{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "libsodium26:s390x"
            ],
            "removed": [
                "libsodium23:s390x"
            ],
            "diff": [
                "bind9-dnsutils",
                "bind9-host",
                "bind9-libs:s390x",
                "btrfs-progs",
                "cron",
                "cron-daemon-common",
                "dmeventd",
                "dmsetup",
                "exfatprogs",
                "findutils",
                "libaio1t64:s390x",
                "libbsd0:s390x",
                "libdevmapper-event1.02.1:s390x",
                "libdevmapper1.02.1:s390x",
                "libexpat1:s390x",
                "libfido2-1:s390x",
                "libjemalloc2:s390x",
                "liblvm2cmd2.03:s390x",
                "libmaxminddb0:s390x",
                "libnetplan1:s390x",
                "libpng16-16t64:s390x",
                "libpolkit-agent-1-0:s390x",
                "libpolkit-gobject-1-0:s390x",
                "libsgutils2-1.48:s390x",
                "libtirpc-common",
                "libtirpc3t64:s390x",
                "lvm2",
                "mdadm",
                "netcat-openbsd",
                "netplan-generator",
                "netplan.io",
                "pci.ids",
                "polkitd",
                "publicsuffix",
                "python3-netplan",
                "screen",
                "sg3-utils",
                "sg3-utils-udev",
                "time",
                "tzdata",
                "vim",
                "vim-common",
                "vim-runtime",
                "vim-tiny",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "bind9-dnsutils",
                "from_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.20.18-1ubuntu2",
                    "version": "1:9.20.18-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.20.23-1ubuntu1",
                    "version": "1:9.20.23-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1519",
                        "url": "https://ubuntu.com/security/CVE-2026-1519",
                        "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3104",
                        "url": "https://ubuntu.com/security/CVE-2026-3104",
                        "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3119",
                        "url": "https://ubuntu.com/security/CVE-2026-3119",
                        "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3591",
                        "url": "https://ubuntu.com/security/CVE-2026-3591",
                        "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3039",
                        "url": "https://ubuntu.com/security/CVE-2026-3039",
                        "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3592",
                        "url": "https://ubuntu.com/security/CVE-2026-3592",
                        "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3593",
                        "url": "https://ubuntu.com/security/CVE-2026-3593",
                        "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5946",
                        "url": "https://ubuntu.com/security/CVE-2026-5946",
                        "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5947",
                        "url": "https://ubuntu.com/security/CVE-2026-5947",
                        "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5950",
                        "url": "https://ubuntu.com/security/CVE-2026-5950",
                        "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3592",
                        "url": "https://ubuntu.com/security/CVE-2026-3592",
                        "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3039",
                        "url": "https://ubuntu.com/security/CVE-2026-3039",
                        "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5946",
                        "url": "https://ubuntu.com/security/CVE-2026-5946",
                        "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5950",
                        "url": "https://ubuntu.com/security/CVE-2026-5950",
                        "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5947",
                        "url": "https://ubuntu.com/security/CVE-2026-5947",
                        "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3593",
                        "url": "https://ubuntu.com/security/CVE-2026-3593",
                        "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1519",
                        "url": "https://ubuntu.com/security/CVE-2026-1519",
                        "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3104",
                        "url": "https://ubuntu.com/security/CVE-2026-3104",
                        "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3119",
                        "url": "https://ubuntu.com/security/CVE-2026-3119",
                        "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3591",
                        "url": "https://ubuntu.com/security/CVE-2026-3591",
                        "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3039",
                        "url": "https://ubuntu.com/security/CVE-2026-3039",
                        "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3592",
                        "url": "https://ubuntu.com/security/CVE-2026-3592",
                        "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3593",
                        "url": "https://ubuntu.com/security/CVE-2026-3593",
                        "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5946",
                        "url": "https://ubuntu.com/security/CVE-2026-5946",
                        "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5947",
                        "url": "https://ubuntu.com/security/CVE-2026-5947",
                        "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5950",
                        "url": "https://ubuntu.com/security/CVE-2026-5950",
                        "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1519",
                        "url": "https://ubuntu.com/security/CVE-2026-1519",
                        "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3104",
                        "url": "https://ubuntu.com/security/CVE-2026-3104",
                        "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2154096,
                    2150582
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1519",
                                "url": "https://ubuntu.com/security/CVE-2026-1519",
                                "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3104",
                                "url": "https://ubuntu.com/security/CVE-2026-3104",
                                "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3119",
                                "url": "https://ubuntu.com/security/CVE-2026-3119",
                                "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3591",
                                "url": "https://ubuntu.com/security/CVE-2026-3591",
                                "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3039",
                                "url": "https://ubuntu.com/security/CVE-2026-3039",
                                "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3592",
                                "url": "https://ubuntu.com/security/CVE-2026-3592",
                                "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3593",
                                "url": "https://ubuntu.com/security/CVE-2026-3593",
                                "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5946",
                                "url": "https://ubuntu.com/security/CVE-2026-5946",
                                "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5947",
                                "url": "https://ubuntu.com/security/CVE-2026-5947",
                                "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5950",
                                "url": "https://ubuntu.com/security/CVE-2026-5950",
                                "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2154096). Remaining changes:",
                            "    - Don't build dnstap as it depends on universe packages:",
                            "      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and",
                            "        protobuf-c-compiler",
                            "      + d/dnsutils.install: don't install dnstap",
                            "      + d/rules: don't build dnstap nor install dnstap.proto",
                            "    - Add back apport:",
                            "      + d/bind9.apport: add back old bind9 apport hook, but without calling",
                            "        attach_conffiles() since that is already done by apport itself, with",
                            "        confirmation from the user.",
                            "      + d/control, d/rules: build-depends on dh-apport and use it",
                            "    - d/NEWS: mention relevant packaging changes",
                            "    - d/e/apparmor.d/usr.sbin.named: Allow read access to",
                            "      /proc/version_signature for named (LP #2119320)",
                            "  * Drop Changes:",
                            "    - d/bind9.maintscript: rm_conffile for incompatible named.conf",
                            "      (LP #2150582)",
                            "    [Uploaded by mistake in 1:9.20.18-1ubuntu3]",
                            "    - d/p/CVE-2026-1519-1.patch",
                            "    - d/p/CVE-2026-1519-2.patch",
                            "    - d/p/CVE-2026-1519-3.patch",
                            "    - d/p/CVE-2026-1519-4.patch",
                            "    - d/p/CVE-2026-1519-5.patch",
                            "    - d/p/CVE-2026-3104-1.patch",
                            "    - d/p/CVE-2026-3104-2.patch",
                            "    - d/p/CVE-2026-3119-1.patch",
                            "    - d/p/CVE-2026-3119-2.patch",
                            "    - d/p/CVE-2026-3591-1.patch",
                            "    - d/p/CVE-2026-3591-2.patch",
                            "    [Fixed in 9.20.21]",
                            "    - d/p/CVE-2026-3039-pre1.patch",
                            "    - d/p/CVE-2026-3039-1.patch",
                            "    - d/p/CVE-2026-3039-3.patch",
                            "    - d/p/CVE-2026-3592-1.patch",
                            "    - d/p/CVE-2026-3592-2.patch",
                            "    - d/p/CVE-2026-3592-3.patch",
                            "    - d/p/CVE-2026-3592-4.patch",
                            "    - d/p/CVE-2026-3593-1.patch",
                            "    - d/p/CVE-2026-3593-2.patch",
                            "    - d/p/CVE-2026-5946-1.patch",
                            "    - d/p/CVE-2026-5946-2.patch",
                            "    - d/p/CVE-2026-5946-3.patch",
                            "    - d/p/CVE-2026-5946-4.patch",
                            "    - d/p/CVE-2026-5946-5.patch",
                            "    - d/p/CVE-2026-5946-6.patch",
                            "    - d/p/CVE-2026-5946-7.patch",
                            "    - d/p/CVE-2026-5946-8.patch",
                            "    - d/p/CVE-2026-5946-9.patch",
                            "    - d/p/CVE-2026-5947.patch",
                            "    - d/p/CVE-2026-5950-1.patch",
                            "    - d/p/CVE-2026-5950-2.patch",
                            "    - d/p/CVE-2026-5950-3.patch",
                            "    [Fixed in 9.20.23]",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.23-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2154096
                        ],
                        "author": "Lena Voytek <lena.voytek@canonical.com>",
                        "date": "Thu, 28 May 2026 14:49:56 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-3592",
                                "url": "https://ubuntu.com/security/CVE-2026-3592",
                                "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3039",
                                "url": "https://ubuntu.com/security/CVE-2026-3039",
                                "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5946",
                                "url": "https://ubuntu.com/security/CVE-2026-5946",
                                "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5950",
                                "url": "https://ubuntu.com/security/CVE-2026-5950",
                                "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5947",
                                "url": "https://ubuntu.com/security/CVE-2026-5947",
                                "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3593",
                                "url": "https://ubuntu.com/security/CVE-2026-3593",
                                "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream version 9.20.23",
                            "   + [CVE-2026-3592]: Limit resolver server list size.",
                            "   + [CVE-2026-3039]: Fix GSS-API resource leak.",
                            "   + [CVE-2026-5946]: Disable recursion, UPDATE, and NOTIFY for non-IN",
                            "     views.",
                            "   + [CVE-2026-5950]: Avoid unbounded recursion loop.",
                            "   + [CVE-2026-5947]: Fix crash in resolver when SIG(0)-signed responses",
                            "     are received under load.",
                            "   + [CVE-2026-3593]: Fix use-after-free error in DNS-over-HTTPS when",
                            "     processing HTTP/2 SETTINGS frames.",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.23-1",
                        "urgency": "high",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Ondřej Surý <ondrej@debian.org>",
                        "date": "Wed, 20 May 2026 11:42:43 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 9.20.22",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.22-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Ondřej Surý <ondrej@debian.org>",
                        "date": "Wed, 01 Apr 2026 16:58:56 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1519",
                                "url": "https://ubuntu.com/security/CVE-2026-1519",
                                "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3104",
                                "url": "https://ubuntu.com/security/CVE-2026-3104",
                                "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3119",
                                "url": "https://ubuntu.com/security/CVE-2026-3119",
                                "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3591",
                                "url": "https://ubuntu.com/security/CVE-2026-3591",
                                "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream version 9.20.21",
                            "   - [CVE-2026-1519]: Fix unbounded NSEC3 iterations when validating",
                            "     referrals to unsigned delegations.",
                            "   - [CVE-2026-3104]: Fix memory leaks in code preparing DNSSEC proofs of",
                            "     non-existence.",
                            "   - [CVE-2026-3119]: Prevent a crash in code processing queries",
                            "     containing a TKEY record.",
                            "   - [CVE-2026-3591]: Fix a stack use-after-return flaw in SIG(0) handling",
                            "     code.",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.21-1",
                        "urgency": "high",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Ondřej Surý <ondrej@debian.org>",
                        "date": "Wed, 25 Mar 2026 16:38:18 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 9.20.20",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.20-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Ondřej Surý <ondrej@debian.org>",
                        "date": "Fri, 27 Feb 2026 12:46:48 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 9.20.19",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.19-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Ondřej Surý <ondrej@debian.org>",
                        "date": "Wed, 18 Feb 2026 12:28:29 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-3039",
                                "url": "https://ubuntu.com/security/CVE-2026-3039",
                                "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3592",
                                "url": "https://ubuntu.com/security/CVE-2026-3592",
                                "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3593",
                                "url": "https://ubuntu.com/security/CVE-2026-3593",
                                "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5946",
                                "url": "https://ubuntu.com/security/CVE-2026-5946",
                                "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5947",
                                "url": "https://ubuntu.com/security/CVE-2026-5947",
                                "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5950",
                                "url": "https://ubuntu.com/security/CVE-2026-5950",
                                "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1519",
                                "url": "https://ubuntu.com/security/CVE-2026-1519",
                                "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3104",
                                "url": "https://ubuntu.com/security/CVE-2026-3104",
                                "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: BIND 9 server memory exhaustion during GSS-API TKEY",
                            "    negotiation",
                            "    - debian/patches/CVE-2026-3039-pre1.patch: Release gnamebuf also on the",
                            "      error path in lib/dns/gssapictx.c.",
                            "    - debian/patches/CVE-2026-3039-1.patch: Fix GSS-API context leak in TKEY",
                            "      negotiation in lib/dns/gssapictx.c, lib/dns/include/dst/gssapi.h,",
                            "      lib/dns/tkey.c.",
                            "    - debian/patches/CVE-2026-3039-3.patch: Fix output token and GSS context",
                            "      leaks in TKEY/GSS-API error paths in lib/dns/gssapictx.c,",
                            "      lib/dns/tkey.c.",
                            "    - CVE-2026-3039",
                            "  * SECURITY UPDATE: Amplification vulnerabilities via self-pointed glue",
                            "    records",
                            "    - debian/patches/CVE-2026-3592-1.patch: Limit the number of addresses",
                            "      returned per ADB find in bin/named/main.c, lib/dns/adb.c.",
                            "    - debian/patches/CVE-2026-3592-2.patch: Remove duplicate addresses from",
                            "      the resolver SLIST in lib/dns/resolver.c.",
                            "    - debian/patches/CVE-2026-3592-3.patch: Add system test for self-pointed",
                            "      glue deduplication in bin/tests/system/selfpointedglue/ns1/named.conf.j2,",
                            "      bin/tests/system/selfpointedglue/ns1/root.db,",
                            "      bin/tests/system/selfpointedglue/ns2/named.conf.j2,",
                            "      bin/tests/system/selfpointedglue/ns2/tld.db,",
                            "      bin/tests/system/selfpointedglue/ns3/example.tld.db,",
                            "      bin/tests/system/selfpointedglue/ns3/example2.tld.db,",
                            "      bin/tests/system/selfpointedglue/ns3/named.conf.j2,",
                            "      bin/tests/system/selfpointedglue/ns4/named.args.j2,",
                            "      bin/tests/system/selfpointedglue/ns4/named.conf.j2,",
                            "      bin/tests/system/selfpointedglue/ns4/root.hint,",
                            "      bin/tests/system/selfpointedglue/tests_selfpointedglue.py.",
                            "    - debian/patches/CVE-2026-3592-4.patch: Add SRTT-based server selection",
                            "      system test in bin/tests/system/srtt/README,",
                            "      bin/tests/system/srtt/ans2/ans.py, bin/tests/system/srtt/ans3/ans.py,",
                            "      bin/tests/system/srtt/ans4/ans.py, bin/tests/system/srtt/ans5/ans.py,",
                            "      bin/tests/system/srtt/ns1/named.conf.j2,",
                            "      bin/tests/system/srtt/ns1/root.db, bin/tests/system/srtt/ns6/named.args,",
                            "      bin/tests/system/srtt/ns6/named.conf.j2,",
                            "      bin/tests/system/srtt/srtt_ans.py, bin/tests/system/srtt/tests_srtt.py.",
                            "    - CVE-2026-3592",
                            "  * SECURITY UPDATE: Heap use-after-free vulnerability in BIND 9",
                            "    DNS-over-HTTPS implementation",
                            "    - debian/patches/CVE-2026-3593-1.patch: Add system test for HTTP/2",
                            "      SETTINGS frame flood in bin/tests/system/doth/tests_malicious.py.",
                            "    - debian/patches/CVE-2026-3593-2.patch: Fix use-after-free in DoH write",
                            "      buffer after HTTP/2 send in lib/isc/netmgr/http.c.",
                            "    - CVE-2026-3593",
                            "  * SECURITY UPDATE: Invalid handling of CLASS != IN",
                            "    - debian/patches/CVE-2026-5946-1.patch: Disable recursion for non-IN",
                            "      classes in bin/named/server.c, lib/isccfg/check.c.",
                            "    - debian/patches/CVE-2026-5946-2.patch: Disable UPDATE and NOTIFY for",
                            "      non-IN classes in bin/named/server.c, lib/dns/adb.c,",
                            "      lib/ns/client.c, lib/ns/update.c.",
                            "    - debian/patches/CVE-2026-5946-3.patch: Validate DNS message CLASS early",
                            "      in request processing in bin/tests/system/unknown/tests.sh,",
                            "      lib/ns/client.c.",
                            "    - debian/patches/CVE-2026-5946-4.patch: Reject meta-classes in UPDATE and",
                            "      NOTIFY messages in lib/dns/message.c.",
                            "    - debian/patches/CVE-2026-5946-5.patch: Skip \"deny-answer-address\" for",
                            "      non-IN addresses in lib/dns/resolver.c.",
                            "    - debian/patches/CVE-2026-5946-6.patch: Test CHAOS view recursion behavior",
                            "      in bin/tests/system/checkconf/tests.sh,",
                            "      bin/tests/system/checkconf/warn-chaos-recursion.conf,",
                            "      bin/tests/system/class/ns1/chaos.db.in,",
                            "      bin/tests/system/class/ns1/named.conf.j2,",
                            "      bin/tests/system/class/ns2/example.db.in,",
                            "      bin/tests/system/class/ns2/localhost.db.in,",
                            "      bin/tests/system/class/ns2/named.conf.j2,",
                            "      bin/tests/system/class/ns3/named.conf.j2, bin/tests/system/class/setup.sh,",
                            "      bin/tests/system/class/tests_class_chaos.py,",
                            "      bin/tests/system/isctest/check.py.",
                            "    - debian/patches/CVE-2026-5946-7.patch: Test UPDATE behavior in CHAOS and",
                            "      other non-IN classes in bin/named/server.c,",
                            "      bin/tests/system/class/ns2/localhost.db.in,",
                            "      bin/tests/system/class/tests_class_update.py.",
                            "    - debian/patches/CVE-2026-5946-8.patch: Test server behavior when sending",
                            "      various UPDATE requests in bin/tests/system/class/tests_class_update.py,",
                            "      bin/tests/system/nsupdate/setup.sh, bin/tests/system/nsupdate/tests.sh,",
                            "      bin/tests/system/packet.pl.",
                            "    - debian/patches/CVE-2026-5946-9.patch: Make the RD flag optional in",
                            "      isctest.query() in bin/tests/system/isctest/query.py.",
                            "    - CVE-2026-5946",
                            "  * SECURITY UPDATE: SIG(0) validation during query flood may lead to",
                            "    undefined behavior",
                            "    - debian/patches/CVE-2026-5947.patch: Fix use-after-free in resolver SIG(0)",
                            "      async verification path in lib/dns/resolver.c.",
                            "    - CVE-2026-5947",
                            "  * SECURITY UPDATE: Unbounded resend loop in BIND 9 resolver",
                            "    - debian/patches/CVE-2026-5950-1.patch: Add reproducer for BADCOOKIE",
                            "      resend loop in bin/tests/system/resend_loop/ans3/ans.py,",
                            "      bin/tests/system/resend_loop/ns4/named.conf.j2,",
                            "      bin/tests/system/resend_loop/ns4/root.hint,",
                            "      bin/tests/system/resend_loop/tests_resend_loop.py.",
                            "    - debian/patches/CVE-2026-5950-2.patch: Refactor incrementing query",
                            "      counters in lib/dns/resolver.c.",
                            "    - debian/patches/CVE-2026-5950-3.patch: rctx_resend() increment query",
                            "      counters in lib/dns/resolver.c.",
                            "    - CVE-2026-5950",
                            "  * d/p/CVE-2026-1519-1.patch, d/p/CVE-2026-3104-1.patch: disable patches,",
                            "    quilt doesn't like patches that create symlinks apparently.",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.18-1ubuntu4",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 21 May 2026 08:23:48 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/bind9.maintscript: rm_conffile for incompatible named.conf",
                            "    (LP: #2150582)",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.18-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2150582
                        ],
                        "author": "Hector Cao <hector.cao@canonical.com>",
                        "date": "Thu, 30 Apr 2026 16:36:00 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "bind9-host",
                "from_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.20.18-1ubuntu2",
                    "version": "1:9.20.18-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.20.23-1ubuntu1",
                    "version": "1:9.20.23-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1519",
                        "url": "https://ubuntu.com/security/CVE-2026-1519",
                        "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3104",
                        "url": "https://ubuntu.com/security/CVE-2026-3104",
                        "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3119",
                        "url": "https://ubuntu.com/security/CVE-2026-3119",
                        "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3591",
                        "url": "https://ubuntu.com/security/CVE-2026-3591",
                        "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3039",
                        "url": "https://ubuntu.com/security/CVE-2026-3039",
                        "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3592",
                        "url": "https://ubuntu.com/security/CVE-2026-3592",
                        "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3593",
                        "url": "https://ubuntu.com/security/CVE-2026-3593",
                        "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5946",
                        "url": "https://ubuntu.com/security/CVE-2026-5946",
                        "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5947",
                        "url": "https://ubuntu.com/security/CVE-2026-5947",
                        "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5950",
                        "url": "https://ubuntu.com/security/CVE-2026-5950",
                        "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3592",
                        "url": "https://ubuntu.com/security/CVE-2026-3592",
                        "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3039",
                        "url": "https://ubuntu.com/security/CVE-2026-3039",
                        "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5946",
                        "url": "https://ubuntu.com/security/CVE-2026-5946",
                        "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5950",
                        "url": "https://ubuntu.com/security/CVE-2026-5950",
                        "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5947",
                        "url": "https://ubuntu.com/security/CVE-2026-5947",
                        "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3593",
                        "url": "https://ubuntu.com/security/CVE-2026-3593",
                        "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1519",
                        "url": "https://ubuntu.com/security/CVE-2026-1519",
                        "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3104",
                        "url": "https://ubuntu.com/security/CVE-2026-3104",
                        "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3119",
                        "url": "https://ubuntu.com/security/CVE-2026-3119",
                        "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3591",
                        "url": "https://ubuntu.com/security/CVE-2026-3591",
                        "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3039",
                        "url": "https://ubuntu.com/security/CVE-2026-3039",
                        "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3592",
                        "url": "https://ubuntu.com/security/CVE-2026-3592",
                        "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3593",
                        "url": "https://ubuntu.com/security/CVE-2026-3593",
                        "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5946",
                        "url": "https://ubuntu.com/security/CVE-2026-5946",
                        "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5947",
                        "url": "https://ubuntu.com/security/CVE-2026-5947",
                        "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5950",
                        "url": "https://ubuntu.com/security/CVE-2026-5950",
                        "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1519",
                        "url": "https://ubuntu.com/security/CVE-2026-1519",
                        "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3104",
                        "url": "https://ubuntu.com/security/CVE-2026-3104",
                        "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2154096,
                    2150582
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1519",
                                "url": "https://ubuntu.com/security/CVE-2026-1519",
                                "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3104",
                                "url": "https://ubuntu.com/security/CVE-2026-3104",
                                "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3119",
                                "url": "https://ubuntu.com/security/CVE-2026-3119",
                                "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3591",
                                "url": "https://ubuntu.com/security/CVE-2026-3591",
                                "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3039",
                                "url": "https://ubuntu.com/security/CVE-2026-3039",
                                "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3592",
                                "url": "https://ubuntu.com/security/CVE-2026-3592",
                                "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3593",
                                "url": "https://ubuntu.com/security/CVE-2026-3593",
                                "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5946",
                                "url": "https://ubuntu.com/security/CVE-2026-5946",
                                "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5947",
                                "url": "https://ubuntu.com/security/CVE-2026-5947",
                                "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5950",
                                "url": "https://ubuntu.com/security/CVE-2026-5950",
                                "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2154096). Remaining changes:",
                            "    - Don't build dnstap as it depends on universe packages:",
                            "      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and",
                            "        protobuf-c-compiler",
                            "      + d/dnsutils.install: don't install dnstap",
                            "      + d/rules: don't build dnstap nor install dnstap.proto",
                            "    - Add back apport:",
                            "      + d/bind9.apport: add back old bind9 apport hook, but without calling",
                            "        attach_conffiles() since that is already done by apport itself, with",
                            "        confirmation from the user.",
                            "      + d/control, d/rules: build-depends on dh-apport and use it",
                            "    - d/NEWS: mention relevant packaging changes",
                            "    - d/e/apparmor.d/usr.sbin.named: Allow read access to",
