbitrary code. (CVE-2025-61984) David Leadbeater discovered that OpenSSH incorrectly handled NULL characters in ssh:// URIs. When the ProxyCommand is being used, an attacker could possibly use this issue to execute arbitrary code. (CVE-2025-61985)

USN-8090-1: OpenSSH vulnerabilities

Ubuntu Security Advisories
5 hours 38 minutes ago
Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly handled disconnecting clients. In non-default configurations where the GSSAPIKeyExchange setting is enabled, a remote attacker could use this issue to cause OpenSSH to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-3497) David Leadbeater discovered that OpenSSH incorrectly handled certain control characters in usernames. When untrusted usernames and the ProxyCommand are being used, an attacker could possibly use this issue to execute arbitrary code. (CVE-2025-61984) David Leadbeater discovered that OpenSSH incorrectly handled NULL characters in ssh:// URIs. When the ProxyCommand is being used, an attacker could possibly use this issue to execute arbitrary code. (CVE-2025-61985)

USN-8089-1: Go Networking vulnerabilities

Ubuntu Security Advisories
7 hours 26 minutes ago
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu discovered that servers using Go Networking could hang during shutdown if preempted by a fatal error. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-27664) Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted stream could cause excessive CPU usage in Go Networking's HPACK decoder. An attacker could possibly use this to cause a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-41723) Mohammad Thoriq Aziz discovered that Go Networking did not properly sanitize some text nodes. An attacker could possibly use this to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-3978) Sean Ng discovered an error in Go Networking's HTML tag handling. An attacker could possibly use this to cause a denial of service. (CVE-2025-22872) Guido Vranken and Jakub Ciolek discovered that a maliciously crafted HTML document could exhaust system resources on servers using Go Networking. An attacker could possibly use this to cause a denial of service. (CVE-2025-47911) Guido Vranken discovered that a maliciously crafted HTML document could put servers using Go Networking into an infinite loop. An attacker could possibly use this to cause a denial of service. (CVE-2025-58190)

USN-8088-1: go-git vulnerabilities

Ubuntu Security Advisories
8 hours 1 minute ago
Ionut Lalu discovered that go-git incorrectly handled certain specially crafted Git server responses. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-49568, CVE-2025-21614) Ionut Lalu discovered that go-git incorrectly handled file system paths when using the ChrootOS implementation. A remote attacker could possibly use this issue to perform a path traversal and create or modify arbitrary files, leading to remote code execution. (CVE-2023-49569) It was discovered that go-git did not properly sanitize arguments when invoking git-upload-pack using the file transport protocol. An attacker could possibly use this issue to inject arbitrary flag values when interacting with local Git repositories. (CVE-2025-21613) It was discovered that go-git did not properly verify integrity checks for pack and index files. An attacker could possibly use this issue to cause go-git to process corrupted repository data, resulting in unexpected errors or an incorrect repository state. (CVE-2026-25934)