                            "      /proc/version_signature for named (LP #2119320)",
                            "  * Drop Changes:",
                            "    - d/bind9.maintscript: rm_conffile for incompatible named.conf",
                            "      (LP #2150582)",
                            "    [Uploaded by mistake in 1:9.20.18-1ubuntu3]",
                            "    - d/p/CVE-2026-1519-1.patch",
                            "    - d/p/CVE-2026-1519-2.patch",
                            "    - d/p/CVE-2026-1519-3.patch",
                            "    - d/p/CVE-2026-1519-4.patch",
                            "    - d/p/CVE-2026-1519-5.patch",
                            "    - d/p/CVE-2026-3104-1.patch",
                            "    - d/p/CVE-2026-3104-2.patch",
                            "    - d/p/CVE-2026-3119-1.patch",
                            "    - d/p/CVE-2026-3119-2.patch",
                            "    - d/p/CVE-2026-3591-1.patch",
                            "    - d/p/CVE-2026-3591-2.patch",
                            "    [Fixed in 9.20.21]",
                            "    - d/p/CVE-2026-3039-pre1.patch",
                            "    - d/p/CVE-2026-3039-1.patch",
                            "    - d/p/CVE-2026-3039-3.patch",
                            "    - d/p/CVE-2026-3592-1.patch",
                            "    - d/p/CVE-2026-3592-2.patch",
                            "    - d/p/CVE-2026-3592-3.patch",
                            "    - d/p/CVE-2026-3592-4.patch",
                            "    - d/p/CVE-2026-3593-1.patch",
                            "    - d/p/CVE-2026-3593-2.patch",
                            "    - d/p/CVE-2026-5946-1.patch",
                            "    - d/p/CVE-2026-5946-2.patch",
                            "    - d/p/CVE-2026-5946-3.patch",
                            "    - d/p/CVE-2026-5946-4.patch",
                            "    - d/p/CVE-2026-5946-5.patch",
                            "    - d/p/CVE-2026-5946-6.patch",
                            "    - d/p/CVE-2026-5946-7.patch",
                            "    - d/p/CVE-2026-5946-8.patch",
                            "    - d/p/CVE-2026-5946-9.patch",
                            "    - d/p/CVE-2026-5947.patch",
                            "    - d/p/CVE-2026-5950-1.patch",
                            "    - d/p/CVE-2026-5950-2.patch",
                            "    - d/p/CVE-2026-5950-3.patch",
                            "    [Fixed in 9.20.23]",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.23-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2154096
                        ],
                        "author": "Lena Voytek <lena.voytek@canonical.com>",
                        "date": "Thu, 28 May 2026 14:49:56 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-3592",
                                "url": "https://ubuntu.com/security/CVE-2026-3592",
                                "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3039",
                                "url": "https://ubuntu.com/security/CVE-2026-3039",
                                "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5946",
                                "url": "https://ubuntu.com/security/CVE-2026-5946",
                                "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5950",
                                "url": "https://ubuntu.com/security/CVE-2026-5950",
                                "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5947",
                                "url": "https://ubuntu.com/security/CVE-2026-5947",
                                "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3593",
                                "url": "https://ubuntu.com/security/CVE-2026-3593",
                                "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream version 9.20.23",
                            "   + [CVE-2026-3592]: Limit resolver server list size.",
                            "   + [CVE-2026-3039]: Fix GSS-API resource leak.",
                            "   + [CVE-2026-5946]: Disable recursion, UPDATE, and NOTIFY for non-IN",
                            "     views.",
                            "   + [CVE-2026-5950]: Avoid unbounded recursion loop.",
                            "   + [CVE-2026-5947]: Fix crash in resolver when SIG(0)-signed responses",
                            "     are received under load.",
                            "   + [CVE-2026-3593]: Fix use-after-free error in DNS-over-HTTPS when",
                            "     processing HTTP/2 SETTINGS frames.",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.23-1",
                        "urgency": "high",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Ondřej Surý <ondrej@debian.org>",
                        "date": "Wed, 20 May 2026 11:42:43 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 9.20.22",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.22-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Ondřej Surý <ondrej@debian.org>",
                        "date": "Wed, 01 Apr 2026 16:58:56 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1519",
                                "url": "https://ubuntu.com/security/CVE-2026-1519",
                                "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3104",
                                "url": "https://ubuntu.com/security/CVE-2026-3104",
                                "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3119",
                                "url": "https://ubuntu.com/security/CVE-2026-3119",
                                "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3591",
                                "url": "https://ubuntu.com/security/CVE-2026-3591",
                                "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream version 9.20.21",
                            "   - [CVE-2026-1519]: Fix unbounded NSEC3 iterations when validating",
                            "     referrals to unsigned delegations.",
                            "   - [CVE-2026-3104]: Fix memory leaks in code preparing DNSSEC proofs of",
                            "     non-existence.",
                            "   - [CVE-2026-3119]: Prevent a crash in code processing queries",
                            "     containing a TKEY record.",
                            "   - [CVE-2026-3591]: Fix a stack use-after-return flaw in SIG(0) handling",
                            "     code.",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.21-1",
                        "urgency": "high",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Ondřej Surý <ondrej@debian.org>",
                        "date": "Wed, 25 Mar 2026 16:38:18 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 9.20.20",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.20-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Ondřej Surý <ondrej@debian.org>",
                        "date": "Fri, 27 Feb 2026 12:46:48 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 9.20.19",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.19-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Ondřej Surý <ondrej@debian.org>",
                        "date": "Wed, 18 Feb 2026 12:28:29 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-3039",
                                "url": "https://ubuntu.com/security/CVE-2026-3039",
                                "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3592",
                                "url": "https://ubuntu.com/security/CVE-2026-3592",
                                "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3593",
                                "url": "https://ubuntu.com/security/CVE-2026-3593",
                                "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5946",
                                "url": "https://ubuntu.com/security/CVE-2026-5946",
                                "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5947",
                                "url": "https://ubuntu.com/security/CVE-2026-5947",
                                "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5950",
                                "url": "https://ubuntu.com/security/CVE-2026-5950",
                                "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1519",
                                "url": "https://ubuntu.com/security/CVE-2026-1519",
                                "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3104",
                                "url": "https://ubuntu.com/security/CVE-2026-3104",
                                "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: BIND 9 server memory exhaustion during GSS-API TKEY",
                            "    negotiation",
                            "    - debian/patches/CVE-2026-3039-pre1.patch: Release gnamebuf also on the",
                            "      error path in lib/dns/gssapictx.c.",
                            "    - debian/patches/CVE-2026-3039-1.patch: Fix GSS-API context leak in TKEY",
                            "      negotiation in lib/dns/gssapictx.c, lib/dns/include/dst/gssapi.h,",
                            "      lib/dns/tkey.c.",
                            "    - debian/patches/CVE-2026-3039-3.patch: Fix output token and GSS context",
                            "      leaks in TKEY/GSS-API error paths in lib/dns/gssapictx.c,",
                            "      lib/dns/tkey.c.",
                            "    - CVE-2026-3039",
                            "  * SECURITY UPDATE: Amplification vulnerabilities via self-pointed glue",
                            "    records",
                            "    - debian/patches/CVE-2026-3592-1.patch: Limit the number of addresses",
                            "      returned per ADB find in bin/named/main.c, lib/dns/adb.c.",
                            "    - debian/patches/CVE-2026-3592-2.patch: Remove duplicate addresses from",
                            "      the resolver SLIST in lib/dns/resolver.c.",
                            "    - debian/patches/CVE-2026-3592-3.patch: Add system test for self-pointed",
                            "      glue deduplication in bin/tests/system/selfpointedglue/ns1/named.conf.j2,",
                            "      bin/tests/system/selfpointedglue/ns1/root.db,",
                            "      bin/tests/system/selfpointedglue/ns2/named.conf.j2,",
                            "      bin/tests/system/selfpointedglue/ns2/tld.db,",
                            "      bin/tests/system/selfpointedglue/ns3/example.tld.db,",
                            "      bin/tests/system/selfpointedglue/ns3/example2.tld.db,",
                            "      bin/tests/system/selfpointedglue/ns3/named.conf.j2,",
                            "      bin/tests/system/selfpointedglue/ns4/named.args.j2,",
                            "      bin/tests/system/selfpointedglue/ns4/named.conf.j2,",
                            "      bin/tests/system/selfpointedglue/ns4/root.hint,",
                            "      bin/tests/system/selfpointedglue/tests_selfpointedglue.py.",
                            "    - debian/patches/CVE-2026-3592-4.patch: Add SRTT-based server selection",
                            "      system test in bin/tests/system/srtt/README,",
                            "      bin/tests/system/srtt/ans2/ans.py, bin/tests/system/srtt/ans3/ans.py,",
                            "      bin/tests/system/srtt/ans4/ans.py, bin/tests/system/srtt/ans5/ans.py,",
                            "      bin/tests/system/srtt/ns1/named.conf.j2,",
                            "      bin/tests/system/srtt/ns1/root.db, bin/tests/system/srtt/ns6/named.args,",
                            "      bin/tests/system/srtt/ns6/named.conf.j2,",
                            "      bin/tests/system/srtt/srtt_ans.py, bin/tests/system/srtt/tests_srtt.py.",
                            "    - CVE-2026-3592",
                            "  * SECURITY UPDATE: Heap use-after-free vulnerability in BIND 9",
                            "    DNS-over-HTTPS implementation",
                            "    - debian/patches/CVE-2026-3593-1.patch: Add system test for HTTP/2",
                            "      SETTINGS frame flood in bin/tests/system/doth/tests_malicious.py.",
                            "    - debian/patches/CVE-2026-3593-2.patch: Fix use-after-free in DoH write",
                            "      buffer after HTTP/2 send in lib/isc/netmgr/http.c.",
                            "    - CVE-2026-3593",
                            "  * SECURITY UPDATE: Invalid handling of CLASS != IN",
                            "    - debian/patches/CVE-2026-5946-1.patch: Disable recursion for non-IN",
                            "      classes in bin/named/server.c, lib/isccfg/check.c.",
                            "    - debian/patches/CVE-2026-5946-2.patch: Disable UPDATE and NOTIFY for",
                            "      non-IN classes in bin/named/server.c, lib/dns/adb.c,",
                            "      lib/ns/client.c, lib/ns/update.c.",
                            "    - debian/patches/CVE-2026-5946-3.patch: Validate DNS message CLASS early",
                            "      in request processing in bin/tests/system/unknown/tests.sh,",
                            "      lib/ns/client.c.",
                            "    - debian/patches/CVE-2026-5946-4.patch: Reject meta-classes in UPDATE and",
                            "      NOTIFY messages in lib/dns/message.c.",
                            "    - debian/patches/CVE-2026-5946-5.patch: Skip \"deny-answer-address\" for",
                            "      non-IN addresses in lib/dns/resolver.c.",
                            "    - debian/patches/CVE-2026-5946-6.patch: Test CHAOS view recursion behavior",
                            "      in bin/tests/system/checkconf/tests.sh,",
                            "      bin/tests/system/checkconf/warn-chaos-recursion.conf,",
                            "      bin/tests/system/class/ns1/chaos.db.in,",
                            "      bin/tests/system/class/ns1/named.conf.j2,",
                            "      bin/tests/system/class/ns2/example.db.in,",
                            "      bin/tests/system/class/ns2/localhost.db.in,",
                            "      bin/tests/system/class/ns2/named.conf.j2,",
                            "      bin/tests/system/class/ns3/named.conf.j2, bin/tests/system/class/setup.sh,",
                            "      bin/tests/system/class/tests_class_chaos.py,",
                            "      bin/tests/system/isctest/check.py.",
                            "    - debian/patches/CVE-2026-5946-7.patch: Test UPDATE behavior in CHAOS and",
                            "      other non-IN classes in bin/named/server.c,",
                            "      bin/tests/system/class/ns2/localhost.db.in,",
                            "      bin/tests/system/class/tests_class_update.py.",
                            "    - debian/patches/CVE-2026-5946-8.patch: Test server behavior when sending",
                            "      various UPDATE requests in bin/tests/system/class/tests_class_update.py,",
                            "      bin/tests/system/nsupdate/setup.sh, bin/tests/system/nsupdate/tests.sh,",
                            "      bin/tests/system/packet.pl.",
                            "    - debian/patches/CVE-2026-5946-9.patch: Make the RD flag optional in",
                            "      isctest.query() in bin/tests/system/isctest/query.py.",
                            "    - CVE-2026-5946",
                            "  * SECURITY UPDATE: SIG(0) validation during query flood may lead to",
                            "    undefined behavior",
                            "    - debian/patches/CVE-2026-5947.patch: Fix use-after-free in resolver SIG(0)",
                            "      async verification path in lib/dns/resolver.c.",
                            "    - CVE-2026-5947",
                            "  * SECURITY UPDATE: Unbounded resend loop in BIND 9 resolver",
                            "    - debian/patches/CVE-2026-5950-1.patch: Add reproducer for BADCOOKIE",
                            "      resend loop in bin/tests/system/resend_loop/ans3/ans.py,",
                            "      bin/tests/system/resend_loop/ns4/named.conf.j2,",
                            "      bin/tests/system/resend_loop/ns4/root.hint,",
                            "      bin/tests/system/resend_loop/tests_resend_loop.py.",
                            "    - debian/patches/CVE-2026-5950-2.patch: Refactor incrementing query",
                            "      counters in lib/dns/resolver.c.",
                            "    - debian/patches/CVE-2026-5950-3.patch: rctx_resend() increment query",
                            "      counters in lib/dns/resolver.c.",
                            "    - CVE-2026-5950",
                            "  * d/p/CVE-2026-1519-1.patch, d/p/CVE-2026-3104-1.patch: disable patches,",
                            "    quilt doesn't like patches that create symlinks apparently.",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.18-1ubuntu4",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 21 May 2026 08:23:48 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/bind9.maintscript: rm_conffile for incompatible named.conf",
                            "    (LP: #2150582)",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.18-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2150582
                        ],
                        "author": "Hector Cao <hector.cao@canonical.com>",
                        "date": "Thu, 30 Apr 2026 16:36:00 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "bind9-libs:s390x",
                "from_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.20.18-1ubuntu2",
                    "version": "1:9.20.18-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.20.23-1ubuntu1",
                    "version": "1:9.20.23-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1519",
                        "url": "https://ubuntu.com/security/CVE-2026-1519",
                        "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3104",
                        "url": "https://ubuntu.com/security/CVE-2026-3104",
                        "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3119",
                        "url": "https://ubuntu.com/security/CVE-2026-3119",
                        "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3591",
                        "url": "https://ubuntu.com/security/CVE-2026-3591",
                        "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3039",
                        "url": "https://ubuntu.com/security/CVE-2026-3039",
                        "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3592",
                        "url": "https://ubuntu.com/security/CVE-2026-3592",
                        "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3593",
                        "url": "https://ubuntu.com/security/CVE-2026-3593",
                        "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5946",
                        "url": "https://ubuntu.com/security/CVE-2026-5946",
                        "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5947",
                        "url": "https://ubuntu.com/security/CVE-2026-5947",
                        "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5950",
                        "url": "https://ubuntu.com/security/CVE-2026-5950",
                        "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3592",
                        "url": "https://ubuntu.com/security/CVE-2026-3592",
                        "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3039",
                        "url": "https://ubuntu.com/security/CVE-2026-3039",
                        "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5946",
                        "url": "https://ubuntu.com/security/CVE-2026-5946",
                        "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5950",
                        "url": "https://ubuntu.com/security/CVE-2026-5950",
                        "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5947",
                        "url": "https://ubuntu.com/security/CVE-2026-5947",
                        "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3593",
                        "url": "https://ubuntu.com/security/CVE-2026-3593",
                        "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1519",
                        "url": "https://ubuntu.com/security/CVE-2026-1519",
                        "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3104",
                        "url": "https://ubuntu.com/security/CVE-2026-3104",
                        "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3119",
                        "url": "https://ubuntu.com/security/CVE-2026-3119",
                        "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3591",
                        "url": "https://ubuntu.com/security/CVE-2026-3591",
                        "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3039",
                        "url": "https://ubuntu.com/security/CVE-2026-3039",
                        "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3592",
                        "url": "https://ubuntu.com/security/CVE-2026-3592",
                        "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3593",
                        "url": "https://ubuntu.com/security/CVE-2026-3593",
                        "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5946",
                        "url": "https://ubuntu.com/security/CVE-2026-5946",
                        "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5947",
                        "url": "https://ubuntu.com/security/CVE-2026-5947",
                        "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5950",
                        "url": "https://ubuntu.com/security/CVE-2026-5950",
                        "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 13:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1519",
                        "url": "https://ubuntu.com/security/CVE-2026-1519",
                        "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3104",
                        "url": "https://ubuntu.com/security/CVE-2026-3104",
                        "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-25 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2154096,
                    2150582
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1519",
                                "url": "https://ubuntu.com/security/CVE-2026-1519",
                                "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3104",
                                "url": "https://ubuntu.com/security/CVE-2026-3104",
                                "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3119",
                                "url": "https://ubuntu.com/security/CVE-2026-3119",
                                "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3591",
                                "url": "https://ubuntu.com/security/CVE-2026-3591",
                                "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3039",
                                "url": "https://ubuntu.com/security/CVE-2026-3039",
                                "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3592",
                                "url": "https://ubuntu.com/security/CVE-2026-3592",
                                "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3593",
                                "url": "https://ubuntu.com/security/CVE-2026-3593",
                                "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5946",
                                "url": "https://ubuntu.com/security/CVE-2026-5946",
                                "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5947",
                                "url": "https://ubuntu.com/security/CVE-2026-5947",
                                "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5950",
                                "url": "https://ubuntu.com/security/CVE-2026-5950",
                                "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2154096). Remaining changes:",
                            "    - Don't build dnstap as it depends on universe packages:",
                            "      + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and",
                            "        protobuf-c-compiler",
                            "      + d/dnsutils.install: don't install dnstap",
                            "      + d/rules: don't build dnstap nor install dnstap.proto",
                            "    - Add back apport:",
                            "      + d/bind9.apport: add back old bind9 apport hook, but without calling",
                            "        attach_conffiles() since that is already done by apport itself, with",
                            "        confirmation from the user.",
                            "      + d/control, d/rules: build-depends on dh-apport and use it",
                            "    - d/NEWS: mention relevant packaging changes",
                            "    - d/e/apparmor.d/usr.sbin.named: Allow read access to",
                            "      /proc/version_signature for named (LP #2119320)",
                            "  * Drop Changes:",
                            "    - d/bind9.maintscript: rm_conffile for incompatible named.conf",
                            "      (LP #2150582)",
                            "    [Uploaded by mistake in 1:9.20.18-1ubuntu3]",
                            "    - d/p/CVE-2026-1519-1.patch",
                            "    - d/p/CVE-2026-1519-2.patch",
                            "    - d/p/CVE-2026-1519-3.patch",
                            "    - d/p/CVE-2026-1519-4.patch",
                            "    - d/p/CVE-2026-1519-5.patch",
                            "    - d/p/CVE-2026-3104-1.patch",
                            "    - d/p/CVE-2026-3104-2.patch",
                            "    - d/p/CVE-2026-3119-1.patch",
                            "    - d/p/CVE-2026-3119-2.patch",
                            "    - d/p/CVE-2026-3591-1.patch",
                            "    - d/p/CVE-2026-3591-2.patch",
                            "    [Fixed in 9.20.21]",
                            "    - d/p/CVE-2026-3039-pre1.patch",
                            "    - d/p/CVE-2026-3039-1.patch",
                            "    - d/p/CVE-2026-3039-3.patch",
                            "    - d/p/CVE-2026-3592-1.patch",
                            "    - d/p/CVE-2026-3592-2.patch",
                            "    - d/p/CVE-2026-3592-3.patch",
                            "    - d/p/CVE-2026-3592-4.patch",
                            "    - d/p/CVE-2026-3593-1.patch",
                            "    - d/p/CVE-2026-3593-2.patch",
                            "    - d/p/CVE-2026-5946-1.patch",
                            "    - d/p/CVE-2026-5946-2.patch",
                            "    - d/p/CVE-2026-5946-3.patch",
                            "    - d/p/CVE-2026-5946-4.patch",
                            "    - d/p/CVE-2026-5946-5.patch",
                            "    - d/p/CVE-2026-5946-6.patch",
                            "    - d/p/CVE-2026-5946-7.patch",
                            "    - d/p/CVE-2026-5946-8.patch",
                            "    - d/p/CVE-2026-5946-9.patch",
                            "    - d/p/CVE-2026-5947.patch",
                            "    - d/p/CVE-2026-5950-1.patch",
                            "    - d/p/CVE-2026-5950-2.patch",
                            "    - d/p/CVE-2026-5950-3.patch",
                            "    [Fixed in 9.20.23]",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.23-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2154096
                        ],
                        "author": "Lena Voytek <lena.voytek@canonical.com>",
                        "date": "Thu, 28 May 2026 14:49:56 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-3592",
                                "url": "https://ubuntu.com/security/CVE-2026-3592",
                                "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3039",
                                "url": "https://ubuntu.com/security/CVE-2026-3039",
                                "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5946",
                                "url": "https://ubuntu.com/security/CVE-2026-5946",
                                "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5950",
                                "url": "https://ubuntu.com/security/CVE-2026-5950",
                                "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5947",
                                "url": "https://ubuntu.com/security/CVE-2026-5947",
                                "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3593",
                                "url": "https://ubuntu.com/security/CVE-2026-3593",
                                "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream version 9.20.23",
                            "   + [CVE-2026-3592]: Limit resolver server list size.",
                            "   + [CVE-2026-3039]: Fix GSS-API resource leak.",
                            "   + [CVE-2026-5946]: Disable recursion, UPDATE, and NOTIFY for non-IN",
                            "     views.",
                            "   + [CVE-2026-5950]: Avoid unbounded recursion loop.",
                            "   + [CVE-2026-5947]: Fix crash in resolver when SIG(0)-signed responses",
                            "     are received under load.",
                            "   + [CVE-2026-3593]: Fix use-after-free error in DNS-over-HTTPS when",
                            "     processing HTTP/2 SETTINGS frames.",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.23-1",
                        "urgency": "high",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Ondřej Surý <ondrej@debian.org>",
                        "date": "Wed, 20 May 2026 11:42:43 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 9.20.22",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.22-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Ondřej Surý <ondrej@debian.org>",
                        "date": "Wed, 01 Apr 2026 16:58:56 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1519",
                                "url": "https://ubuntu.com/security/CVE-2026-1519",
                                "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3104",
                                "url": "https://ubuntu.com/security/CVE-2026-3104",
                                "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3119",
                                "url": "https://ubuntu.com/security/CVE-2026-3119",
                                "cve_description": "Under certain conditions, `named` may crash when processing a correctly signed query containing a TKEY record. The affected code can only be reached if an incoming request has a valid transaction signature (TSIG) from a key declared in the `named` configuration. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3591",
                                "url": "https://ubuntu.com/security/CVE-2026-3591",
                                "cve_description": "A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP addresses), this may lead to unauthorized access. Default-deny ACLs should fail-secure. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream version 9.20.21",
                            "   - [CVE-2026-1519]: Fix unbounded NSEC3 iterations when validating",
                            "     referrals to unsigned delegations.",
                            "   - [CVE-2026-3104]: Fix memory leaks in code preparing DNSSEC proofs of",
                            "     non-existence.",
                            "   - [CVE-2026-3119]: Prevent a crash in code processing queries",
                            "     containing a TKEY record.",
                            "   - [CVE-2026-3591]: Fix a stack use-after-return flaw in SIG(0) handling",
                            "     code.",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.21-1",
                        "urgency": "high",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Ondřej Surý <ondrej@debian.org>",
                        "date": "Wed, 25 Mar 2026 16:38:18 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 9.20.20",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.20-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Ondřej Surý <ondrej@debian.org>",
                        "date": "Fri, 27 Feb 2026 12:46:48 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 9.20.19",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.19-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Ondřej Surý <ondrej@debian.org>",
                        "date": "Wed, 18 Feb 2026 12:28:29 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-3039",
                                "url": "https://ubuntu.com/security/CVE-2026-3039",
                                "cve_description": "BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets.  Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3592",
                                "url": "https://ubuntu.com/security/CVE-2026-3592",
                                "cve_description": "BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack.  If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3593",
                                "url": "https://ubuntu.com/security/CVE-2026-3593",
                                "cve_description": "A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5946",
                                "url": "https://ubuntu.com/security/CVE-2026-5946",
                                "cve_description": "Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5947",
                                "url": "https://ubuntu.com/security/CVE-2026-5947",
                                "cve_description": "Undefined behavior may result due to a race condition leading to a use-after-free violation.  If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature.  If, during that validation, the \"recursive-clients\" limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5950",
                                "url": "https://ubuntu.com/security/CVE-2026-5950",
                                "cve_description": "An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 13:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1519",
                                "url": "https://ubuntu.com/security/CVE-2026-1519",
                                "cve_description": "If a BIND resolver is performing DNSSEC validation and encounters a maliciously crafted zone, the resolver may consume excessive CPU. Authoritative-only servers are generally unaffected, although there are circumstances where authoritative servers may make recursive queries (see: https://kb.isc.org/docs/why-does-my-authoritative-server-make-recursive-queries). This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.46, 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.46-S1, and 9.20.9-S1 through 9.20.20-S1.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3104",
                                "url": "https://ubuntu.com/security/CVE-2026-3104",
                                "cve_description": "A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain. This issue affects BIND 9 versions 9.20.0 through 9.20.20, 9.21.0 through 9.21.19, and 9.20.9-S1 through 9.20.20-S1. BIND 9 versions 9.18.0 through 9.18.46 and 9.18.11-S1 through 9.18.46-S1 are NOT affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-25 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: BIND 9 server memory exhaustion during GSS-API TKEY",
                            "    negotiation",
                            "    - debian/patches/CVE-2026-3039-pre1.patch: Release gnamebuf also on the",
                            "      error path in lib/dns/gssapictx.c.",
                            "    - debian/patches/CVE-2026-3039-1.patch: Fix GSS-API context leak in TKEY",
                            "      negotiation in lib/dns/gssapictx.c, lib/dns/include/dst/gssapi.h,",
                            "      lib/dns/tkey.c.",
                            "    - debian/patches/CVE-2026-3039-3.patch: Fix output token and GSS context",
                            "      leaks in TKEY/GSS-API error paths in lib/dns/gssapictx.c,",
                            "      lib/dns/tkey.c.",
                            "    - CVE-2026-3039",
                            "  * SECURITY UPDATE: Amplification vulnerabilities via self-pointed glue",
                            "    records",
                            "    - debian/patches/CVE-2026-3592-1.patch: Limit the number of addresses",
                            "      returned per ADB find in bin/named/main.c, lib/dns/adb.c.",
                            "    - debian/patches/CVE-2026-3592-2.patch: Remove duplicate addresses from",
                            "      the resolver SLIST in lib/dns/resolver.c.",
                            "    - debian/patches/CVE-2026-3592-3.patch: Add system test for self-pointed",
                            "      glue deduplication in bin/tests/system/selfpointedglue/ns1/named.conf.j2,",
                            "      bin/tests/system/selfpointedglue/ns1/root.db,",
                            "      bin/tests/system/selfpointedglue/ns2/named.conf.j2,",
                            "      bin/tests/system/selfpointedglue/ns2/tld.db,",
                            "      bin/tests/system/selfpointedglue/ns3/example.tld.db,",
                            "      bin/tests/system/selfpointedglue/ns3/example2.tld.db,",
                            "      bin/tests/system/selfpointedglue/ns3/named.conf.j2,",
                            "      bin/tests/system/selfpointedglue/ns4/named.args.j2,",
                            "      bin/tests/system/selfpointedglue/ns4/named.conf.j2,",
                            "      bin/tests/system/selfpointedglue/ns4/root.hint,",
                            "      bin/tests/system/selfpointedglue/tests_selfpointedglue.py.",
                            "    - debian/patches/CVE-2026-3592-4.patch: Add SRTT-based server selection",
                            "      system test in bin/tests/system/srtt/README,",
                            "      bin/tests/system/srtt/ans2/ans.py, bin/tests/system/srtt/ans3/ans.py,",
                            "      bin/tests/system/srtt/ans4/ans.py, bin/tests/system/srtt/ans5/ans.py,",
                            "      bin/tests/system/srtt/ns1/named.conf.j2,",
                            "      bin/tests/system/srtt/ns1/root.db, bin/tests/system/srtt/ns6/named.args,",
                            "      bin/tests/system/srtt/ns6/named.conf.j2,",
                            "      bin/tests/system/srtt/srtt_ans.py, bin/tests/system/srtt/tests_srtt.py.",
                            "    - CVE-2026-3592",
                            "  * SECURITY UPDATE: Heap use-after-free vulnerability in BIND 9",
                            "    DNS-over-HTTPS implementation",
                            "    - debian/patches/CVE-2026-3593-1.patch: Add system test for HTTP/2",
                            "      SETTINGS frame flood in bin/tests/system/doth/tests_malicious.py.",
                            "    - debian/patches/CVE-2026-3593-2.patch: Fix use-after-free in DoH write",
                            "      buffer after HTTP/2 send in lib/isc/netmgr/http.c.",
                            "    - CVE-2026-3593",
                            "  * SECURITY UPDATE: Invalid handling of CLASS != IN",
                            "    - debian/patches/CVE-2026-5946-1.patch: Disable recursion for non-IN",
                            "      classes in bin/named/server.c, lib/isccfg/check.c.",
                            "    - debian/patches/CVE-2026-5946-2.patch: Disable UPDATE and NOTIFY for",
                            "      non-IN classes in bin/named/server.c, lib/dns/adb.c,",
                            "      lib/ns/client.c, lib/ns/update.c.",
                            "    - debian/patches/CVE-2026-5946-3.patch: Validate DNS message CLASS early",
                            "      in request processing in bin/tests/system/unknown/tests.sh,",
                            "      lib/ns/client.c.",
                            "    - debian/patches/CVE-2026-5946-4.patch: Reject meta-classes in UPDATE and",
                            "      NOTIFY messages in lib/dns/message.c.",
                            "    - debian/patches/CVE-2026-5946-5.patch: Skip \"deny-answer-address\" for",
                            "      non-IN addresses in lib/dns/resolver.c.",
                            "    - debian/patches/CVE-2026-5946-6.patch: Test CHAOS view recursion behavior",
                            "      in bin/tests/system/checkconf/tests.sh,",
                            "      bin/tests/system/checkconf/warn-chaos-recursion.conf,",
                            "      bin/tests/system/class/ns1/chaos.db.in,",
                            "      bin/tests/system/class/ns1/named.conf.j2,",
                            "      bin/tests/system/class/ns2/example.db.in,",
                            "      bin/tests/system/class/ns2/localhost.db.in,",
                            "      bin/tests/system/class/ns2/named.conf.j2,",
                            "      bin/tests/system/class/ns3/named.conf.j2, bin/tests/system/class/setup.sh,",
                            "      bin/tests/system/class/tests_class_chaos.py,",
                            "      bin/tests/system/isctest/check.py.",
                            "    - debian/patches/CVE-2026-5946-7.patch: Test UPDATE behavior in CHAOS and",
                            "      other non-IN classes in bin/named/server.c,",
                            "      bin/tests/system/class/ns2/localhost.db.in,",
                            "      bin/tests/system/class/tests_class_update.py.",
                            "    - debian/patches/CVE-2026-5946-8.patch: Test server behavior when sending",
                            "      various UPDATE requests in bin/tests/system/class/tests_class_update.py,",
                            "      bin/tests/system/nsupdate/setup.sh, bin/tests/system/nsupdate/tests.sh,",
                            "      bin/tests/system/packet.pl.",
                            "    - debian/patches/CVE-2026-5946-9.patch: Make the RD flag optional in",
                            "      isctest.query() in bin/tests/system/isctest/query.py.",
                            "    - CVE-2026-5946",
                            "  * SECURITY UPDATE: SIG(0) validation during query flood may lead to",
                            "    undefined behavior",
                            "    - debian/patches/CVE-2026-5947.patch: Fix use-after-free in resolver SIG(0)",
                            "      async verification path in lib/dns/resolver.c.",
                            "    - CVE-2026-5947",
                            "  * SECURITY UPDATE: Unbounded resend loop in BIND 9 resolver",
                            "    - debian/patches/CVE-2026-5950-1.patch: Add reproducer for BADCOOKIE",
                            "      resend loop in bin/tests/system/resend_loop/ans3/ans.py,",
                            "      bin/tests/system/resend_loop/ns4/named.conf.j2,",
                            "      bin/tests/system/resend_loop/ns4/root.hint,",
                            "      bin/tests/system/resend_loop/tests_resend_loop.py.",
                            "    - debian/patches/CVE-2026-5950-2.patch: Refactor incrementing query",
                            "      counters in lib/dns/resolver.c.",
                            "    - debian/patches/CVE-2026-5950-3.patch: rctx_resend() increment query",
                            "      counters in lib/dns/resolver.c.",
                            "    - CVE-2026-5950",
                            "  * d/p/CVE-2026-1519-1.patch, d/p/CVE-2026-3104-1.patch: disable these two",
                            "    patches (not applied in this build); quilt apparently does not handle",
                            "    patches that create symlinks.",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.18-1ubuntu4",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 21 May 2026 08:23:48 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/bind9.maintscript: rm_conffile for incompatible named.conf",
                            "    (LP: #2150582)",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.20.18-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2150582
                        ],
                        "author": "Hector Cao <hector.cao@canonical.com>",
                        "date": "Thu, 30 Apr 2026 16:36:00 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "btrfs-progs",
                "from_version": {
                    "source_package_name": "btrfs-progs",
                    "source_package_version": "6.17.1-1build1",
                    "version": "6.17.1-1build1"
                },
                "to_version": {
                    "source_package_name": "btrfs-progs",
                    "source_package_version": "7.0-1",
                    "version": "7.0-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Define debian-branch in gbp.conf.",
                            "  * Drop \"Rules-Requires-Root: no\".",
                            "  * Declare Standards-Version 4.7.4 (no further changes required).",
                            "  * Add backup.sh to /usr/share/doc/btrfs-progs/examples; this program",
                            "    demonstrates how to snapshot btrfs subvolumes and back them up somewhere",
                            "    else using rsync.",
                            "  * New upstream release.",
                            "  * Add libbtrfsutil/python/version.py to cleaned files to resolve broken",
                            "    build-twice condition (Closes: #1044007).",
                            ""
                        ],
                        "package": "btrfs-progs",
                        "version": "7.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Nicholas D Steeves <sten@debian.org>",
                        "date": "Sun, 10 May 2026 17:20:41 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Declare Standards-Version 4.7.3:",
                            "    * The udeb previously contained files installed to /bin; however, this",
                            "      was resolved in version 6.17.1-1.",
                            "    * Drop \"Priority: optional\", which is now default.",
                            "  * New upstream release.",
                            "  * Update libbtrfsutil symbols.",
                            ""
                        ],
                        "package": "btrfs-progs",
                        "version": "6.19.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Nicholas D Steeves <sten@debian.org>",
                        "date": "Sun, 29 Mar 2026 15:41:43 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "cron",
                "from_version": {
                    "source_package_name": "cron",
                    "source_package_version": "3.0pl1-200ubuntu1",
                    "version": "3.0pl1-200ubuntu1"
                },
                "to_version": {
                    "source_package_name": "cron",
                    "source_package_version": "3.0pl1-209ubuntu1",
                    "version": "3.0pl1-209ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2153294
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2153294). Remaining changes:",
                            "    - d/control: Move MTA to Suggests field",
                            "    - d/cron.default: change to a deprecated message",
                            "      This file is no longer in use.",
                            "    - d/p/f/inherit-path.patch: add -P flag to inherit PATH from environment",
                            "    - Inherit PATH by default",
                            "      Change cron.service and cron.init to pass -P to cron by default.",
                            "      Changed crontab.main to stop setting PATH explicitly.",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-209ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2153294
                        ],
                        "author": "Carter Hawthorne <carter.hawthorne@canonical.com>",
                        "date": "Wed, 27 May 2026 10:24:45 -0700"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Alexandre Detiste ]",
                            "  * redo cron-daemon-common.postrm with dh-cruft, register volatile crontabs",
                            "  [ Georges Khaznadar ]",
                            "  * merged Alexandre's changes, thanks! Closes: #1135047",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-209",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Mon, 27 Apr 2026 09:56:39 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Use dh-sequence-installsysusers instead of manual d/rules call",
                            "  * Remove duplicated addgroup",
                            "  * Rename c-d-c.tmpfile to c-d-c.tmpfiles to avoid debhelper warning",
                            "",
                            "  [ Georges Khaznadar ]",
                            "  * released to unstable",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-208",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Sun, 19 Apr 2026 16:57:55 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * added information about the maximum permitted length of the command",
                            "    field, in man pages for crontab(1) and crontab(5), in the",
                            "    LIMITATIONS section. Closes: #1132379",
                            "  * changed the build dependency libselinux1-dev => libselinux-dev",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-207",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Tue, 31 Mar 2026 17:08:04 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * new tests, and a few tests improved, thanks to Luca Vercelli's",
                            "    work, thanks!",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-206",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Wed, 07 Jan 2026 14:31:10 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Use the command `date` and SOURCE_DATE_EPOCH to inject the date with",
                            "    a universal format into manpages, thanks to Vincent Lefevre's hint.",
                            "    Closes: #1122750",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-205",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Mon, 15 Dec 2025 00:54:30 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * modified the test d/tests/day-month-out-of-bounds which fails on some",
                            "    architectures",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-204",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Sun, 14 Dec 2025 22:22:15 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * reverted the change (about LANG=C.UTF-8) bug 1122750 is closed, because",
                            "    the MDY format for dates is OK",
                            "  * added non-breaking spaces into the first line of tables, in the",
                            "    docbookxml source file crontab.5.xml, in order to reshape properly",
                            "    columns and avoid line breaks. Unfortunately, <colspec> elements are",
                            "    poorly interpreted by xsltproc and the stylesheet for manpages.",
                            "    Closes: #1122802",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-203",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Sat, 13 Dec 2025 16:17:53 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * added LANG=C.UTF-8 to make manpages, so their dates will be in",
                            "    English locale. Closes: #1122750",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-202",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Fri, 12 Dec 2025 15:57:11 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * updated the man page crontab(5), and created a few tests to ensure that",
                            "    assertions made in the manual page are true, about day of month and",
                            "    year ranges, and about list of names regarding months and days of",
                            "    week. Closes: #1104759",
                            "  * added a build-dependency on docbook-xml",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-201",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Thu, 11 Dec 2025 15:25:16 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "cron-daemon-common",
                "from_version": {
                    "source_package_name": "cron",
                    "source_package_version": "3.0pl1-200ubuntu1",
                    "version": "3.0pl1-200ubuntu1"
                },
                "to_version": {
                    "source_package_name": "cron",
                    "source_package_version": "3.0pl1-209ubuntu1",
                    "version": "3.0pl1-209ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2153294
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2153294). Remaining changes:",
                            "    - d/control: Move MTA to Suggests field",
                            "    - d/cron.default: change to a deprecated message",
                            "      This file is no longer in use.",
                            "    - d/p/f/inherit-path.patch: add -P flag to inherit PATH from environment",
                            "    - Inherit PATH by default",
                            "      Change cron.service and cron.init to pass -P to cron by default.",
                            "      Changed crontab.main to stop setting PATH explicitly.",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-209ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2153294
                        ],
                        "author": "Carter Hawthorne <carter.hawthorne@canonical.com>",
                        "date": "Wed, 27 May 2026 10:24:45 -0700"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Alexandre Detiste ]",
                            "  * redo cron-daemon-common.postrm with dh-cruft, register volatile crontabs",
                            "  [ Georges Khaznadar ]",
                            "  * merged Alexandre's changes, thanks! Closes: #1135047",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-209",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Mon, 27 Apr 2026 09:56:39 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Use dh-sequence-installsysusers instead of manual d/rules call",
                            "  * Remove duplicated addgroup",
                            "  * Rename c-d-c.tmpfile to c-d-c.tmpfiles to avoid debhelper warning",
                            "",
                            "  [ Georges Khaznadar ]",
                            "  * released to unstable",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-208",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Sun, 19 Apr 2026 16:57:55 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * added information about the maximum permitted length of the command",
                            "    field, in man pages for crontab(1) and crontab(5), in the",
                            "    LIMITATIONS section. Closes: #1132379",
                            "  * changed the build dependency libselinux1-dev => libselinux-dev",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-207",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Tue, 31 Mar 2026 17:08:04 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * new tests, and a few tests improved, thanks to Luca Vercelli's",
                            "    work, thanks!",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-206",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Wed, 07 Jan 2026 14:31:10 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Use the command `date` and SOURCE_DATE_EPOCH to inject the date with",
                            "    a universal format into manpages, thanks to Vincent Lefevre's hint.",
                            "    Closes: #1122750",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-205",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Mon, 15 Dec 2025 00:54:30 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * modified the test d/tests/day-month-out-of-bounds which fails on some",
                            "    architectures",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-204",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Sun, 14 Dec 2025 22:22:15 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * reverted the change (about LANG=C.UTF-8) bug 1122750 is closed, because",
                            "    the MDY format for dates is OK",
                            "  * added non-breaking spaces into the first line of tables, in the",
                            "    docbookxml source file crontab.5.xml, in order to reshape properly",
                            "    columns and avoid line breaks. Unfortunately, <colspec> elements are",
                            "    poorly interpreted by xsltproc and the stylesheet for manpages.",
                            "    Closes: #1122802",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-203",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Sat, 13 Dec 2025 16:17:53 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * added LANG=C.UTF-8 to make manpages, so their dates will be in",
                            "    English locale. Closes: #1122750",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-202",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Fri, 12 Dec 2025 15:57:11 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * updated the man page crontab(5), and created a few tests to ensure that",
                            "    assertions made in the manual page are true, about day of month and",
                            "    year ranges, and about list of names regarding months and days of",
                            "    week. Closes: #1104759",
                            "  * added a build-dependency on docbook-xml",
                            ""
                        ],
                        "package": "cron",
                        "version": "3.0pl1-201",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Georges Khaznadar <georgesk@debian.org>",
                        "date": "Thu, 11 Dec 2025 15:25:16 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dmeventd",
                "from_version": {
                    "source_package_name": "lvm2",
                    "source_package_version": "2.03.31-2ubuntu3",
                    "version": "2:1.02.205-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "lvm2",
                    "source_package_version": "2.03.31-2ubuntu4",
                    "version": "2:1.02.205-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/control: Drop explicit dependency on dbus.",
                            "    Allow alternative implementations like dbus-broker. (Closes: #1122629)",
                            ""
                        ],
                        "package": "lvm2",
                        "version": "2.03.31-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [],
                        "author": "Alessandro Astone <alessandro.astone@canonical.com>",
                        "date": "Mon, 25 May 2026 14:28:22 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dmsetup",
                "from_version": {
                    "source_package_name": "lvm2",
                    "source_package_version": "2.03.31-2ubuntu3",
                    "version": "2:1.02.205-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "lvm2",
                    "source_package_version": "2.03.31-2ubuntu4",
                    "version": "2:1.02.205-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/control: Drop explicit dependency on dbus.",
                            "    Allow alternative implementations like dbus-broker. (Closes: #1122629)",
                            ""
                        ],
                        "package": "lvm2",
                        "version": "2.03.31-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [],
                        "author": "Alessandro Astone <alessandro.astone@canonical.com>",
                        "date": "Mon, 25 May 2026 14:28:22 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "exfatprogs",
                "from_version": {
                    "source_package_name": "exfatprogs",
                    "source_package_version": "1.4.1-1",
                    "version": "1.4.1-1"
                },
                "to_version": {
                    "source_package_name": "exfatprogs",
                    "source_package_version": "1.4.2-1",
                    "version": "1.4.2-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "    Move lsdosattr and chdosattr from /usr/sbin to /usr/bin.",
                            ""
                        ],
                        "package": "exfatprogs",
                        "version": "1.4.2-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sven Hoexter <hoexter@debian.org>",
                        "date": "Mon, 15 Jun 2026 12:36:15 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "findutils",
                "from_version": {
                    "source_package_name": "findutils",
                    "source_package_version": "4.10.0-3build2",
                    "version": "4.10.0-3build2"
                },
                "to_version": {
                    "source_package_name": "findutils",
                    "source_package_version": "4.10.0-4",
                    "version": "4.10.0-4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "findutils",
                        "version": "4.10.0-3build2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:37:48 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Rebuild to include updated RISC-V base ISA RVA23",
                            ""
                        ],
                        "package": "findutils",
                        "version": "4.10.0-3build1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [],
                        "author": "Heinrich Schuchardt <heinrich.schuchardt@canonical.com>",
                        "date": "Wed, 03 Sep 2025 17:50:28 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": true
            },
            {
                "name": "libaio1t64:s390x",
                "from_version": {
                    "source_package_name": "libaio",
                    "source_package_version": "0.3.113-8build1",
                    "version": "0.3.113-8build1"
                },
                "to_version": {
                    "source_package_name": "libaio",
                    "source_package_version": "0.3.113-9",
                    "version": "0.3.113-9"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Remove «Rules-Requires-Root: no», which is the current default.",
                            "  * Remove «Priority: optional», which is the current default.",
                            "  * Remove versioned Build-Depends on dpkg-dev, satisfied since Debian trixie.",
                            "  * Remove lintian overrides that no longer get emitted.",
                            "  * Add spaces around make assignment operators to distinguish from shell ones.",
                            "  * Finish multi-line commands in debian/rules with a comment marker.",
                            "  * Switch to debian/watch version 5.",
                            "  * Switch to Standards-Version 4.7.3 (no changes needed).",
                            ""
                        ],
                        "package": "libaio",
                        "version": "0.3.113-9",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Sun, 22 Mar 2026 04:45:17 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libbsd0:s390x",
                "from_version": {
                    "source_package_name": "libbsd",
                    "source_package_version": "0.12.2-2build2",
                    "version": "0.12.2-2build2"
                },
                "to_version": {
                    "source_package_name": "libbsd",
                    "source_package_version": "0.12.2-3",
                    "version": "0.12.2-3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Remove «Rules-Requires-Root: no», which is the current default.",
                            "  * Remove «Priority: optional», which is the current default.",
                            "  * Switch to debian/watch version 5.",
                            "  * Switch to Standards-Version 4.7.4 (no changes needed).",
                            "  * Add spaces around make assignment operators to distinguish from shell ones.",
                            "  * Refactor common description into a source stanza Description field.",
                            "  * Remove build dependency on debhelper (>= 13.10) implied by",
                            "    debhelper-compat (= 13) since Debian bookworm.",
                            "  * Remove lintian overrides that no longer get emitted.",
                            "  * Clarify in package synopsis that the udeb shared library is a udeb.",
                            ""
                        ],
                        "package": "libbsd",
                        "version": "0.12.2-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Wed, 03 Jun 2026 09:43:18 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libdevmapper-event1.02.1:s390x",
                "from_version": {
                    "source_package_name": "lvm2",
                    "source_package_version": "2.03.31-2ubuntu3",
                    "version": "2:1.02.205-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "lvm2",
                    "source_package_version": "2.03.31-2ubuntu4",
                    "version": "2:1.02.205-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/control: Drop explicit dependency on dbus.",
                            "    Allow alternative implementations like dbus-broker. (Closes: #1122629)",
                            ""
                        ],
                        "package": "lvm2",
                        "version": "2.03.31-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [],
                        "author": "Alessandro Astone <alessandro.astone@canonical.com>",
                        "date": "Mon, 25 May 2026 14:28:22 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libdevmapper1.02.1:s390x",
                "from_version": {
                    "source_package_name": "lvm2",
                    "source_package_version": "2.03.31-2ubuntu3",
                    "version": "2:1.02.205-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "lvm2",
                    "source_package_version": "2.03.31-2ubuntu4",
                    "version": "2:1.02.205-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/control: Drop explicit dependency on dbus.",
                            "    Allow alternative implementations like dbus-broker. (Closes: #1122629)",
                            ""
                        ],
                        "package": "lvm2",
                        "version": "2.03.31-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [],
                        "author": "Alessandro Astone <alessandro.astone@canonical.com>",
                        "date": "Mon, 25 May 2026 14:28:22 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libexpat1:s390x",
                "from_version": {
                    "source_package_name": "expat",
                    "source_package_version": "2.7.4-1",
                    "version": "2.7.4-1"
                },
                "to_version": {
                    "source_package_name": "expat",
                    "source_package_version": "2.8.1-1",
                    "version": "2.8.1-1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-45186",
                        "url": "https://ubuntu.com/security/CVE-2026-45186",
                        "cve_description": "In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-10 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-41080",
                        "url": "https://ubuntu.com/security/CVE-2026-41080",
                        "cve_description": "libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-16 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-32776",
                        "url": "https://ubuntu.com/security/CVE-2026-32776",
                        "cve_description": "libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 14:19:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-32777",
                        "url": "https://ubuntu.com/security/CVE-2026-32777",
                        "cve_description": "libexpat before 2.7.5 allows an infinite loop while parsing DTD content.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 14:19:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-32778",
                        "url": "https://ubuntu.com/security/CVE-2026-32778",
                        "cve_description": "libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 14:19:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            ""
                        ],
                        "package": "expat",
                        "version": "2.8.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Laszlo Boszormenyi (GCS) <gcs@debian.org>",
                        "date": "Sat, 23 May 2026 09:01:54 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-45186",
                                "url": "https://ubuntu.com/security/CVE-2026-45186",
                                "cve_description": "In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-10 07:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Backport upstream fixes for self-testing:",
                            "    - drop casts around malloc that C99 does not need,",
                            "    - drop casts around XML_GetUserData that C99 does not need.",
                            "  * Backport upstream fixes for CVE-2026-45186: attribute name collision",
                            "    checks allowed denial of service attacks through moderately sized",
                            "    crafted XML input (closes: #1136164).",
                            ""
                        ],
                        "package": "expat",
                        "version": "2.8.0-2",
                        "urgency": "high",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Laszlo Boszormenyi (GCS) <gcs@debian.org>",
                        "date": "Sun, 10 May 2026 16:51:27 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-41080",
                                "url": "https://ubuntu.com/security/CVE-2026-41080",
                                "cve_description": "libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-16 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream release:",
                            "    - fixes CVE-2026-41080: improve protection against hash flooding",
                            "      (closes: #1134732).",
                            "  * Update libexpat1 symbols.",
                            ""
                        ],
                        "package": "expat",
                        "version": "2.8.0-1",
                        "urgency": "high",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Laszlo Boszormenyi (GCS) <gcs@debian.org>",
                        "date": "Sat, 25 Apr 2026 07:19:30 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-32776",
                                "url": "https://ubuntu.com/security/CVE-2026-32776",
                                "cve_description": "libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 14:19:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-32777",
                                "url": "https://ubuntu.com/security/CVE-2026-32777",
                                "cve_description": "libexpat before 2.7.5 allows an infinite loop while parsing DTD content.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 14:19:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-32778",
                                "url": "https://ubuntu.com/security/CVE-2026-32778",
                                "cve_description": "libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 14:19:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream release:",
                            "    - fixes CVE-2026-32776: NULL function pointer dereference for empty",
                            "      external parameter entities (closes: #1131117),",
                            "    - fixes CVE-2026-32777: protect from XML_TOK_INSTANCE_START infinite",
                            "      loop in entityValueProcessor() (closes: #1131118),",
                            "    - fixes CVE-2026-32778: NULL dereference in setContext() on retry after",
                            "      an earlier out-of-memory condition (closes: #1131119).",
                            ""
                        ],
                        "package": "expat",
                        "version": "2.7.5-1",
                        "urgency": "high",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Laszlo Boszormenyi (GCS) <gcs@debian.org>",
                        "date": "Tue, 17 Mar 2026 22:23:17 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libfido2-1:s390x",
                "from_version": {
                    "source_package_name": "libfido2",
                    "source_package_version": "1.16.0-2build1",
                    "version": "1.16.0-2build1"
                },
                "to_version": {
                    "source_package_name": "libfido2",
                    "source_package_version": "1.17.0-1",
                    "version": "1.17.0-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "libfido2",
                        "version": "1.16.0-2build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:35:02 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": true
            },
            {
                "name": "libjemalloc2:s390x",
                "from_version": {
                    "source_package_name": "jemalloc",
                    "source_package_version": "5.3.0-4",
                    "version": "5.3.0-4"
                },
                "to_version": {
                    "source_package_name": "jemalloc",
                    "source_package_version": "5.3.1-2",
                    "version": "5.3.1-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Revert to a manually crafted debian/watch, in order to fetch",
                            "    upstream-authored tarball rather than git snapshots.",
                            "  * Add a VERSION file manually, missing due to the tarball issue above, to",
                            "    address an FTBFS in certain users of jemalloc. (Closes: #1134684)",
                            "  * Add a guard against building with an invalid (0.0.0) JEMALLOC_VERSION, as",
                            "    another layer of defense to prevent the recurrence of such issues in the",
                            "    future.",
                            ""
                        ],
                        "package": "jemalloc",
                        "version": "5.3.1-2",
                        "urgency": "high",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Faidon Liambotis <paravoid@debian.org>",
                        "date": "Tue, 05 May 2026 09:58:18 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "    - Update symbols file to reflect the addition of new functions, including",
                            "      pvalloc(3).",
                            "    - Drop patch Disable-builtin-malloc-in-tests, was an upstream backport.",
                            "    - Drop patch hurd.patch, does not apply anymore.",
                            "  * Add patch dont-call-libstdcxx-internals (upstream PR #2860) to address a",
                            "    FTBFS with GCC 16. (Closes: #1133508)",
                            "  * Remove symbols that were present only to ease backports to systems with a",
                            "    much older glibc (<< 2.34).",
                            "  * Refresh the package description to add more information, and to leverage",
                            "    dpkg 1.19's ${source:Synopsis}/${source:Extended-Description} to make it",
                            "    more DRY.",
                            "  * Drop Rules-Requires-Root: no, the default now.",
                            "  * Bump Standards-Version to 4.7.4, no changes needed.",
                            ""
                        ],
                        "package": "jemalloc",
                        "version": "5.3.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Faidon Liambotis <paravoid@debian.org>",
                        "date": "Tue, 14 Apr 2026 14:06:23 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "liblvm2cmd2.03:s390x",
                "from_version": {
                    "source_package_name": "lvm2",
                    "source_package_version": "2.03.31-2ubuntu3",
                    "version": "2.03.31-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "lvm2",
                    "source_package_version": "2.03.31-2ubuntu4",
                    "version": "2.03.31-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/control: Drop explicit dependency on dbus.",
                            "    Allow alternative implementations like dbus-broker. (Closes: #1122629)",
                            ""
                        ],
                        "package": "lvm2",
                        "version": "2.03.31-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [],
                        "author": "Alessandro Astone <alessandro.astone@canonical.com>",
                        "date": "Mon, 25 May 2026 14:28:22 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libmaxminddb0:s390x",
                "from_version": {
                    "source_package_name": "libmaxminddb",
                    "source_package_version": "1.12.2-1build2",
                    "version": "1.12.2-1build2"
                },
                "to_version": {
                    "source_package_name": "libmaxminddb",
                    "source_package_version": "1.13.3-1",
                    "version": "1.13.3-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release. (Closes: #1131799)",
                            "  * Bump Standards-Version to 4.7.3:",
                            "    - Remove Priority: optional, the default now.",
                            "    - Remove Rules-Requires-Root: no, the default now.",
                            "  * Update debian/watch to version 5 and the GitHub template.",
                            ""
                        ],
                        "package": "libmaxminddb",
                        "version": "1.13.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Faidon Liambotis <paravoid@debian.org>",
                        "date": "Sat, 28 Mar 2026 14:24:52 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnetplan1:s390x",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2-1ubuntu5",
                    "version": "1.2-1ubuntu5"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2.1-1ubuntu1",
                    "version": "1.2.1-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2153219,
                    2137640,
                    2139598,
                    2138802,
                    2071747,
                    2145061,
                    2147446
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2153219). Remaining changes:",
                            "    - Skip test_link_offloading to allow for a green baseline (LP 2126938)",
                            "      + d/p/lp-2126938-skip-test-link-offloading.patch",
                            "  * Dropped:",
                            "    - d/p/lp-2138802-BlockingIOError-py314.patch: fix \"netplan try\" with python",
                            "      3.14 by handling BlockingIOError in addition to TypeError (LP 2138802)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - debian/patches/lp2139598-execute-udev-rules-before-sriov-apply-service.patch:",
                            "      execute udev rules before starting sriov apply service (LP 2139598)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/lp2071747-unresolvable-network-cycle.patch: fix network ordering cycle",
                            "      (LP 2071747)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/lp2145061-wpa-supplicant-requires-netplan-configure.patch: add",
                            "      Requires=/After= dependency on netplan-configure.service to wpa supplicant",
                            "      units. (LP 2145061)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/lp2147446-state-label-DHCPv4-using-networkd-ConfigSource.patch: use",
                            "      networkd to apply dhcp labels to addresses (LP 2147446).",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/tests-only-consider-netplan-generated-files.patch: skip checking file",
                            "      permissions for files not managed by netplan in integration tests.",
                            "      [Included in Debian 1.2.1-1]",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2153219
                        ],
                        "author": "Guilherme Puida Moreira <guilherme.moreira@canonical.com>",
                        "date": "Thu, 21 May 2026 16:24:14 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Lukas Märdian ]",
                            "  * New upstream release: 1.2.1",
                            "    - Fix generate.py to properly handle --root-dir (LP: #2137640)",
                            "    - Use io.StringIO() instead of tempfile.TemporaryFile()",
                            "  * Avoid race condition in SR-IOV setup (LP: #2139598)",
                            "    - d/p/0002-generate-sriov-execute-udev-rules-before-starting-sr.patch",
                            "  * d/gbp.conf: Update to debian/latest (DEP-14)",
                            "  * d/p/0002-*: Drop root-dir patch (applied in 1.2.1)",
                            "",
                            "  [ Andreas Hasenack ]",
                            "  * d/p/lp-2138802-BlockingIOError-py314.patch: fix \"netplan try\" with",
                            "    python 3.14 by handling BlockingIOError in addition to TypeError",
                            "    (LP: #2138802)",
                            "",
                            "  [ Guilherme Puida Moreira ]",
                            "  * d/p/lp2071747-unresolvable-network-cycle.patch.",
                            "    Order service after systemd-sysusers.service to fix network cycle",
                            "    (LP: #2071747)",
                            "  * d/p/lp2145061-wpa-supplicant-requires-netplan-configure.patch (LP: #2145061)",
                            "  * d/p/tests-only-consider-netplan-generated-files.patch",
                            "  * d/p/lp2147446-state-label-DHCPv4-using-networkd-ConfigSource.patch",
                            "    (LP: #2147446)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2137640,
                            2139598,
                            2138802,
                            2071747,
                            2145061,
                            2147446
                        ],
                        "author": "Lukas Märdian <slyon@debian.org>",
                        "date": "Wed, 13 May 2026 21:43:12 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpng16-16t64:s390x",
                "from_version": {
                    "source_package_name": "libpng1.6",
                    "source_package_version": "1.6.57-1",
                    "version": "1.6.57-1"
                },
                "to_version": {
                    "source_package_name": "libpng1.6",
                    "source_package_version": "1.6.58-1",
                    "version": "1.6.58-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 1.6.58",
                            "    - Fix regression in 1.6.57",
                            ""
                        ],
                        "package": "libpng1.6",
                        "version": "1.6.58-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Fri, 17 Apr 2026 14:34:10 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpolkit-agent-1-0:s390x",
                "from_version": {
                    "source_package_name": "policykit-1",
                    "source_package_version": "127-2ubuntu1",
                    "version": "127-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "policykit-1",
                    "source_package_version": "127-3",
                    "version": "127-3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-4897",
                        "url": "https://ubuntu.com/security/CVE-2026-4897",
                        "cve_description": "A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-26 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-4897",
                                "url": "https://ubuntu.com/security/CVE-2026-4897",
                                "cve_description": "A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-26 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Team upload.",
                            "",
                            "  [ Simon McVittie ]",
                            "  * Re-word previous changelog entry, fixing an incorrect bug number",
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Add build dependency on docbook-xml",
                            "",
                            "  [ Andreas Henriksson ]",
                            "  * CVE-2026-4897: getline string overflow (Closes: #1132234)",
                            "  * Switch build-dependency to libselinux-dev",
                            ""
                        ],
                        "package": "policykit-1",
                        "version": "127-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andreas Henriksson <andreas@fatal.se>",
                        "date": "Mon, 27 Apr 2026 16:30:49 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpolkit-gobject-1-0:s390x",
                "from_version": {
                    "source_package_name": "policykit-1",
                    "source_package_version": "127-2ubuntu1",
                    "version": "127-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "policykit-1",
                    "source_package_version": "127-3",
                    "version": "127-3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-4897",
                        "url": "https://ubuntu.com/security/CVE-2026-4897",
                        "cve_description": "A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-26 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-4897",
                                "url": "https://ubuntu.com/security/CVE-2026-4897",
                                "cve_description": "A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-26 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Team upload.",
                            "",
                            "  [ Simon McVittie ]",
                            "  * Re-word previous changelog entry, fixing an incorrect bug number",
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Add build dependency on docbook-xml",
                            "",
                            "  [ Andreas Henriksson ]",
                            "  * CVE-2026-4897: getline string overflow (Closes: #1132234)",
                            "  * Switch build-dependency to libselinux-dev",
                            ""
                        ],
                        "package": "policykit-1",
                        "version": "127-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andreas Henriksson <andreas@fatal.se>",
                        "date": "Mon, 27 Apr 2026 16:30:49 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsgutils2-1.48:s390x",
                "from_version": {
                    "source_package_name": "sg3-utils",
                    "source_package_version": "1.48-3ubuntu3",
                    "version": "1.48-3ubuntu3"
                },
                "to_version": {
                    "source_package_name": "sg3-utils",
                    "source_package_version": "1.48-3ubuntu4",
                    "version": "1.48-3ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2152092
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/lp2152092-sg_wr_mode-fix-contents-and-cfile=-handling: fix",
                            "    command-line argument handling for --contents and --cfile in sg_wr_mode",
                            "    (LP: #2152092)",
                            ""
                        ],
                        "package": "sg3-utils",
                        "version": "1.48-3ubuntu4",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2152092
                        ],
                        "author": "Guilherme Puida Moreira <guilherme.moreira@canonical.com>",
                        "date": "Thu, 21 May 2026 14:38:58 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libtirpc-common",
                "from_version": {
                    "source_package_name": "libtirpc",
                    "source_package_version": "1.3.7-0.1",
                    "version": "1.3.7-0.1"
                },
                "to_version": {
                    "source_package_name": "libtirpc",
                    "source_package_version": "1.3.7+ds-1",
                    "version": "1.3.7+ds-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "    * Fix missing symbols generation (Closes: #1132199):",
                            "      + Add patch reverting upstream conditional symbol versioning.",
                            ""
                        ],
                        "package": "libtirpc",
                        "version": "1.3.7+ds-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Josue Ortega <josue@debian.org>",
                        "date": "Tue, 31 Mar 2026 11:05:51 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libtirpc3t64:s390x",
                "from_version": {
                    "source_package_name": "libtirpc",
                    "source_package_version": "1.3.7-0.1",
                    "version": "1.3.7-0.1"
                },
                "to_version": {
                    "source_package_name": "libtirpc",
                    "source_package_version": "1.3.7+ds-1",
                    "version": "1.3.7+ds-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "    * Fix missing symbols generation (Closes: #1132199):",
                            "      + Add patch reverting upstream conditional symbol versioning.",
                            ""
                        ],
                        "package": "libtirpc",
                        "version": "1.3.7+ds-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Josue Ortega <josue@debian.org>",
                        "date": "Tue, 31 Mar 2026 11:05:51 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "lvm2",
                "from_version": {
                    "source_package_name": "lvm2",
                    "source_package_version": "2.03.31-2ubuntu3",
                    "version": "2.03.31-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "lvm2",
                    "source_package_version": "2.03.31-2ubuntu4",
                    "version": "2.03.31-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/control: Drop explicit dependency on dbus.",
                            "    Allow alternative implementations like dbus-broker. (Closes: #1122629)",
                            ""
                        ],
                        "package": "lvm2",
                        "version": "2.03.31-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [],
                        "author": "Alessandro Astone <alessandro.astone@canonical.com>",
                        "date": "Mon, 25 May 2026 14:28:22 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "mdadm",
                "from_version": {
                    "source_package_name": "mdadm",
                    "source_package_version": "4.5-5ubuntu1",
                    "version": "4.5-5ubuntu1"
                },
                "to_version": {
                    "source_package_name": "mdadm",
                    "source_package_version": "4.6-2ubuntu1",
                    "version": "4.6-2ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144935
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - d/{control,mdadm.install,/finalrd/mdadm.finalrd}: ship a finalrd hook",
                            "    - d/t/control: add allow-stderr restriction",
                            "    - d/t/test-installed: disable failing on error and skip tests",
                            "      Use same test settings as the upstream github tests to prevent",
                            "      failing after error and disable problematic or extra long tests",
                            "    - d/p/u/disable-tests-failing-on-ubuntu.patch: disable some tests",
                            "      that fail either intermittently or consistently on Ubuntu (LP: #2144935)",
                            ""
                        ],
                        "package": "mdadm",
                        "version": "4.6-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2144935
                        ],
                        "author": "Simon Quigley <tsimonq2@debian.org>",
                        "date": "Tue, 05 May 2026 17:24:16 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Updating to standards version 4.7.4.",
                            "  * Removing manual installation of mdcheck which is now done by the",
                            "    build system itself and would otherwise overwrite the correctly",
                            "    processed file (Closes: #1124837, #1128971, #1132470).",
                            ""
                        ],
                        "package": "mdadm",
                        "version": "4.6-2",
                        "urgency": "medium",
                        "distributions": "sid",
                        "launchpad_bugs_fixed": [],
                        "author": "Daniel Baumann <daniel@debian.org>",
                        "date": "Wed, 01 Apr 2026 16:43:18 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merging upstream version 4.6.",
                            "  * Removing 241.patch, included upstream.",
                            "  * Removing load-md_mod-first.patch, included upstream.",
                            "  * Refreshing fix-manpages.patch.",
                            "  * Refreshing host-name-in-default-mailfrom.patch.",
                            "  * Refreshing exit-gracefully-when-md-device-not-found.patch.",
                            "  * Refreshing no-Werror.patch.",
                            "  * Refreshing test-installed.patch.",
                            "  * Refreshing systemd-directory.patch.",
                            "  * Refreshing bin-directory.patch.",
                            "  * Renumbering patches.",
                            ""
                        ],
                        "package": "mdadm",
                        "version": "4.6-1",
                        "urgency": "medium",
                        "distributions": "sid",
                        "launchpad_bugs_fixed": [],
                        "author": "Daniel Baumann <daniel@debian.org>",
                        "date": "Sun, 22 Mar 2026 12:10:18 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Harmonizing watch file.",
                            "  * Correcting systemd detection, thanks to Luca Boccassi",
                            "    <bluca@debian.org> (Closes: #1130558).",
                            ""
                        ],
                        "package": "mdadm",
                        "version": "4.5-6",
                        "urgency": "medium",
                        "distributions": "sid",
                        "launchpad_bugs_fixed": [],
                        "author": "Daniel Baumann <daniel@debian.org>",
                        "date": "Mon, 16 Mar 2026 06:32:59 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "netcat-openbsd",
                "from_version": {
                    "source_package_name": "netcat-openbsd",
                    "source_package_version": "1.234-1",
                    "version": "1.234-1"
                },
                "to_version": {
                    "source_package_name": "netcat-openbsd",
                    "source_package_version": "1.238-1",
                    "version": "1.238-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release (from OpenBSD 7.9).",
                            "  * Refresh d/patches.",
                            "  * Update Standards-Version to 4.7.4 (no changes necessary).",
                            ""
                        ],
                        "package": "netcat-openbsd",
                        "version": "1.238-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guilhem Moulin <guilhem@debian.org>",
                        "date": "Tue, 19 May 2026 16:00:51 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nicolas Le Cam ]",
                            "  * Add ability to override Makefile LIBS variable.",
                            "",
                            "  [ Guilhem Moulin ]",
                            "  * Refresh d/patches to fix FTBFS.",
                            "  * d/README.source: Set $NETCAT_VERSION to the highest version number among",
                            "    all source files.",
                            "  * d/p/set-TCP-MD5SIG-correctly-for-client-connections.patch: Fix buffer",
                            "    overread in set_common_sockopts().",
                            "  * d/copyright: Update Source URL. (Closes: #1129576)",
                            "  * d/control: Remove `Rules-Requires-Root: no`.",
                            "  * Update Standards-Version to 4.7.3 (no changes necessary).",
                            ""
                        ],
                        "package": "netcat-openbsd",
                        "version": "1.234-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guilhem Moulin <guilhem@debian.org>",
                        "date": "Tue, 03 Mar 2026 11:50:24 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "netplan-generator",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2-1ubuntu5",
                    "version": "1.2-1ubuntu5"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2.1-1ubuntu1",
                    "version": "1.2.1-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2153219,
                    2137640,
                    2139598,
                    2138802,
                    2071747,
                    2145061,
                    2147446
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2153219). Remaining changes:",
                            "    - Skip test_link_offloading to allow for a green baseline (LP 2126938)",
                            "      + d/p/lp-2126938-skip-test-link-offloading.patch",
                            "  * Dropped:",
                            "    - d/p/lp-2138802-BlockingIOError-py314.patch: fix \"netplan try\" with python",
                            "      3.14 by handling BlockingIOError in addition to TypeError (LP 2138802)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - debian/patches/lp2139598-execute-udev-rules-before-sriov-apply-service.patch:",
                            "      execute udev rules before starting sriov apply service (LP 2139598)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/lp2071747-unresolvable-network-cycle.patch: fix network ordering cycle",
                            "      (LP 2071747)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/lp2145061-wpa-supplicant-requires-netplan-configure.patch: add",
                            "      Requires=/After= dependency on netplan-configure.service to wpa supplicant",
                            "      units. (LP 2145061)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/lp2147446-state-label-DHCPv4-using-networkd-ConfigSource.patch: use",
                            "      networkd to apply dhcp labels to addresses (LP 2147446).",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/tests-only-consider-netplan-generated-files.patch: skip checking file",
                            "      permissions for files not managed by netplan in integration tests.",
                            "      [Included in Debian 1.2.1-1]",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2153219
                        ],
                        "author": "Guilherme Puida Moreira <guilherme.moreira@canonical.com>",
                        "date": "Thu, 21 May 2026 16:24:14 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Lukas Märdian ]",
                            "  * New upstream release: 1.2.1",
                            "    - Fix generate.py to properly handle --root-dir (LP: #2137640)",
                            "    - Use io.StringIO() instead of tempfile.TemporaryFile()",
                            "  * Avoid race condition in SR-IOV setup (LP: #2139598)",
                            "    - d/p/0002-generate-sriov-execute-udev-rules-before-starting-sr.patch",
                            "  * d/gbp.conf: Update to debian/latest (DEP-14)",
                            "  * d/p/0002-*: Drop root-dir patch (applied in 1.2.1)",
                            "",
                            "  [ Andreas Hasenack ]",
                            "  * d/p/lp-2138802-BlockingIOError-py314.patch: fix \"netplan try\" with",
                            "    python 3.14 by handling BlockingIOError in addition to TypeError",
                            "    (LP: #2138802)",
                            "",
                            "  [ Guilherme Puida Moreira ]",
                            "  * d/p/lp2071747-unresolvable-network-cycle.patch.",
                            "    Order service after systemd-sysusers.service to fix network cycle",
                            "    (LP: #2071747)",
                            "  * d/p/lp2145061-wpa-supplicant-requires-netplan-configure.patch (LP: #2145061)",
                            "  * d/p/tests-only-consider-netplan-generated-files.patch",
                            "  * d/p/lp2147446-state-label-DHCPv4-using-networkd-ConfigSource.patch",
                            "    (LP: #2147446)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2137640,
                            2139598,
                            2138802,
                            2071747,
                            2145061,
                            2147446
                        ],
                        "author": "Lukas Märdian <slyon@debian.org>",
                        "date": "Wed, 13 May 2026 21:43:12 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "netplan.io",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2-1ubuntu5",
                    "version": "1.2-1ubuntu5"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2.1-1ubuntu1",
                    "version": "1.2.1-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2153219,
                    2137640,
                    2139598,
                    2138802,
                    2071747,
                    2145061,
                    2147446
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2153219). Remaining changes:",
                            "    - Skip test_link_offloading to allow for a green baseline (LP 2126938)",
                            "      + d/p/lp-2126938-skip-test-link-offloading.patch",
                            "  * Dropped:",
                            "    - d/p/lp-2138802-BlockingIOError-py314.patch: fix \"netplan try\" with python",
                            "      3.14 by handling BlockingIOError in addition to TypeError (LP 2138802)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - debian/patches/lp2139598-execute-udev-rules-before-sriov-apply-service.patch:",
                            "      execute udev rules before starting sriov apply service (LP 2139598)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/lp2071747-unresolvable-network-cycle.patch: fix network ordering cycle",
                            "      (LP 2071747)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/lp2145061-wpa-supplicant-requires-netplan-configure.patch: add",
                            "      Requires=/After= dependency on netplan-configure.service to wpa supplicant",
                            "      units. (LP 2145061)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/lp2147446-state-label-DHCPv4-using-networkd-ConfigSource.patch: use",
                            "      networkd to apply dhcp labels to addresses (LP 2147446).",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/tests-only-consider-netplan-generated-files.patch: skip checking file",
                            "      permissions for files not managed by netplan in integration tests.",
                            "      [Included in Debian 1.2.1-1]",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2153219
                        ],
                        "author": "Guilherme Puida Moreira <guilherme.moreira@canonical.com>",
                        "date": "Thu, 21 May 2026 16:24:14 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Lukas Märdian ]",
                            "  * New upstream release: 1.2.1",
                            "    - Fix generate.py to properly handle --root-dir (LP: #2137640)",
                            "    - Use io.StringIO() instead of tempfile.TemporaryFile()",
                            "  * Avoid race condition in SR-IOV setup (LP: #2139598)",
                            "    - d/p/0002-generate-sriov-execute-udev-rules-before-starting-sr.patch",
                            "  * d/gbp.conf: Update to debian/latest (DEP-14)",
                            "  * d/p/0002-*: Drop root-dir patch (applied in 1.2.1)",
                            "",
                            "  [ Andreas Hasenack ]",
                            "  * d/p/lp-2138802-BlockingIOError-py314.patch: fix \"netplan try\" with",
                            "    python 3.14 by handling BlockingIOError in addition to TypeError",
                            "    (LP: #2138802)",
                            "",
                            "  [ Guilherme Puida Moreira ]",
                            "  * d/p/lp2071747-unresolvable-network-cycle.patch.",
                            "    Order service after systemd-sysusers.service to fix network cycle",
                            "    (LP: #2071747)",
                            "  * d/p/lp2145061-wpa-supplicant-requires-netplan-configure.patch (LP: #2145061)",
                            "  * d/p/tests-only-consider-netplan-generated-files.patch",
                            "  * d/p/lp2147446-state-label-DHCPv4-using-networkd-ConfigSource.patch",
                            "    (LP: #2147446)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2137640,
                            2139598,
                            2138802,
                            2071747,
                            2145061,
                            2147446
                        ],
                        "author": "Lukas Märdian <slyon@debian.org>",
                        "date": "Wed, 13 May 2026 21:43:12 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "pci.ids",
                "from_version": {
                    "source_package_name": "pci.ids",
                    "source_package_version": "0.0~2026.02.12-1",
                    "version": "0.0~2026.02.12-1"
                },
                "to_version": {
                    "source_package_name": "pci.ids",
                    "source_package_version": "0.0~2026.05.30-1",
                    "version": "0.0~2026.05.30-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            ""
                        ],
                        "package": "pci.ids",
                        "version": "0.0~2026.05.30-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Sat, 30 May 2026 14:36:05 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            ""
                        ],
                        "package": "pci.ids",
                        "version": "0.0~2026.05.16-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Sat, 16 May 2026 13:55:28 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            ""
                        ],
                        "package": "pci.ids",
                        "version": "0.0~2026.05.12-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Tue, 12 May 2026 05:52:29 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            ""
                        ],
                        "package": "pci.ids",
                        "version": "0.0~2026.04.24-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Sun, 26 Apr 2026 18:56:20 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            ""
                        ],
                        "package": "pci.ids",
                        "version": "0.0~2026.04.09-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Sat, 11 Apr 2026 12:44:38 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Switch to Standards-Version 4.7.4 (no changes needed).",
                            ""
                        ],
                        "package": "pci.ids",
                        "version": "0.0~2026.04.01-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Wed, 01 Apr 2026 13:49:00 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            ""
                        ],
                        "package": "pci.ids",
                        "version": "0.0~2026.03.28-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Sat, 28 Mar 2026 17:50:17 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            ""
                        ],
                        "package": "pci.ids",
                        "version": "0.0~2026.03.16-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Mon, 16 Mar 2026 09:57:39 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            ""
                        ],
                        "package": "pci.ids",
                        "version": "0.0~2026.03.08-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Sun, 08 Mar 2026 03:45:15 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Remove lintian overrides that no longer get emitted.",
                            ""
                        ],
                        "package": "pci.ids",
                        "version": "0.0~2026.02.21-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Sat, 21 Feb 2026 03:32:02 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "polkitd",
                "from_version": {
                    "source_package_name": "policykit-1",
                    "source_package_version": "127-2ubuntu1",
                    "version": "127-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "policykit-1",
                    "source_package_version": "127-3",
                    "version": "127-3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-4897",
                        "url": "https://ubuntu.com/security/CVE-2026-4897",
                        "cve_description": "A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-26 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-4897",
                                "url": "https://ubuntu.com/security/CVE-2026-4897",
                                "cve_description": "A flaw was found in polkit. A local user can exploit this by providing a specially crafted, excessively long input to the `polkit-agent-helper-1` setuid binary via standard input (stdin). This unbounded input can lead to an out-of-memory (OOM) condition, resulting in a Denial of Service (DoS) for the system.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-26 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Team upload.",
                            "",
                            "  [ Simon McVittie ]",
                            "  * Re-word previous changelog entry, fixing an incorrect wrong bug number",
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Add build dependency on docbook-xml",
                            "",
                            "  [ Andreas Henriksson ]",
                            "  * CVE-2026-4897: getline string overflow (Closes: #1132234)",
                            "  * Switch build-dependency to libselinux-dev",
                            ""
                        ],
                        "package": "policykit-1",
                        "version": "127-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andreas Henriksson <andreas@fatal.se>",
                        "date": "Mon, 27 Apr 2026 16:30:49 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "publicsuffix",
                "from_version": {
                    "source_package_name": "publicsuffix",
                    "source_package_version": "20260129.1928-1",
                    "version": "20260129.1928-1"
                },
                "to_version": {
                    "source_package_name": "publicsuffix",
                    "source_package_version": "20260428.1050-1",
                    "version": "20260428.1050-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * new upstream version",
                            "  * d/control: raise Standards-Version to 4.7.4",
                            ""
                        ],
                        "package": "publicsuffix",
                        "version": "20260428.1050-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Florian Ernst <florian@debian.org>",
                        "date": "Tue, 28 Apr 2026 16:13:13 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * new upstream version",
                            ""
                        ],
                        "package": "publicsuffix",
                        "version": "20260309.0823-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Florian Ernst <florian@debian.org>",
                        "date": "Sat, 14 Mar 2026 16:35:55 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-netplan",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2-1ubuntu5",
                    "version": "1.2-1ubuntu5"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2.1-1ubuntu1",
                    "version": "1.2.1-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2153219,
                    2137640,
                    2139598,
                    2138802,
                    2071747,
                    2145061,
                    2147446
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2153219). Remaining changes:",
                            "    - Skip test_link_offloading to allow for a green baseline (LP 2126938)",
                            "      + d/p/lp-2126938-skip-test-link-offloading.patch",
                            "  * Dropped:",
                            "    - d/p/lp-2138802-BlockingIOError-py314.patch: fix \"netplan try\" with python",
                            "      3.14 by handling BlockingIOError in addition to TypeError (LP 2138802)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - debian/patches/lp2139598-execute-udev-rules-before-sriov-apply-service.patch:",
                            "      execute udev rules before starting sriov apply service (LP 2139598)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/lp2071747-unresolvable-network-cycle.patch: fix network ordering cycle",
                            "      (LP 2071747)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/lp2145061-wpa-supplicant-requires-netplan-configure.patch: add",
                            "      Requires=/After= dependency on netplan-configure.service to wpa supplicant",
                            "      units. (LP 2145061)",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/lp2147446-state-label-DHCPv4-using-networkd-ConfigSource.patch: use",
                            "      networkd to apply dhcp labels to addresses (LP 2147446).",
                            "      [Included in Debian 1.2.1-1]",
                            "    - d/p/tests-only-consider-netplan-generated-files.patch: skip checking file",
                            "      permissions for files not managed by netplan in integration tests.",
                            "      [Included in Debian 1.2.1-1]",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2153219
                        ],
                        "author": "Guilherme Puida Moreira <guilherme.moreira@canonical.com>",
                        "date": "Thu, 21 May 2026 16:24:14 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Lukas Märdian ]",
                            "  * New upstream release: 1.2.1",
                            "    - Fix generate.py to properly handle --root-dir (LP: #2137640)",
                            "    - Use io.StringIO() instead of tempfile.TemporaryFile()",
                            "  * Avoid race condition in SR-IOV setup (LP: #2139598)",
                            "    - d/p/0002-generate-sriov-execute-udev-rules-before-starting-sr.patch",
                            "  * d/gbp.conf: Update to debian/latest (DEP-14)",
                            "  * d/p/0002-*: Drop root-dir patch (applied in 1.2.1)",
                            "",
                            "  [ Andreas Hasenack ]",
                            "  * d/p/lp-2138802-BlockingIOError-py314.patch: fix \"netplan try\" with",
                            "    python 3.14 by handling BlockingIOError in addition to TypeError",
                            "    (LP: #2138802)",
                            "",
                            "  [ Guilherme Puida Moreira ]",
                            "  * d/p/lp2071747-unresolvable-network-cycle.patch.",
                            "    Order service after systemd-sysusers.service to fix network cycle",
                            "    (LP: #2071747)",
                            "  * d/p/lp2145061-wpa-supplicant-requires-netplan-configure.patch (LP: #2145061)",
                            "  * d/p/tests-only-consider-netplan-generated-files.patch",
                            "  * d/p/lp2147446-state-label-DHCPv4-using-networkd-ConfigSource.patch",
                            "    (LP: #2147446)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2137640,
                            2139598,
                            2138802,
                            2071747,
                            2145061,
                            2147446
                        ],
                        "author": "Lukas Märdian <slyon@debian.org>",
                        "date": "Wed, 13 May 2026 21:43:12 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "screen",
                "from_version": {
                    "source_package_name": "screen",
                    "source_package_version": "4.9.1-3ubuntu2",
                    "version": "4.9.1-3ubuntu2"
                },
                "to_version": {
                    "source_package_name": "screen",
                    "source_package_version": "5.0.1-2",
                    "version": "5.0.1-2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-4680",
                        "url": "https://ubuntu.com/security/CVE-2025-4680",
                        "cve_description": "",
                        "cve_priority": "n/a",
                        "cve_public_date": ""
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Peter Dey ]",
                            "  * Fix regression of #51088 - socket dir should be in /run/screen",
                            "  * Set Priority to optional to match archive override (Closes: #1134768)",
                            "  * Keep -Q @windows output off the attached display (Closes: #702659)",
                            "  * Restore the value of defflow after (re-)attachment (Closes: #859313)",
                            "  * Fix input handling on big-endian systems (Closes: #1135587)",
                            "  * Documentation fixes to keep lintian happy",
                            "",
                            "  [ Otto Kekäläinen ]",
                            "  * Bump Debian Policy version to 4.7.4",
                            "  * Update d/copyright to include recent contributors",
                            "  * Add myself and Peter Dey as uploader, and remove inactive old uploader",
                            ""
                        ],
                        "package": "screen",
                        "version": "5.0.1-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Otto Kekäläinen <otto@debian.org>",
                        "date": "Sat, 16 May 2026 00:00:00 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Non-maintainer upload.",
                            "  * Add an explicit --disable-pam for the udeb build (the counterpart of",
                            "    --enable-pam for the normal build) to avoid picking up a dependency on",
                            "    PAM, which would make screen-udeb non-installable (Closes: #1134429).",
                            ""
                        ],
                        "package": "screen",
                        "version": "5.0.1-1.1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Cyril Brulebois <kibi@debian.org>",
                        "date": "Tue, 21 Apr 2026 22:53:59 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-4680",
                                "url": "https://ubuntu.com/security/CVE-2025-4680",
                                "cve_description": "",
                                "cve_priority": "n/a",
                                "cve_public_date": ""
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream release 5.0.0.",
                            "    + Adds truecolor support (\"truecolor [on|off]\").",
                            "    + Adds multi-window input (multiinput).",
                            "    + Makes the status bar movable (status [top|up|down|bottom] [left|right]).",
                            "    + Introduces password protection (auth [on|off]).",
                            "  * New upstream release 5.0.1.",
                            "    + Rolls in the fixes for CVE-2025-46802, CVE-2025-46803, CVE-2025-46804 and CVE-2025-46805 and refreshes the release key block.",
                            "  * Drop temporary CVE patches and 63-add-utempter-switch/65-wcwidth since",
                            "    now in upstream.",
                            "  * Configure with --disable-utmp instead of using 03disable-utmp patch;",
                            "    preserving the behaviour requested in #1104514",
                            "  * Drop the deflogin/login keybindings from /etc/screenrc since",
                            "    --disable-utmp removes those commands and the warnings upset autopkgtests.",
                            "  * Add 83_escape-opensuse-texinfo.patch so texinfo 7 can build the manual.",
                            "  * Add 90-include-pty-header-when-openpty.patch to make the glibc build",
                            "    succeed with -Werror=implicit-function-declaration",
                            "  * Keep out-of-tree builds working by adding $(srcdir) to CPPFLAGS in Makefile",
                            "    (91-use-srcdir-in-cppflags.patch)",
                            "  * Add 92-preserve-utf8-combining.patch to preserve UTF-8 combining",
                            "    sequences on UTF-8 displays (also autopkgtest passes)",
                            "  * Add 93-mousetrack-texinfo-fix.patch to enable builds on Ubuntu focal",
                            "    (syntax error on older Texinfo versions)",
                            "  * \"screen -Q windows\" now needs a format string - update autopkgtests",
                            "  * Add 84-rendition-bell-hardstatus-width.patch to keep %w/%Lw rendition",
                            "    values at uint64_t width so style/colour bits are preserved",
                            "  * Refresh upstream metadata URLs for the screen-v5 branch.",
                            "  * Update debian/NEWS for the 5.0.1 command changes.",
                            ""
                        ],
                        "package": "screen",
                        "version": "5.0.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Peter Dey <debian@realmtech.net>",
                        "date": "Mon, 30 Mar 2026 10:00:00 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Non-maintainer upload.",
                            "  * Build with -std=gnu17 to work around FTBFS with GCC 15.",
                            "    (Closes: #1097862)",
                            "  * Build-Depends: libcrypt-dev. (Closes: #1106961)",
                            ""
                        ],
                        "package": "screen",
                        "version": "4.9.1-3.1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Adrian Bunk <bunk@debian.org>",
                        "date": "Mon, 05 Jan 2026 23:09:23 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "sg3-utils",
                "from_version": {
                    "source_package_name": "sg3-utils",
                    "source_package_version": "1.48-3ubuntu3",
                    "version": "1.48-3ubuntu3"
                },
                "to_version": {
                    "source_package_name": "sg3-utils",
                    "source_package_version": "1.48-3ubuntu4",
                    "version": "1.48-3ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2152092
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/lp2152092-sg_wr_mode-fix-contents-and-cfile=-handling: fix",
                            "    command-line argument handling for --contents and --cfile in sg_wr_mode",
                            "    (LP: #2152092)",
                            ""
                        ],
                        "package": "sg3-utils",
                        "version": "1.48-3ubuntu4",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2152092
                        ],
                        "author": "Guilherme Puida Moreira <guilherme.moreira@canonical.com>",
                        "date": "Thu, 21 May 2026 14:38:58 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "sg3-utils-udev",
                "from_version": {
                    "source_package_name": "sg3-utils",
                    "source_package_version": "1.48-3ubuntu3",
                    "version": "1.48-3ubuntu3"
                },
                "to_version": {
                    "source_package_name": "sg3-utils",
                    "source_package_version": "1.48-3ubuntu4",
                    "version": "1.48-3ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2152092
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/lp2152092-sg_wr_mode-fix-contents-and-cfile=-handling: fix",
                            "    command-line argument handling for --contents and --cfile in sg_wr_mode",
                            "    (LP: #2152092)",
                            ""
                        ],
                        "package": "sg3-utils",
                        "version": "1.48-3ubuntu4",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2152092
                        ],
                        "author": "Guilherme Puida Moreira <guilherme.moreira@canonical.com>",
                        "date": "Thu, 21 May 2026 14:38:58 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "time",
                "from_version": {
                    "source_package_name": "time",
                    "source_package_version": "1.9-0.4",
                    "version": "1.9-0.4"
                },
                "to_version": {
                    "source_package_name": "time",
                    "source_package_version": "1.10-0.1",
                    "version": "1.10-0.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Non-maintainer upload",
                            "  * New upstream version 1.10 (Closes: #1134001)",
                            "  * Remove obsolete debian/time.{info,html}",
                            "  * Drop time-include-time_h.patch (fixed upstream)",
                            "  * Add d/u/signing-key and make d/watch use it",
                            "  * Add d/u/metadata",
                            "  * Drop ftbfs_with_GCC-15.patch (fixed upstream)",
                            "  * Standards-Version: 4.7.4",
                            "  * Enable hardening (hardening-no-bindnow)",
                            "  * Silence lintian copyright-refers-to-symlink-license",
                            "  * Silence lintian insecure-copyright-format-uri",
                            "  * Silence lintian trailing-whitespace for d/changelog",
                            "  * Refresh option-p-texi.patch to forwarded variant",
                            "  * Doc fix recursiveness (Closes: #813329)",
                            "  * Add patch to fix license-problem-gfdl-non-official-text",
                            "  * Drop 0001-doc-time.texi.patch (fixed upstream)",
                            ""
                        ],
                        "package": "time",
                        "version": "1.10-0.1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon Josefsson <simon@josefsson.org>",
                        "date": "Fri, 17 Apr 2026 11:30:09 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tzdata",
                "from_version": {
                    "source_package_name": "tzdata",
                    "source_package_version": "2026a-3ubuntu1",
                    "version": "2026a-3ubuntu1"
                },
                "to_version": {
                    "source_package_name": "tzdata",
                    "source_package_version": "2026b-1ubuntu1",
                    "version": "2026b-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2153365
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2153365). Remaining changes:",
                            "    - Ship 2026a ICU timezone data which are utilized by PHP in tzdata-icu",
                            "    - Add autopkgtest test case for ICU timezone data",
                            "    - Point Vcs-Browser/Git to Launchpad",
                            "    - Declare breaking rust-coreutils before version 0.5.0",
                            ""
                        ],
                        "package": "tzdata",
                        "version": "2026b-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2153365
                        ],
                        "author": "Nadzeya Hutsko <nadzeya.hutsko@canonical.com>",
                        "date": "Mon, 25 May 2026 22:09:08 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 2026b:",
                            "    - British Columbia moved to permanent -07 on 2026-03-09, so it will not",
                            "      fall back from -07 to -08 on 2026-11-01.",
                            "  * Add autopkgtest test case for 2026b release",
                            ""
                        ],
                        "package": "tzdata",
                        "version": "2026b-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Thu, 23 Apr 2026 23:18:35 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4",
                    "version": "2:9.1.2141-1ubuntu4"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.2.0461-1ubuntu1",
                    "version": "2:9.2.0461-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-44656",
                        "url": "https://ubuntu.com/security/CVE-2026-44656",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45130",
                        "url": "https://ubuntu.com/security/CVE-2026-45130",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-26269",
                        "url": "https://ubuntu.com/security/CVE-2026-26269",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-13 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28420",
                        "url": "https://ubuntu.com/security/CVE-2026-28420",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28422",
                        "url": "https://ubuntu.com/security/CVE-2026-28422",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28417",
                        "url": "https://ubuntu.com/security/CVE-2026-28417",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28418",
                        "url": "https://ubuntu.com/security/CVE-2026-28418",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28419",
                        "url": "https://ubuntu.com/security/CVE-2026-28419",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28421",
                        "url": "https://ubuntu.com/security/CVE-2026-28421",
                        "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-32249",
                        "url": "https://ubuntu.com/security/CVE-2026-32249",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-33412",
                        "url": "https://ubuntu.com/security/CVE-2026-33412",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-24 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34714",
                        "url": "https://ubuntu.com/security/CVE-2026-34714",
                        "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-30 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34982",
                        "url": "https://ubuntu.com/security/CVE-2026-34982",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-41411",
                        "url": "https://ubuntu.com/security/CVE-2026-41411",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-39881",
                        "url": "https://ubuntu.com/security/CVE-2026-39881",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-08 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34714",
                        "url": "https://ubuntu.com/security/CVE-2026-34714",
                        "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-30 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34982",
                        "url": "https://ubuntu.com/security/CVE-2026-34982",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-32249",
                        "url": "https://ubuntu.com/security/CVE-2026-32249",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-33412",
                        "url": "https://ubuntu.com/security/CVE-2026-33412",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-24 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-26269",
                        "url": "https://ubuntu.com/security/CVE-2026-26269",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-13 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28417",
                        "url": "https://ubuntu.com/security/CVE-2026-28417",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28418",
                        "url": "https://ubuntu.com/security/CVE-2026-28418",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based out-of-bounds read (buffer over-read) exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28419",
                        "url": "https://ubuntu.com/security/CVE-2026-28419",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28420",
                        "url": "https://ubuntu.com/security/CVE-2026-28420",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28421",
                        "url": "https://ubuntu.com/security/CVE-2026-28421",
                        "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28422",
                        "url": "https://ubuntu.com/security/CVE-2026-28422",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142681,
                    2142221,
                    2142681
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - d/p/0001-fix-flaky-terminal-mode-test.vim:",
                            "      Fix flaky Vim terminal mode test",
                            "    - d/p/0002-disable-failing-tests-on-ppc64.patch:",
                            "      Disable some tests that were failing during build on",
                            "      ppc64el. The tests are only disabled when building on ppc64el.",
                            "    - d/p/0003-skip-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - d/p/increase_timeout.diff: Increase timeout",
                            "      for the Test_pattern_compile_speed patch.",
                            "    - d/p/debian/ubuntu-grub-syntax.patch:",
                            "      Add Ubuntu-specific \"quiet\" keyword.",
                            "    - d/runtime/vimrc: \"syntax on\" is a sane default for non-tiny Vim.",
                            "    - d/p/disable-test-term-gettty.patch: disable a test",
                            "      which was failing due to changes outside of vim (LP: #2142681)",
                            "    - debian/patches/0004-skip-autocmd-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - debian/patches/add-stonking.patch:",
                            "      add stonking to the list of known Ubuntu releases.",
                            "    - debian/patches/flaky-visual-block-test.patch:",
                            "      skip flaky visual block test.",
                            "    - debian/patches/flaky-statusline-test.patch:",
                            "      skip flaky statusline test.",
                            "  * Drop changes:",
                            "    - debian/patches/flaky-screendump-test.patch: upstream",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0461-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2142681
                        ],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Thu, 14 May 2026 15:24:42 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-44656",
                                "url": "https://ubuntu.com/security/CVE-2026-44656",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45130",
                                "url": "https://ubuntu.com/security/CVE-2026-45130",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 23:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0435: backticks in 'path' may cause shell execution on completion",
                            "        (Closes: #1136086, CVE-2026-44656)",
                            "      - 9.2.0450: heap buffer overflow in spellfile SN_COMPOUND handling",
                            "        (Closes: #1136097, CVE-2026-45130)",
                            "    + syntax/autopkgtest.vim: Fix typos in breaks-testbed, build-needed, and",
                            "      hint-testsuite-triggers. Mark skip-not-installable as deprecated.",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0461-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 09 May 2026 19:41:43 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26269",
                                "url": "https://ubuntu.com/security/CVE-2026-26269",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-13 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28420",
                                "url": "https://ubuntu.com/security/CVE-2026-28420",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28422",
                                "url": "https://ubuntu.com/security/CVE-2026-28422",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28417",
                                "url": "https://ubuntu.com/security/CVE-2026-28417",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28418",
                                "url": "https://ubuntu.com/security/CVE-2026-28418",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based out-of-bounds read (buffer over-read) exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28419",
                                "url": "https://ubuntu.com/security/CVE-2026-28419",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28421",
                                "url": "https://ubuntu.com/security/CVE-2026-28421",
                                "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-32249",
                                "url": "https://ubuntu.com/security/CVE-2026-32249",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-33412",
                                "url": "https://ubuntu.com/security/CVE-2026-33412",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-24 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34714",
                                "url": "https://ubuntu.com/security/CVE-2026-34714",
                                "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-30 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34982",
                                "url": "https://ubuntu.com/security/CVE-2026-34982",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142221). Remaining changes:",
                            "    - d/p/0001-fix-flaky-terminal-mode-test.vim:",
                            "      Fix flaky Vim terminal mode test",
                            "    - d/p/0002-disable-failing-tests-on-ppc64.patch:",
                            "      Disable some tests that were failing during build on",
                            "      ppc64el. The tests are only disabled when building on ppc64el.",
                            "    - d/p/0003-skip-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - d/p/increase_timeout.diff: Increase timeout",
                            "      for the Test_pattern_compile_speed patch.",
                            "    - d/p/debian/ubuntu-grub-syntax.patch:",
                            "      Add Ubuntu-specific \"quiet\" keyword.",
                            "    - d/runtime/vimrc: \"syntax on\" is a sane default for non-tiny Vim.",
                            "    - d/p/disable-test-term-gettty.patch: disable a test",
                            "      which was failing due to changes outside of vim (LP: #2142681)",
                            "    - debian/patches/0004-skip-autocmd-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "  * Dropped changes:",
                            "    - SECURITY UPDATE: Buffer Overflow",
                            "      + debian/patches/CVE-2026-26269.patch: Limit writing to max KEYBUFLEN",
                            "      bytes to prevent writing out of bounds.",
                            "      + debian/patches/CVE-2026-28420.patch: Use VTERM_MAX_CHARS_PER_CELL   - 4",
                            "      for ga_grow() to ensure sufficient space. Add a boundary check to the",
                            "      character loop to prevent index out-of-bounds access.",
                            "      + debian/patches/CVE-2026-28422.patch: Update the size check to account",
                            "      for the byte length of the fill character (using MB_CHAR2LEN).",
                            "      + CVE-2026-26269",
                            "      + CVE-2026-28420",
                            "      + CVE-2026-28422",
                            "    - SECURITY UPDATE: Command Injection",
                            "      + debian/patches/CVE-2026-28417.patch: Implement stricter RFC1123",
                            "      hostname and IP validation. Use shellescape() for the provided",
                            "      hostname and port.",
                            "      + debian/patches/fix-test_plugin_netrw-tests.patch: Add missing",
                            "      function TestNetrwCaptureRemotePath",
                            "      + CVE-2026-28417",
                            "    - SECURITY UPDATE: Out of Bounds Read",
                            "      + debian/patches/CVE-2026-28418.patch: Check for end of buffer",
                            "      and return early.",
                            "      + CVE-2026-28418",
                            "    - SECURITY UPDATE: Buffer Underflow",
                            "      + debian/patches/CVE-2026-28419.patch: Add a check to ensure the",
                            "      delimiter (p_7f) is not at the start of the buffer (lbuf) before",
                            "      attempting to isolate the tag name.",
                            "      + CVE-2026-28419",
                            "    - SECURITY UPDATE: Denial of Service",
                            "      + debian/patches/CVE-2026-28421.patch: Add bounds checks on",
                            "      pe_page_count and pe_bnum against mf_blocknr_max before descending",
                            "      into the block tree, and validate pe_old_lnum >= 1 and",
                            "      pe_line_count > 0 before calling readfile().",
                            "      + CVE-2026-28421",
                            "    - SECURITY UPDATE: NULL pointer dereference in the NFA regex engine.",
                            "      + debian/patches/CVE-2026-32249.patch: Add range_endpoint and if checks",
                            "      in src/regexp_nfa.c. Add tests in src/testdir/test_regexp_utf8.vim.",
                            "      + CVE-2026-32249",
                            "    - SECURITY UPDATE: Command injection in glob.",
                            "      + debian/patches/CVE-2026-33412.patch: Add newline to SHELL_SPECIAL in",
                            "      src/os_unix.c.",
                            "      + CVE-2026-33412",
                            "    - SECURITY UPDATE: Command injection in tabpanel.",
                            "      + debian/patches/CVE-2026-34714.patch: Add check_restricted check_secure",
                            "      if check in src/autocmd.c. Add P_MLE in src/optiondefs.h. Add tests in",
                            "      src/testdir/test_autocmd.vim and src/testdir/test_tabpanel.vim.",
                            "      + CVE-2026-34714",
                            "    - SECURITY UPDATE: Command injection in modeline.",
                            "      + debian/patches/CVE-2026-34982.patch: Add check_secure in src/map.c. Add",
                            "      P_MLE in src/optiondefs.h. Add tests in src/testdir/test_modeline.vim.",
                            "      + debian/patches/CVE-2026-34982-post1.patch: Remove failing test and add",
                            "      more s:modeline_fails in src/testdir/test_modeline.vim.",
                            "      + CVE-2026-34982",
                            "  * Add add-stonking.patch to add stonking to the list of known Ubuntu releases.",
                            "  * Add flaky-screendump-test.patch to fix flaky screendump test.",
                            "  * Add flaky-visual-block-test.patch to skip flaky visual block test.",
                            "  * Add flaky-statusline-test.patch to skip flaky statusline test.",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0428-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2142221,
                            2142681
                        ],
                        "author": "Simon Quigley <tsimonq2@debian.org>",
                        "date": "Tue, 05 May 2026 10:23:56 -0500"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-41411",
                                "url": "https://ubuntu.com/security/CVE-2026-41411",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0357: command injection via backticks in tag files (Closes:",
                            "        #1134906, CVE-2026-41411)",
                            "  * Remove xdg-shell.xml and primary-selection-unstable-v1.xml entries from",
                            "    d/copyright",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0428-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 02 May 2026 10:39:07 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + 9.2.0350: New 'modelinestrict' option, enabled by default, to limit",
                            "      which options can be set in modelines.",
                            "  * Remove documentation patch about Debian disabling modeline option",
                            "  * Remove \"set nomodeline\" from debian.vim",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0355-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Thu, 16 Apr 2026 09:10:49 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-39881",
                                "url": "https://ubuntu.com/security/CVE-2026-39881",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-08 21:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0316: command injection in netbeans interface via defineAnnoType,",
                            "        CVE-2026-39881",
                            "  * Change libselinux1-dev Build-Depends to libselinux-dev",
                            "  * Change libgpmg1-dev Build-Depends to libgpm-dev",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0338-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 11 Apr 2026 20:45:13 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-34714",
                                "url": "https://ubuntu.com/security/CVE-2026-34714",
                                "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-30 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34982",
                                "url": "https://ubuntu.com/security/CVE-2026-34982",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0272: modeline security bypass for 'tabpanel' option, allowing",
                            "        expressions to be run from a modeline. (Closes: #1132447,",
                            "        CVE-2026-34714)",
                            "      - 9.2.0276: modeline security bypass for 'complete', 'guitabtooltip',",
                            "        and 'printheader' options, allowing expressions to be run from a",
                            "        modeline. (Closes: #1132450, CVE-2026-34982)",
                            "      - 9.2.0280: Fix path traversal issue in zip plugin, CVE-2026-35177",
                            "  * Remove revert of v9.1.0949, since that is now causing Vim tests to fail.",
                            "    This reopens #1091729.",
                            "  * Declare compliance with Policy 4.7.4",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0315-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Tue, 07 Apr 2026 06:44:19 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-32249",
                                "url": "https://ubuntu.com/security/CVE-2026-32249",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-33412",
                                "url": "https://ubuntu.com/security/CVE-2026-33412",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-24 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + 9.2.0168: Fix invalid pointer casting in string_convert(), causing test",
                            "      failures on big-endian systems",
                            "    + runtime/syntax/python.vim: Fix E363 error when highlighting large",
                            "      integers (Closes: #1127816)",
                            "    + Security fixes",
                            "      - 9.2.0137: crash when composing character as end of range in a regexp",
                            "        collection (Closes: #1130658, CVE-2026-32249)",
                            "      - 9.2.0202: command injection via newline in glob(), CVE-2026-33412",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0218-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 21 Mar 2026 07:38:26 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge upstream patch v9.2.0136",
                            "    + 9.2.0132: Skip Test_recover_corrupted_swap_file1 on big-endian systems",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0136-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Wed, 11 Mar 2026 11:11:47 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26269",
                                "url": "https://ubuntu.com/security/CVE-2026-26269",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-13 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28417",
                                "url": "https://ubuntu.com/security/CVE-2026-28417",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28418",
                                "url": "https://ubuntu.com/security/CVE-2026-28418",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28419",
                                "url": "https://ubuntu.com/security/CVE-2026-28419",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28420",
                                "url": "https://ubuntu.com/security/CVE-2026-28420",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28421",
                                "url": "https://ubuntu.com/security/CVE-2026-28421",
                                "cve_description": "Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28422",
                                "url": "https://ubuntu.com/security/CVE-2026-28422",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream release",
                            "    + See \":help vim-9.2\" for new features",
                            "    + Security fixes",
                            "      - 9.1.2148: buffer overflow in netbeans special_keys() handling (Closes:",
                            "        #1127930, CVE-2026-26269)",
                            "  * Merge upstream tag v9.2.0119",
                            "    + Security fixes",
                            "      - 9.2.0073: possible command injection using netrw (Closes: #1129427,",
                            "        CVE-2026-28417)",
                            "      - 9.2.0074: crash with overlong emacs tag file (Closes: #1129428,",
                            "        CVE-2026-28418)",
                            "      - 9.2.0075: buffer underflow with emacs tag file (Closes: #1129429,",
                            "        CVE-2026-28419)",
                            "      - 9.2.0076: buffer-overflow with combining characters in terminal",
                            "        handling (Closes: #1129430, CVE-2026-28420)",
                            "      - 9.2.0077: crash when recovering a corrupted swap file (Closes:",
                            "        #1129431, CVE-2026-28421)",
                            "      - 9.2.0078: stack buffer overflow when rendering a statusline with a",
                            "        multi-byte fill character on a very wide terminal (Closes: #1129432,",
                            "        CVE-2026-28422)",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0119-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Mon, 09 Mar 2026 06:50:59 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-common",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4",
                    "version": "2:9.1.2141-1ubuntu4"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.2.0461-1ubuntu1",
                    "version": "2:9.2.0461-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-44656",
                        "url": "https://ubuntu.com/security/CVE-2026-44656",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45130",
                        "url": "https://ubuntu.com/security/CVE-2026-45130",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-26269",
                        "url": "https://ubuntu.com/security/CVE-2026-26269",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-13 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28420",
                        "url": "https://ubuntu.com/security/CVE-2026-28420",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28422",
                        "url": "https://ubuntu.com/security/CVE-2026-28422",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28417",
                        "url": "https://ubuntu.com/security/CVE-2026-28417",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28418",
                        "url": "https://ubuntu.com/security/CVE-2026-28418",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28419",
                        "url": "https://ubuntu.com/security/CVE-2026-28419",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28421",
                        "url": "https://ubuntu.com/security/CVE-2026-28421",
                        "cve_description": "Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-32249",
                        "url": "https://ubuntu.com/security/CVE-2026-32249",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-33412",
                        "url": "https://ubuntu.com/security/CVE-2026-33412",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-24 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34714",
                        "url": "https://ubuntu.com/security/CVE-2026-34714",
                        "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-30 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34982",
                        "url": "https://ubuntu.com/security/CVE-2026-34982",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-41411",
                        "url": "https://ubuntu.com/security/CVE-2026-41411",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-39881",
                        "url": "https://ubuntu.com/security/CVE-2026-39881",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-08 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34714",
                        "url": "https://ubuntu.com/security/CVE-2026-34714",
                        "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-30 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34982",
                        "url": "https://ubuntu.com/security/CVE-2026-34982",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-32249",
                        "url": "https://ubuntu.com/security/CVE-2026-32249",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-33412",
                        "url": "https://ubuntu.com/security/CVE-2026-33412",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-24 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-26269",
                        "url": "https://ubuntu.com/security/CVE-2026-26269",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-13 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28417",
                        "url": "https://ubuntu.com/security/CVE-2026-28417",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28418",
                        "url": "https://ubuntu.com/security/CVE-2026-28418",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28419",
                        "url": "https://ubuntu.com/security/CVE-2026-28419",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28420",
                        "url": "https://ubuntu.com/security/CVE-2026-28420",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28421",
                        "url": "https://ubuntu.com/security/CVE-2026-28421",
                        "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28422",
                        "url": "https://ubuntu.com/security/CVE-2026-28422",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142681,
                    2142221,
                    2142681
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - d/p/0001-fix-flaky-terminal-mode-test.vim:",
                            "      Fix flaky Vim terminal mode test",
                            "    - d/p/0002-disable-failing-tests-on-ppc64.patch:",
                            "      Disable some tests that were failing during build on",
                            "      ppc64el. The tests are only disabled when building on ppc64el.",
                            "    - d/p/0003-skip-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - d/p/increase_timeout.diff: Increase timeout",
                            "      for the Test_pattern_compile_speed patch.",
                            "    - d/p/debian/ubuntu-grub-syntax.patch:",
                            "      Add Ubuntu-specific \"quiet\" keyword.",
                            "    - d/runtime/vimrc: \"syntax on\" is a sane default for non-tiny Vim.",
                            "    - d/p/disable-test-term-gettty.patch: disable a test",
                            "      which was failing due to changes outside of vim (LP: #2142681)",
                            "    - debian/patches/0004-skip-autocmd-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - debian/patches/add-stonking.patch:",
                            "      add stonking to the list of known Ubuntu releases.",
                            "    - debian/patches/flaky-visual-block-test.patch:",
                            "      skip flaky visual block test.",
                            "    - debian/patches/flaky-statusline-test.patch:",
                            "      skip flaky statusline test.",
                            "  * Drop changes:",
                            "    - debian/patches/flaky-screendump-test.patch: upstream",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0461-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2142681
                        ],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Thu, 14 May 2026 15:24:42 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-44656",
                                "url": "https://ubuntu.com/security/CVE-2026-44656",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45130",
                                "url": "https://ubuntu.com/security/CVE-2026-45130",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 23:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0435: backticks in 'path' may cause shell execution on completion",
                            "        (Closes: #1136086, CVE-2026-44656)",
                            "      - 9.2.0450: heap buffer overflow in spellfile SN_COMPOUND handling",
                            "        (Closes: #1136097, CVE-2026-45130)",
                            "    + syntax/autopkgtest.vim: Fix typos in breaks-testbed, build-needed, and",
                            "      hint-testsuite-triggers. Mark skip-not-installable as deprecated.",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0461-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 09 May 2026 19:41:43 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26269",
                                "url": "https://ubuntu.com/security/CVE-2026-26269",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-13 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28420",
                                "url": "https://ubuntu.com/security/CVE-2026-28420",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28422",
                                "url": "https://ubuntu.com/security/CVE-2026-28422",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28417",
                                "url": "https://ubuntu.com/security/CVE-2026-28417",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28418",
                                "url": "https://ubuntu.com/security/CVE-2026-28418",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28419",
                                "url": "https://ubuntu.com/security/CVE-2026-28419",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28421",
                                "url": "https://ubuntu.com/security/CVE-2026-28421",
                                "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-32249",
                                "url": "https://ubuntu.com/security/CVE-2026-32249",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-33412",
                                "url": "https://ubuntu.com/security/CVE-2026-33412",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-24 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34714",
                                "url": "https://ubuntu.com/security/CVE-2026-34714",
                                "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-30 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34982",
                                "url": "https://ubuntu.com/security/CVE-2026-34982",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142221). Remaining changes:",
                            "    - d/p/0001-fix-flaky-terminal-mode-test.vim:",
                            "      Fix flaky Vim terminal mode test",
                            "    - d/p/0002-disable-failing-tests-on-ppc64.patch:",
                            "      Disable some tests that were failing during build on",
                            "      ppc64el. The tests are only disabled when building on ppc64el.",
                            "    - d/p/0003-skip-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - d/p/increase_timeout.diff: Increase timeout",
                            "      for the Test_pattern_compile_speed patch.",
                            "    - d/p/debian/ubuntu-grub-syntax.patch:",
                            "      Add Ubuntu-specific \"quiet\" keyword.",
                            "    - d/runtime/vimrc: \"syntax on\" is a sane default for non-tiny Vim.",
                            "    - d/p/disable-test-term-gettty.patch: disable a test",
                            "      which was failing due to changes outside of vim (LP: #2142681)",
                            "    - debian/patches/0004-skip-autocmd-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "  * Dropped changes:",
                            "    - SECURITY UPDATE: Buffer Overflow",
                            "      + debian/patches/CVE-2026-26269.patch: Limit writing to max KEYBUFLEN",
                            "      bytes to prevent writing out of bounds.",
                            "      + debian/patches/CVE-2026-28420.patch: Use VTERM_MAX_CHARS_PER_CELL   - 4",
                            "      for ga_grow() to ensure sufficient space. Add a boundary check to the",
                            "      character loop to prevent index out-of-bounds access.",
                            "      + debian/patches/CVE-2026-28422.patch: Update the size check to account",
                            "      for the byte length of the fill character (using MB_CHAR2LEN).",
                            "      + CVE-2026-26269",
                            "      + CVE-2026-28420",
                            "      + CVE-2026-28422",
                            "    - SECURITY UPDATE: Command Injection",
                            "      + debian/patches/CVE-2026-28417.patch: Implement stricter RFC1123",
                            "      hostname and IP validation. Use shellescape() for the provided",
                            "      hostname and port.",
                            "      + debian/patches/fix-test_plugin_netrw-tests.patch: Add missing",
                            "      function TestNetrwCaptureRemotePath",
                            "      + CVE-2026-28417",
                            "    - SECURITY UPDATE: Out of Bounds Read",
                            "      + debian/patches/CVE-2026-28418.patch: Check for end of buffer",
                            "      and return early.",
                            "      + CVE-2026-28418",
                            "    - SECURITY UPDATE: Buffer Underflow",
                            "      + debian/patches/CVE-2026-28419.patch: Add a check to ensure the",
                            "      delimiter (p_7f) is not at the start of the buffer (lbuf) before",
                            "      attempting to isolate the tag name.",
                            "      + CVE-2026-28419",
                            "    - SECURITY UPDATE: Denial of Service",
                            "      + debian/patches/CVE-2026-28421.patch: Add bounds checks on",
                            "      pe_page_count and pe_bnum against mf_blocknr_max before descending",
                            "      into the block tree, and validate pe_old_lnum >= 1 and",
                            "      pe_line_count > 0 before calling readfile().",
                            "      + CVE-2026-28421",
                            "    - SECURITY UPDATE: NULL pointer dereference in the NFA regex engine.",
                            "      + debian/patches/CVE-2026-32249.patch: Add range_endpoint and if checks",
                            "      in src/regexp_nfa.c. Add tests in src/testdir/test_regexp_utf8.vim.",
                            "      + CVE-2026-32249",
                            "    - SECURITY UPDATE: Command injection in glob.",
                            "      + debian/patches/CVE-2026-33412.patch: Add newline to SHELL_SPECIAL in",
                            "      src/os_unix.c.",
                            "      + CVE-2026-33412",
                            "    - SECURITY UPDATE: Command injection in tabpanel.",
                            "      + debian/patches/CVE-2026-34714.patch: Add check_restricted check_secure",
                            "      if check in src/autocmd.c. Add P_MLE in src/optiondefs.h. Add tests in",
                            "      src/testdir/test_autocmd.vim and src/testdir/test_tabpanel.vim.",
                            "      + CVE-2026-34714",
                            "    - SECURITY UPDATE: Command injection in modeline.",
                            "      + debian/patches/CVE-2026-34982.patch: Add check_secure in src/map.c. Add",
                            "      P_MLE in src/optiondefs.h. Add tests in src/testdir/test_modeline.vim.",
                            "      + debian/patches/CVE-2026-34982-post1.patch: Remove failing test and add",
                            "      more s:modeline_fails in src/testdir/test_modeline.vim.",
                            "      + CVE-2026-34982",
                            "  * Add add-stonking.patch to add stonking to the list of known Ubuntu releases.",
                            "  * Add flaky-screendump-test.patch to fix flaky screendump test.",
                            "  * Add flaky-visual-block-test.patch to skip flaky visual block test.",
                            "  * Add flaky-statusline-test.patch to skip flaky statusline test.",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0428-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2142221,
                            2142681
                        ],
                        "author": "Simon Quigley <tsimonq2@debian.org>",
                        "date": "Tue, 05 May 2026 10:23:56 -0500"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-41411",
                                "url": "https://ubuntu.com/security/CVE-2026-41411",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0357: command injection via backticks in tag files (Closes:",
                            "        #1134906, CVE-2026-41411)",
                            "  * Remove xdg-shell.xml and primary-selection-unstable-v1.xml entries from",
                            "    d/copyright",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0428-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 02 May 2026 10:39:07 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + 9.2.0350: New 'modelinestrict' option, enabled by default, to limit",
                            "      which options can be set in modelines.",
                            "  * Remove documentation patch about Debian disabling modeline option",
                            "  * Remove \"set nomodeline\" from debian.vim",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0355-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Thu, 16 Apr 2026 09:10:49 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-39881",
                                "url": "https://ubuntu.com/security/CVE-2026-39881",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-08 21:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0316: command injection in netbeans interface via defineAnnoType,",
                            "        CVE-2026-39881",
                            "  * Change libselinux1-dev Build-Depends to libselinux-dev",
                            "  * Change libgpmg1-dev Build-Depends to libgpm-dev",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0338-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 11 Apr 2026 20:45:13 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-34714",
                                "url": "https://ubuntu.com/security/CVE-2026-34714",
                                "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-30 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34982",
                                "url": "https://ubuntu.com/security/CVE-2026-34982",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0272: modeline security bypass for 'tabpanel' option, allowing",
                            "        expressions to be run from a modeline. (Closes: #1132447,",
                            "        CVE-2026-34714)",
                            "      - 9.2.0276: modeline security bypass for 'complete', 'guitabtooltip',",
                            "        and 'printheader' options, allowing expressions to be run from a",
                            "        modeline. (Closes: #1132450, CVE-2026-34982)",
                            "      - 9.2.0280: Fix path traversal issue in zip plugin, CVE-2026-35177",
                            "  * Remove revert of v9.1.0949, since that is now causing Vim tests to fail.",
                            "    This reopens #1091729.",
                            "  * Declare compliance with Policy 4.7.4",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0315-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Tue, 07 Apr 2026 06:44:19 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-32249",
                                "url": "https://ubuntu.com/security/CVE-2026-32249",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-33412",
                                "url": "https://ubuntu.com/security/CVE-2026-33412",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-24 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + 9.2.0168: Fix invalid pointer casting in string_convert(), causing test",
                            "      failures on big-endian systems",
                            "    + runtime/syntax/python.vim: Fix E363 error when highlighting large",
                            "      integers (Closes: #1127816)",
                            "    + Security fixes",
                            "      - 9.2.0137: crash when composing character as end of range in a regexp",
                            "        collection (Closes: #1130658, CVE-2026-32249)",
                            "      - 9.2.0202: command injection via newline in glob(), CVE-2026-33412",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0218-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 21 Mar 2026 07:38:26 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge upstream patch v9.2.0136",
                            "    + 9.2.0132: Skip Test_recover_corrupted_swap_file1 on big-endian systems",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0136-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Wed, 11 Mar 2026 11:11:47 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26269",
                                "url": "https://ubuntu.com/security/CVE-2026-26269",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-13 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28417",
                                "url": "https://ubuntu.com/security/CVE-2026-28417",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28418",
                                "url": "https://ubuntu.com/security/CVE-2026-28418",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28419",
                                "url": "https://ubuntu.com/security/CVE-2026-28419",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28420",
                                "url": "https://ubuntu.com/security/CVE-2026-28420",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28421",
                                "url": "https://ubuntu.com/security/CVE-2026-28421",
                                "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28422",
                                "url": "https://ubuntu.com/security/CVE-2026-28422",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream release",
                            "    + See \":help vim-9.2\" for new features",
                            "    + Security fixes",
                            "      - 9.1.2148: buffer overflow in netbeans special_keys() handling (Closes:",
                            "        #1127930, CVE-2026-26269)",
                            "  * Merge upstream tag v9.2.0119",
                            "    + Security fixes",
                            "      - 9.2.0073: possible command injection using netrw (Closes: #1129427,",
                            "        CVE-2026-28417)",
                            "      - 9.2.0074: crash with overlong emacs tag file (Closes: #1129428,",
                            "        CVE-2026-28418)",
                            "      - 9.2.0075: buffer underflow with emacs tag file (Closes: #1129429,",
                            "        CVE-2026-28419)",
                            "      - 9.2.0076: buffer-overflow with combining characters in terminal",
                            "        handling (Closes: #1129430, CVE-2026-28420)",
                            "      - 9.2.0077: crash when recovering a corrupted swap file (Closes:",
                            "        #1129431, CVE-2026-28421)",
                            "      - 9.2.0078: stack buffer overflow when rendering a statusline with a",
                            "        multi-byte fill character on a very wide terminal (Closes: #1129432,",
                            "        CVE-2026-28422)",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0119-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Mon, 09 Mar 2026 06:50:59 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-runtime",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4",
                    "version": "2:9.1.2141-1ubuntu4"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.2.0461-1ubuntu1",
                    "version": "2:9.2.0461-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-44656",
                        "url": "https://ubuntu.com/security/CVE-2026-44656",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45130",
                        "url": "https://ubuntu.com/security/CVE-2026-45130",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-26269",
                        "url": "https://ubuntu.com/security/CVE-2026-26269",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-13 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28420",
                        "url": "https://ubuntu.com/security/CVE-2026-28420",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28422",
                        "url": "https://ubuntu.com/security/CVE-2026-28422",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28417",
                        "url": "https://ubuntu.com/security/CVE-2026-28417",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28418",
                        "url": "https://ubuntu.com/security/CVE-2026-28418",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28419",
                        "url": "https://ubuntu.com/security/CVE-2026-28419",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28421",
                        "url": "https://ubuntu.com/security/CVE-2026-28421",
                        "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-32249",
                        "url": "https://ubuntu.com/security/CVE-2026-32249",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-33412",
                        "url": "https://ubuntu.com/security/CVE-2026-33412",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-24 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34714",
                        "url": "https://ubuntu.com/security/CVE-2026-34714",
                        "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-30 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34982",
                        "url": "https://ubuntu.com/security/CVE-2026-34982",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing expressions in those options to be run from a modeline. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-41411",
                        "url": "https://ubuntu.com/security/CVE-2026-41411",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-39881",
                        "url": "https://ubuntu.com/security/CVE-2026-39881",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-08 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34714",
                        "url": "https://ubuntu.com/security/CVE-2026-34714",
                        "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-30 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34982",
                        "url": "https://ubuntu.com/security/CVE-2026-34982",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing expressions in those options to be run from a modeline. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-32249",
                        "url": "https://ubuntu.com/security/CVE-2026-32249",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-33412",
                        "url": "https://ubuntu.com/security/CVE-2026-33412",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-24 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-26269",
                        "url": "https://ubuntu.com/security/CVE-2026-26269",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-13 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28417",
                        "url": "https://ubuntu.com/security/CVE-2026-28417",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28418",
                        "url": "https://ubuntu.com/security/CVE-2026-28418",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28419",
                        "url": "https://ubuntu.com/security/CVE-2026-28419",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28420",
                        "url": "https://ubuntu.com/security/CVE-2026-28420",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28421",
                        "url": "https://ubuntu.com/security/CVE-2026-28421",
                        "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28422",
                        "url": "https://ubuntu.com/security/CVE-2026-28422",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142681,
                    2142221,
                    2142681
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - d/p/0001-fix-flaky-terminal-mode-test.vim:",
                            "      Fix flaky Vim terminal mode test",
                            "    - d/p/0002-disable-failing-tests-on-ppc64.patch:",
                            "      Disable some tests that were failing during build on",
                            "      ppc64el. The tests are only disabled when building on ppc64el.",
                            "    - d/p/0003-skip-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - d/p/increase_timeout.diff: Increase timeout",
                            "      for the Test_pattern_compile_speed patch.",
                            "    - d/p/debian/ubuntu-grub-syntax.patch:",
                            "      Add Ubuntu-specific \"quiet\" keyword.",
                            "    - d/runtime/vimrc: \"syntax on\" is a sane default for non-tiny Vim.",
                            "    - d/p/disable-test-term-gettty.patch: disable a test",
                            "      which was failing due to changes outside of vim (LP: #2142681)",
                            "    - debian/patches/0004-skip-autocmd-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - debian/patches/add-stonking.patch:",
                            "      add stonking to the list of known Ubuntu releases.",
                            "    - debian/patches/flaky-visual-block-test.patch:",
                            "      skip flaky visual block test.",
                            "    - debian/patches/flaky-statusline-test.patch:",
                            "      skip flaky statusline test.",
                            "  * Drop changes:",
                            "    - debian/patches/flaky-screendump-test.patch: upstream",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0461-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2142681
                        ],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Thu, 14 May 2026 15:24:42 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-44656",
                                "url": "https://ubuntu.com/security/CVE-2026-44656",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45130",
                                "url": "https://ubuntu.com/security/CVE-2026-45130",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 23:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0435: backticks in 'path' may cause shell execution on completion",
                            "        (Closes: #1136086, CVE-2026-44656)",
                            "      - 9.2.0450: heap buffer overflow in spellfile SN_COMPOUND handling",
                            "        (Closes: #1136097, CVE-2026-45130)",
                            "    + syntax/autopkgtest.vim: Fix typos in breaks-testbed, build-needed, and",
                            "      hint-testsuite-triggers. Mark skip-not-installable as deprecated.",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0461-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 09 May 2026 19:41:43 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26269",
                                "url": "https://ubuntu.com/security/CVE-2026-26269",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-13 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28420",
                                "url": "https://ubuntu.com/security/CVE-2026-28420",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28422",
                                "url": "https://ubuntu.com/security/CVE-2026-28422",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28417",
                                "url": "https://ubuntu.com/security/CVE-2026-28417",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28418",
                                "url": "https://ubuntu.com/security/CVE-2026-28418",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28419",
                                "url": "https://ubuntu.com/security/CVE-2026-28419",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28421",
                                "url": "https://ubuntu.com/security/CVE-2026-28421",
                                "cve_description": "Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-32249",
                                "url": "https://ubuntu.com/security/CVE-2026-32249",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-33412",
                                "url": "https://ubuntu.com/security/CVE-2026-33412",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-24 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34714",
                                "url": "https://ubuntu.com/security/CVE-2026-34714",
                                "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-30 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34982",
                                "url": "https://ubuntu.com/security/CVE-2026-34982",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142221). Remaining changes:",
                            "    - d/p/0001-fix-flaky-terminal-mode-test.vim:",
                            "      Fix flaky Vim terminal mode test",
                            "    - d/p/0002-disable-failing-tests-on-ppc64.patch:",
                            "      Disable some tests that were failing during build on",
                            "      ppc64el. The tests are only disabled when building on ppc64el.",
                            "    - d/p/0003-skip-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - d/p/increase_timeout.diff: Increase timeout",
                            "      for the Test_pattern_compile_speed patch.",
                            "    - d/p/debian/ubuntu-grub-syntax.patch:",
                            "      Add Ubuntu-specific \"quiet\" keyword.",
                            "    - d/runtime/vimrc: \"syntax on\" is a sane default for non-tiny Vim.",
                            "    - d/p/disable-test-term-gettty.patch: disable a test",
                            "      which was failing due to changes outside of vim (LP: #2142681)",
                            "    - debian/patches/0004-skip-autocmd-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "  * Dropped changes:",
                            "    - SECURITY UPDATE: Buffer Overflow",
                            "      + debian/patches/CVE-2026-26269.patch: Limit writing to max KEYBUFLEN",
                            "      bytes to prevent writing out of bounds.",
                            "      + debian/patches/CVE-2026-28420.patch: Use VTERM_MAX_CHARS_PER_CELL   - 4",
                            "      for ga_grow() to ensure sufficient space. Add a boundary check to the",
                            "      character loop to prevent index out-of-bounds access.",
                            "      + debian/patches/CVE-2026-28422.patch: Update the size check to account",
                            "      for the byte length of the fill character (using MB_CHAR2LEN).",
                            "      + CVE-2026-26269",
                            "      + CVE-2026-28420",
                            "      + CVE-2026-28422",
                            "    - SECURITY UPDATE: Command Injection",
                            "      + debian/patches/CVE-2026-28417.patch: Implement stricter RFC1123",
                            "      hostname and IP validation. Use shellescape() for the provided",
                            "      hostname and port.",
                            "      + debian/patches/fix-test_plugin_netrw-tests.patch: Add missing",
                            "      function TestNetrwCaptureRemotePath",
                            "      + CVE-2026-28417",
                            "    - SECURITY UPDATE: Out of Bounds Read",
                            "      + debian/patches/CVE-2026-28418.patch: Check for end of buffer",
                            "      and return early.",
                            "      + CVE-2026-28418",
                            "    - SECURITY UPDATE: Buffer Underflow",
                            "      + debian/patches/CVE-2026-28419.patch: Add a check to ensure the",
                            "      delimiter (p_7f) is not at the start of the buffer (lbuf) before",
                            "      attempting to isolate the tag name.",
                            "      + CVE-2026-28419",
                            "    - SECURITY UPDATE: Denial of Service",
                            "      + debian/patches/CVE-2026-28421.patch: Add bounds checks on",
                            "      pe_page_count and pe_bnum against mf_blocknr_max before descending",
                            "      into the block tree, and validate pe_old_lnum >= 1 and",
                            "      pe_line_count > 0 before calling readfile().",
                            "      + CVE-2026-28421",
                            "    - SECURITY UPDATE: NULL pointer dereference in the NFA regex engine.",
                            "      + debian/patches/CVE-2026-32249.patch: Add range_endpoint and if checks",
                            "      in src/regexp_nfa.c. Add tests in src/testdir/test_regexp_utf8.vim.",
                            "      + CVE-2026-32249",
                            "    - SECURITY UPDATE: Command injection in glob.",
                            "      + debian/patches/CVE-2026-33412.patch: Add newline to SHELL_SPECIAL in",
                            "      src/os_unix.c.",
                            "      + CVE-2026-33412",
                            "    - SECURITY UPDATE: Command injection in tabpanel.",
                            "      + debian/patches/CVE-2026-34714.patch: Add check_restricted check_secure",
                            "      if check in src/autocmd.c. Add P_MLE in src/optiondefs.h. Add tests in",
                            "      src/testdir/test_autocmd.vim and src/testdir/test_tabpanel.vim.",
                            "      + CVE-2026-34714",
                            "    - SECURITY UPDATE: Command injection in modeline.",
                            "      + debian/patches/CVE-2026-34982.patch: Add check_secure in src/map.c. Add",
                            "      P_MLE in src/optiondefs.h. Add tests in src/testdir/test_modeline.vim.",
                            "      + debian/patches/CVE-2026-34982-post1.patch: Remove failing test and add",
                            "      more s:modeline_fails in src/testdir/test_modeline.vim.",
                            "      + CVE-2026-34982",
                            "  * Add add-stonking.patch to add stonking to the list of known Ubuntu releases.",
                            "  * Add flaky-screendump-test.patch to fix flaky screendump test.",
                            "  * Add flaky-visual-block-test.patch to skip flaky visual block test.",
                            "  * Add flaky-statusline-test.patch to skip flaky statusline test.",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0428-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2142221,
                            2142681
                        ],
                        "author": "Simon Quigley <tsimonq2@debian.org>",
                        "date": "Tue, 05 May 2026 10:23:56 -0500"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-41411",
                                "url": "https://ubuntu.com/security/CVE-2026-41411",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0357: command injection via backticks in tag files (Closes:",
                            "        #1134906, CVE-2026-41411)",
                            "  * Remove xdg-shell.xml and primary-selection-unstable-v1.xml entries from",
                            "    d/copyright",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0428-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 02 May 2026 10:39:07 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + 9.2.0350: New 'modelinestrict' option, enabled by default, to limit",
                            "      which options can be set in modelines.",
                            "  * Remove documentation patch about Debian disabling modeline option",
                            "  * Remove \"set nomodeline\" from debian.vim",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0355-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Thu, 16 Apr 2026 09:10:49 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-39881",
                                "url": "https://ubuntu.com/security/CVE-2026-39881",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-08 21:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0316: command injection in netbeans interface via defineAnnoType,",
                            "        CVE-2026-39881",
                            "  * Change libselinux1-dev Build-Depends to libselinux-dev",
                            "  * Change libgpmg1-dev Build-Depends to libgpm-dev",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0338-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 11 Apr 2026 20:45:13 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-34714",
                                "url": "https://ubuntu.com/security/CVE-2026-34714",
                                "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-30 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34982",
                                "url": "https://ubuntu.com/security/CVE-2026-34982",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0272: modeline security bypass for 'tabpanel' option, allowing",
                            "        expressions to be run from a modeline. (Closes: #1132447,",
                            "        CVE-2026-34714)",
                            "      - 9.2.0276: modeline security bypass for 'complete', 'guitabtooltip',",
                            "        and 'printheader' options, allowing expressions to be run from a",
                            "        modeline. (Closes: #1132450, CVE-2026-34982)",
                            "      - 9.2.0280: Fix path traversal issue in zip plugin, CVE-2026-35177",
                            "  * Remove revert of v9.1.0949, since that is now causing Vim tests to fail.",
                            "    This reopens #1091729.",
                            "  * Declare compliance with Policy 4.7.4",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0315-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Tue, 07 Apr 2026 06:44:19 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-32249",
                                "url": "https://ubuntu.com/security/CVE-2026-32249",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-33412",
                                "url": "https://ubuntu.com/security/CVE-2026-33412",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-24 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + 9.2.0168: Fix invalid pointer casting in string_convert(), causing test",
                            "      failures on big-endian systems",
                            "    + runtime/syntax/python.vim: Fix E363 error when highlighting large",
                            "      integers (Closes: #1127816)",
                            "    + Security fixes",
                            "      - 9.2.0137: crash when composing character as end of range in a regexp",
                            "        collection (Closes: #1130658, CVE-2026-32249)",
                            "      - 9.2.0202: command injection via newline in glob(), CVE-2026-33412",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0218-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 21 Mar 2026 07:38:26 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge upstream patch v9.2.0136",
                            "    + 9.2.0132: Skip Test_recover_corrupted_swap_file1 on big-endian systems",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0136-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Wed, 11 Mar 2026 11:11:47 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26269",
                                "url": "https://ubuntu.com/security/CVE-2026-26269",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-13 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28417",
                                "url": "https://ubuntu.com/security/CVE-2026-28417",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28418",
                                "url": "https://ubuntu.com/security/CVE-2026-28418",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28419",
                                "url": "https://ubuntu.com/security/CVE-2026-28419",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28420",
                                "url": "https://ubuntu.com/security/CVE-2026-28420",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28421",
                                "url": "https://ubuntu.com/security/CVE-2026-28421",
                                "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28422",
                                "url": "https://ubuntu.com/security/CVE-2026-28422",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream release",
                            "    + See \":help vim-9.2\" for new features",
                            "    + Security fixes",
                            "      - 9.1.2148: buffer overflow in netbeans special_keys() handling (Closes:",
                            "        #1127930, CVE-2026-26269)",
                            "  * Merge upstream tag v9.2.0119",
                            "    + Security fixes",
                            "      - 9.2.0073: possible command injection using netrw (Closes: #1129427,",
                            "        CVE-2026-28417)",
                            "      - 9.2.0074: crash with overlong emacs tag file (Closes: #1129428,",
                            "        CVE-2026-28418)",
                            "      - 9.2.0075: buffer underflow with emacs tag file (Closes: #1129429,",
                            "        CVE-2026-28419)",
                            "      - 9.2.0076: buffer-overflow with combining characters in terminal",
                            "        handling (Closes: #1129430, CVE-2026-28420)",
                            "      - 9.2.0077: crash when recovering a corrupted swap file (Closes:",
                            "        #1129431, CVE-2026-28421)",
                            "      - 9.2.0078: stack buffer overflow when rendering a statusline with a",
                            "        multi-byte fill character on a very wide terminal (Closes: #1129432,",
                            "        CVE-2026-28422)",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0119-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Mon, 09 Mar 2026 06:50:59 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-tiny",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4",
                    "version": "2:9.1.2141-1ubuntu4"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.2.0461-1ubuntu1",
                    "version": "2:9.2.0461-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-44656",
                        "url": "https://ubuntu.com/security/CVE-2026-44656",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45130",
                        "url": "https://ubuntu.com/security/CVE-2026-45130",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-26269",
                        "url": "https://ubuntu.com/security/CVE-2026-26269",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-13 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28420",
                        "url": "https://ubuntu.com/security/CVE-2026-28420",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28422",
                        "url": "https://ubuntu.com/security/CVE-2026-28422",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28417",
                        "url": "https://ubuntu.com/security/CVE-2026-28417",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28418",
                        "url": "https://ubuntu.com/security/CVE-2026-28418",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28419",
                        "url": "https://ubuntu.com/security/CVE-2026-28419",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28421",
                        "url": "https://ubuntu.com/security/CVE-2026-28421",
                        "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-32249",
                        "url": "https://ubuntu.com/security/CVE-2026-32249",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-33412",
                        "url": "https://ubuntu.com/security/CVE-2026-33412",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-24 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34714",
                        "url": "https://ubuntu.com/security/CVE-2026-34714",
                        "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-30 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34982",
                        "url": "https://ubuntu.com/security/CVE-2026-34982",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-41411",
                        "url": "https://ubuntu.com/security/CVE-2026-41411",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-39881",
                        "url": "https://ubuntu.com/security/CVE-2026-39881",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-08 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34714",
                        "url": "https://ubuntu.com/security/CVE-2026-34714",
                        "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-30 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34982",
                        "url": "https://ubuntu.com/security/CVE-2026-34982",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-32249",
                        "url": "https://ubuntu.com/security/CVE-2026-32249",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-33412",
                        "url": "https://ubuntu.com/security/CVE-2026-33412",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-24 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-26269",
                        "url": "https://ubuntu.com/security/CVE-2026-26269",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-13 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28417",
                        "url": "https://ubuntu.com/security/CVE-2026-28417",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28418",
                        "url": "https://ubuntu.com/security/CVE-2026-28418",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28419",
                        "url": "https://ubuntu.com/security/CVE-2026-28419",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28420",
                        "url": "https://ubuntu.com/security/CVE-2026-28420",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28421",
                        "url": "https://ubuntu.com/security/CVE-2026-28421",
                        "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28422",
                        "url": "https://ubuntu.com/security/CVE-2026-28422",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142681,
                    2142221,
                    2142681
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - d/p/0001-fix-flaky-terminal-mode-test.vim:",
                            "      Fix flaky Vim terminal mode test",
                            "    - d/p/0002-disable-failing-tests-on-ppc64.patch:",
                            "      Disable some tests that were failing during build on",
                            "      ppc64el. The tests are only disabled when building on ppc64el.",
                            "    - d/p/0003-skip-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - d/p/increase_timeout.diff: Increase timeout",
                            "      for the Test_pattern_compile_speed patch.",
                            "    - d/p/debian/ubuntu-grub-syntax.patch:",
                            "      Add Ubuntu-specific \"quiet\" keyword.",
                            "    - d/runtime/vimrc: \"syntax on\" is a sane default for non-tiny Vim.",
                            "    - d/p/disable-test-term-gettty.patch: disable a test",
                            "      which was failing due to changes outside of vim (LP: #2142681)",
                            "    - debian/patches/0004-skip-autocmd-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - debian/patches/add-stonking.patch:",
                            "      add stonking to the list of known Ubuntu releases.",
                            "    - debian/patches/flaky-visual-block-test.patch:",
                            "      skip flaky visual block test.",
                            "    - debian/patches/flaky-statusline-test.patch:",
                            "      skip flaky statusline test.",
                            "  * Drop changes:",
                            "    - debian/patches/flaky-screendump-test.patch: upstream",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0461-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2142681
                        ],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Thu, 14 May 2026 15:24:42 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-44656",
                                "url": "https://ubuntu.com/security/CVE-2026-44656",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45130",
                                "url": "https://ubuntu.com/security/CVE-2026-45130",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 23:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0435: backticks in 'path' may cause shell execution on completion",
                            "        (Closes: #1136086, CVE-2026-44656)",
                            "      - 9.2.0450: heap buffer overflow in spellfile SN_COMPOUND handling",
                            "        (Closes: #1136097, CVE-2026-45130)",
                            "    + syntax/autopkgtest.vim: Fix typos in breaks-testbed, build-needed, and",
                            "      hint-testsuite-triggers. Mark skip-not-installable as deprecated.",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0461-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 09 May 2026 19:41:43 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26269",
                                "url": "https://ubuntu.com/security/CVE-2026-26269",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-13 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28420",
                                "url": "https://ubuntu.com/security/CVE-2026-28420",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28422",
                                "url": "https://ubuntu.com/security/CVE-2026-28422",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28417",
                                "url": "https://ubuntu.com/security/CVE-2026-28417",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28418",
                                "url": "https://ubuntu.com/security/CVE-2026-28418",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28419",
                                "url": "https://ubuntu.com/security/CVE-2026-28419",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28421",
                                "url": "https://ubuntu.com/security/CVE-2026-28421",
                                "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-32249",
                                "url": "https://ubuntu.com/security/CVE-2026-32249",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-33412",
                                "url": "https://ubuntu.com/security/CVE-2026-33412",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-24 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34714",
                                "url": "https://ubuntu.com/security/CVE-2026-34714",
                                "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-30 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34982",
                                "url": "https://ubuntu.com/security/CVE-2026-34982",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142221). Remaining changes:",
                            "    - d/p/0001-fix-flaky-terminal-mode-test.vim:",
                            "      Fix flaky Vim terminal mode test",
                            "    - d/p/0002-disable-failing-tests-on-ppc64.patch:",
                            "      Disable some tests that were failing during build on",
                            "      ppc64el. The tests are only disabled when building on ppc64el.",
                            "    - d/p/0003-skip-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - d/p/increase_timeout.diff: Increase timeout",
                            "      for the Test_pattern_compile_speed patch.",
                            "    - d/p/debian/ubuntu-grub-syntax.patch:",
                            "      Add Ubuntu-specific \"quiet\" keyword.",
                            "    - d/runtime/vimrc: \"syntax on\" is a sane default for non-tiny Vim.",
                            "    - d/p/disable-test-term-gettty.patch: disable a test",
                            "      which was failing due to changes outside of vim (LP: #2142681)",
                            "    - debian/patches/0004-skip-autocmd-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "  * Dropped changes:",
                            "    - SECURITY UPDATE: Buffer Overflow",
                            "      + debian/patches/CVE-2026-26269.patch: Limit writing to max KEYBUFLEN",
                            "      bytes to prevent writing out of bounds.",
                            "      + debian/patches/CVE-2026-28420.patch: Use VTERM_MAX_CHARS_PER_CELL   - 4",
                            "      for ga_grow() to ensure sufficient space. Add a boundary check to the",
                            "      character loop to prevent index out-of-bounds access.",
                            "      + debian/patches/CVE-2026-28422.patch: Update the size check to account",
                            "      for the byte length of the fill character (using MB_CHAR2LEN).",
                            "      + CVE-2026-26269",
                            "      + CVE-2026-28420",
                            "      + CVE-2026-28422",
                            "    - SECURITY UPDATE: Command Injection",
                            "      + debian/patches/CVE-2026-28417.patch: Implement stricter RFC1123",
                            "      hostname and IP validation. Use shellescape() for the provided",
                            "      hostname and port.",
                            "      + debian/patches/fix-test_plugin_netrw-tests.patch: Add missing",
                            "      function TestNetrwCaptureRemotePath",
                            "      + CVE-2026-28417",
                            "    - SECURITY UPDATE: Out of Bounds Read",
                            "      + debian/patches/CVE-2026-28418.patch: Check for end of buffer",
                            "      and return early.",
                            "      + CVE-2026-28418",
                            "    - SECURITY UPDATE: Buffer Underflow",
                            "      + debian/patches/CVE-2026-28419.patch: Add a check to ensure the",
                            "      delimiter (p_7f) is not at the start of the buffer (lbuf) before",
                            "      attempting to isolate the tag name.",
                            "      + CVE-2026-28419",
                            "    - SECURITY UPDATE: Denial of Service",
                            "      + debian/patches/CVE-2026-28421.patch: Add bounds checks on",
                            "      pe_page_count and pe_bnum against mf_blocknr_max before descending",
                            "      into the block tree, and validate pe_old_lnum >= 1 and",
                            "      pe_line_count > 0 before calling readfile().",
                            "      + CVE-2026-28421",
                            "    - SECURITY UPDATE: NULL pointer dereference in the NFA regex engine.",
                            "      + debian/patches/CVE-2026-32249.patch: Add range_endpoint and if checks",
                            "      in src/regexp_nfa.c. Add tests in src/testdir/test_regexp_utf8.vim.",
                            "      + CVE-2026-32249",
                            "    - SECURITY UPDATE: Command injection in glob.",
                            "      + debian/patches/CVE-2026-33412.patch: Add newline to SHELL_SPECIAL in",
                            "      src/os_unix.c.",
                            "      + CVE-2026-33412",
                            "    - SECURITY UPDATE: Command injection in tabpanel.",
                            "      + debian/patches/CVE-2026-34714.patch: Add check_restricted check_secure",
                            "      if check in src/autocmd.c. Add P_MLE in src/optiondefs.h. Add tests in",
                            "      src/testdir/test_autocmd.vim and src/testdir/test_tabpanel.vim.",
                            "      + CVE-2026-34714",
                            "    - SECURITY UPDATE: Command injection in modeline.",
                            "      + debian/patches/CVE-2026-34982.patch: Add check_secure in src/map.c. Add",
                            "      P_MLE in src/optiondefs.h. Add tests in src/testdir/test_modeline.vim.",
                            "      + debian/patches/CVE-2026-34982-post1.patch: Remove failing test and add",
                            "      more s:modeline_fails in src/testdir/test_modeline.vim.",
                            "      + CVE-2026-34982",
                            "  * Add add-stonking.patch to add stonking to the list of known Ubuntu releases.",
                            "  * Add flaky-screendump-test.patch to fix flaky screendump test.",
                            "  * Add flaky-visual-block-test.patch to skip flaky visual block test.",
                            "  * Add flaky-statusline-test.patch to skip flaky statusline test.",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0428-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2142221,
                            2142681
                        ],
                        "author": "Simon Quigley <tsimonq2@debian.org>",
                        "date": "Tue, 05 May 2026 10:23:56 -0500"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-41411",
                                "url": "https://ubuntu.com/security/CVE-2026-41411",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0357: command injection via backticks in tag files (Closes:",
                            "        #1134906, CVE-2026-41411)",
                            "  * Remove xdg-shell.xml and primary-selection-unstable-v1.xml entries from",
                            "    d/copyright",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0428-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 02 May 2026 10:39:07 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + 9.2.0350: New 'modelinestrict' option, enabled by default, to limit",
                            "      which options can be set in modelines.",
                            "  * Remove documentation patch about Debian disabling modeline option",
                            "  * Remove \"set nomodeline\" from debian.vim",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0355-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Thu, 16 Apr 2026 09:10:49 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-39881",
                                "url": "https://ubuntu.com/security/CVE-2026-39881",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-08 21:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0316: command injection in netbeans interface via defineAnnoType,",
                            "        CVE-2026-39881",
                            "  * Change libselinux1-dev Build-Depends to libselinux-dev",
                            "  * Change libgpmg1-dev Build-Depends to libgpm-dev",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0338-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 11 Apr 2026 20:45:13 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-34714",
                                "url": "https://ubuntu.com/security/CVE-2026-34714",
                                "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-30 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34982",
                                "url": "https://ubuntu.com/security/CVE-2026-34982",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0272: modeline security bypass for 'tabpanel' option, allowing",
                            "        expressions to be run from a modeline. (Closes: #1132447,",
                            "        CVE-2026-34714)",
                            "      - 9.2.0276: modeline security bypass for 'complete', 'guitabtooltip',",
                            "        and 'printheader' options, allowing expressions to be run from a",
                            "        modeline. (Closes: #1132450, CVE-2026-34982)",
                            "      - 9.2.0280: Fix path traversal issue in zip plugin, CVE-2026-35177",
                            "  * Remove revert of v9.1.0949, since that is now causing Vim tests to fail.",
                            "    This reopens #1091729.",
                            "  * Declare compliance with Policy 4.7.4",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0315-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Tue, 07 Apr 2026 06:44:19 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-32249",
                                "url": "https://ubuntu.com/security/CVE-2026-32249",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-33412",
                                "url": "https://ubuntu.com/security/CVE-2026-33412",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-24 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + 9.2.0168: Fix invalid pointer casting in string_convert(), causing test",
                            "      failures on big-endian systems",
                            "    + runtime/syntax/python.vim: Fix E363 error when highlighting large",
                            "      integers (Closes: #1127816)",
                            "    + Security fixes",
                            "      - 9.2.0137: crash when composing character as end of range in a regexp",
                            "        collection (Closes: #1130658, CVE-2026-32249)",
                            "      - 9.2.0202: command injection via newline in glob(), CVE-2026-33412",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0218-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 21 Mar 2026 07:38:26 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge upstream patch v9.2.0136",
                            "    + 9.2.0132: Skip Test_recover_corrupted_swap_file1 on big-endian systems",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0136-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Wed, 11 Mar 2026 11:11:47 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26269",
                                "url": "https://ubuntu.com/security/CVE-2026-26269",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-13 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28417",
                                "url": "https://ubuntu.com/security/CVE-2026-28417",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28418",
                                "url": "https://ubuntu.com/security/CVE-2026-28418",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28419",
                                "url": "https://ubuntu.com/security/CVE-2026-28419",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28420",
                                "url": "https://ubuntu.com/security/CVE-2026-28420",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28421",
                                "url": "https://ubuntu.com/security/CVE-2026-28421",
                                "cve_description": "Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28422",
                                "url": "https://ubuntu.com/security/CVE-2026-28422",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream release",
                            "    + See \":help vim-9.2\" for new features",
                            "    + Security fixes",
                            "      - 9.1.2148: buffer overflow in netbeans special_keys() handling (Closes:",
                            "        #1127930, CVE-2026-26269)",
                            "  * Merge upstream tag v9.2.0119",
                            "    + Security fixes",
                            "      - 9.2.0073: possible command injection using netrw (Closes: #1129427,",
                            "        CVE-2026-28417)",
                            "      - 9.2.0074: crash with overlong emacs tag file (Closes: #1129428,",
                            "        CVE-2026-28418)",
                            "      - 9.2.0075: buffer underflow with emacs tag file (Closes: #1129429,",
                            "        CVE-2026-28419)",
                            "      - 9.2.0076: buffer-overflow with combining characters in terminal",
                            "        handling (Closes: #1129430, CVE-2026-28420)",
                            "      - 9.2.0077: crash when recovering a corrupted swap file (Closes:",
                            "        #1129431, CVE-2026-28421)",
                            "      - 9.2.0078: stack buffer overflow when rendering a statusline with a",
                            "        multi-byte fill character on a very wide terminal (Closes: #1129432,",
                            "        CVE-2026-28422)",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0119-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Mon, 09 Mar 2026 06:50:59 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4",
                    "version": "2:9.1.2141-1ubuntu4"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.2.0461-1ubuntu1",
                    "version": "2:9.2.0461-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-44656",
                        "url": "https://ubuntu.com/security/CVE-2026-44656",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45130",
                        "url": "https://ubuntu.com/security/CVE-2026-45130",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-08 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-26269",
                        "url": "https://ubuntu.com/security/CVE-2026-26269",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-13 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28420",
                        "url": "https://ubuntu.com/security/CVE-2026-28420",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28422",
                        "url": "https://ubuntu.com/security/CVE-2026-28422",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28417",
                        "url": "https://ubuntu.com/security/CVE-2026-28417",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28418",
                        "url": "https://ubuntu.com/security/CVE-2026-28418",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28419",
                        "url": "https://ubuntu.com/security/CVE-2026-28419",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28421",
                        "url": "https://ubuntu.com/security/CVE-2026-28421",
                        "cve_description": "Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-32249",
                        "url": "https://ubuntu.com/security/CVE-2026-32249",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-33412",
                        "url": "https://ubuntu.com/security/CVE-2026-33412",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-24 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34714",
                        "url": "https://ubuntu.com/security/CVE-2026-34714",
                        "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-30 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34982",
                        "url": "https://ubuntu.com/security/CVE-2026-34982",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-41411",
                        "url": "https://ubuntu.com/security/CVE-2026-41411",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-39881",
                        "url": "https://ubuntu.com/security/CVE-2026-39881",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-08 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34714",
                        "url": "https://ubuntu.com/security/CVE-2026-34714",
                        "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-30 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-34982",
                        "url": "https://ubuntu.com/security/CVE-2026-34982",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-32249",
                        "url": "https://ubuntu.com/security/CVE-2026-32249",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-33412",
                        "url": "https://ubuntu.com/security/CVE-2026-33412",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-24 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-26269",
                        "url": "https://ubuntu.com/security/CVE-2026-26269",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-13 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28417",
                        "url": "https://ubuntu.com/security/CVE-2026-28417",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28418",
                        "url": "https://ubuntu.com/security/CVE-2026-28418",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28419",
                        "url": "https://ubuntu.com/security/CVE-2026-28419",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28420",
                        "url": "https://ubuntu.com/security/CVE-2026-28420",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28421",
                        "url": "https://ubuntu.com/security/CVE-2026-28421",
                        "cve_description": "Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28422",
                        "url": "https://ubuntu.com/security/CVE-2026-28422",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142681,
                    2142221,
                    2142681
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - d/p/0001-fix-flaky-terminal-mode-test.vim:",
                            "      Fix flaky Vim terminal mode test",
                            "    - d/p/0002-disable-failing-tests-on-ppc64.patch:",
                            "      Disable some tests that were failing during build on",
                            "      ppc64el. The tests are only disabled when building on ppc64el.",
                            "    - d/p/0003-skip-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - d/p/increase_timeout.diff: Increase timeout",
                            "      for the Test_pattern_compile_speed patch.",
                            "    - d/p/debian/ubuntu-grub-syntax.patch:",
                            "      Add Ubuntu-specific \"quiet\" keyword.",
                            "    - d/runtime/vimrc: \"syntax on\" is a sane default for non-tiny Vim.",
                            "    - d/p/disable-test-term-gettty.patch: disable a test",
                            "      which was failing due to changes outside of vim (LP: #2142681)",
                            "    - debian/patches/0004-skip-autocmd-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - debian/patches/add-stonking.patch:",
                            "      add stonking to the list of known Ubuntu releases.",
                            "    - debian/patches/flaky-visual-block-test.patch:",
                            "      skip flaky visual block test.",
                            "    - debian/patches/flaky-statusline-test.patch:",
                            "      skip flaky statusline test.",
                            "  * Drop changes:",
                            "    - debian/patches/flaky-screendump-test.patch: upstream",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0461-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2142681
                        ],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Thu, 14 May 2026 15:24:42 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-44656",
                                "url": "https://ubuntu.com/security/CVE-2026-44656",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45130",
                                "url": "https://ubuntu.com/security/CVE-2026-45130",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-08 23:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0435: backticks in 'path' may cause shell execution on completion",
                            "        (Closes: #1136086, CVE-2026-44656)",
                            "      - 9.2.0450: heap buffer overflow in spellfile SN_COMPOUND handling",
                            "        (Closes: #1136097, CVE-2026-45130)",
                            "    + syntax/autopkgtest.vim: Fix typos in breaks-testbed, build-needed, and",
                            "      hint-testsuite-triggers. Mark skip-not-installable as deprecated.",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0461-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 09 May 2026 19:41:43 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26269",
                                "url": "https://ubuntu.com/security/CVE-2026-26269",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-13 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28420",
                                "url": "https://ubuntu.com/security/CVE-2026-28420",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28422",
                                "url": "https://ubuntu.com/security/CVE-2026-28422",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28417",
                                "url": "https://ubuntu.com/security/CVE-2026-28417",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28418",
                                "url": "https://ubuntu.com/security/CVE-2026-28418",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28419",
                                "url": "https://ubuntu.com/security/CVE-2026-28419",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28421",
                                "url": "https://ubuntu.com/security/CVE-2026-28421",
                                "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-32249",
                                "url": "https://ubuntu.com/security/CVE-2026-32249",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-33412",
                                "url": "https://ubuntu.com/security/CVE-2026-33412",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-24 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34714",
                                "url": "https://ubuntu.com/security/CVE-2026-34714",
                                "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-30 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34982",
                                "url": "https://ubuntu.com/security/CVE-2026-34982",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142221). Remaining changes:",
                            "    - d/p/0001-fix-flaky-terminal-mode-test.vim:",
                            "      Fix flaky Vim terminal mode test",
                            "    - d/p/0002-disable-failing-tests-on-ppc64.patch:",
                            "      Disable some tests that were failing during build on",
                            "      ppc64el. The tests are only disabled when building on ppc64el.",
                            "    - d/p/0003-skip-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - d/p/increase_timeout.diff: Increase timeout",
                            "      for the Test_pattern_compile_speed patch.",
                            "    - d/p/debian/ubuntu-grub-syntax.patch:",
                            "      Add Ubuntu-specific \"quiet\" keyword.",
                            "    - d/runtime/vimrc: \"syntax on\" is a sane default for non-tiny Vim.",
                            "    - d/p/disable-test-term-gettty.patch: disable a test",
                            "      which was failing due to changes outside of vim (LP: #2142681)",
                            "    - debian/patches/0004-skip-autocmd-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "  * Dropped changes:",
                            "    - SECURITY UPDATE: Buffer Overflow",
                            "      + debian/patches/CVE-2026-26269.patch: Limit writing to max KEYBUFLEN",
                            "      bytes to prevent writing out of bounds.",
                            "      + debian/patches/CVE-2026-28420.patch: Use VTERM_MAX_CHARS_PER_CELL   - 4",
                            "      for ga_grow() to ensure sufficient space. Add a boundary check to the",
                            "      character loop to prevent index out-of-bounds access.",
                            "      + debian/patches/CVE-2026-28422.patch: Update the size check to account",
                            "      for the byte length of the fill character (using MB_CHAR2LEN).",
                            "      + CVE-2026-26269",
                            "      + CVE-2026-28420",
                            "      + CVE-2026-28422",
                            "    - SECURITY UPDATE: Command Injection",
                            "      + debian/patches/CVE-2026-28417.patch: Implement stricter RFC1123",
                            "      hostname and IP validation. Use shellescape() for the provided",
                            "      hostname and port.",
                            "      + debian/patches/fix-test_plugin_netrw-tests.patch: Add missing",
                            "      function TestNetrwCaptureRemotePath",
                            "      + CVE-2026-28417",
                            "    - SECURITY UPDATE: Out of Bounds Read",
                            "      + debian/patches/CVE-2026-28418.patch: Check for end of buffer",
                            "      and return early.",
                            "      + CVE-2026-28418",
                            "    - SECURITY UPDATE: Buffer Underflow",
                            "      + debian/patches/CVE-2026-28419.patch: Add a check to ensure the",
                            "      delimiter (p_7f) is not at the start of the buffer (lbuf) before",
                            "      attempting to isolate the tag name.",
                            "      + CVE-2026-28419",
                            "    - SECURITY UPDATE: Denial of Service",
                            "      + debian/patches/CVE-2026-28421.patch: Add bounds checks on",
                            "      pe_page_count and pe_bnum against mf_blocknr_max before descending",
                            "      into the block tree, and validate pe_old_lnum >= 1 and",
                            "      pe_line_count > 0 before calling readfile().",
                            "      + CVE-2026-28421",
                            "    - SECURITY UPDATE: NULL pointer dereference in the NFA regex engine.",
                            "      + debian/patches/CVE-2026-32249.patch: Add range_endpoint and if checks",
                            "      in src/regexp_nfa.c. Add tests in src/testdir/test_regexp_utf8.vim.",
                            "      + CVE-2026-32249",
                            "    - SECURITY UPDATE: Command injection in glob.",
                            "      + debian/patches/CVE-2026-33412.patch: Add newline to SHELL_SPECIAL in",
                            "      src/os_unix.c.",
                            "      + CVE-2026-33412",
                            "    - SECURITY UPDATE: Command injection in tabpanel.",
                            "      + debian/patches/CVE-2026-34714.patch: Add check_restricted check_secure",
                            "      if check in src/autocmd.c. Add P_MLE in src/optiondefs.h. Add tests in",
                            "      src/testdir/test_autocmd.vim and src/testdir/test_tabpanel.vim.",
                            "      + CVE-2026-34714",
                            "    - SECURITY UPDATE: Command injection in modeline.",
                            "      + debian/patches/CVE-2026-34982.patch: Add check_secure in src/map.c. Add",
                            "      P_MLE in src/optiondefs.h. Add tests in src/testdir/test_modeline.vim.",
                            "      + debian/patches/CVE-2026-34982-post1.patch: Remove failing test and add",
                            "      more s:modeline_fails in src/testdir/test_modeline.vim.",
                            "      + CVE-2026-34982",
                            "  * Add add-stonking.patch to add stonking to the list of known Ubuntu releases.",
                            "  * Add flaky-screendump-test.patch to fix flaky screendump test.",
                            "  * Add flaky-visual-block-test.patch to skip flaky visual block test.",
                            "  * Add flaky-statusline-test.patch to skip flaky statusline test.",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0428-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2142221,
                            2142681
                        ],
                        "author": "Simon Quigley <tsimonq2@debian.org>",
                        "date": "Tue, 05 May 2026 10:23:56 -0500"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-41411",
                                "url": "https://ubuntu.com/security/CVE-2026-41411",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0357: command injection via backticks in tag files (Closes:",
                            "        #1134906, CVE-2026-41411)",
                            "  * Remove xdg-shell.xml and primary-selection-unstable-v1.xml entries from",
                            "    d/copyright",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0428-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 02 May 2026 10:39:07 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + 9.2.0350: New 'modelinestrict' option, enabled by default, to limit",
                            "      which options can be set in modelines.",
                            "  * Remove documentation patch about Debian disabling modeline option",
                            "  * Remove \"set nomodeline\" from debian.vim",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0355-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Thu, 16 Apr 2026 09:10:49 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-39881",
                                "url": "https://ubuntu.com/security/CVE-2026-39881",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-08 21:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0316: command injection in netbeans interface via defineAnnoType,",
                            "        CVE-2026-39881",
                            "  * Change libselinux1-dev Build-Depends to libselinux-dev",
                            "  * Change libgpmg1-dev Build-Depends to libgpm-dev",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0338-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 11 Apr 2026 20:45:13 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-34714",
                                "url": "https://ubuntu.com/security/CVE-2026-34714",
                                "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-30 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-34982",
                                "url": "https://ubuntu.com/security/CVE-2026-34982",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + Security fixes",
                            "      - 9.2.0272: modeline security bypass for 'tabpanel' option, allowing",
                            "        expressions to be run from a modeline. (Closes: #1132447,",
                            "        CVE-2026-34714)",
                            "      - 9.2.0276: modeline security bypass for 'complete', 'guitabtooltip',",
                            "        and 'printheader' options, allowing expressions to be run from a",
                            "        modeline. (Closes: #1132450, CVE-2026-34982)",
                            "      - 9.2.0280: Fix path traversal issue in zip plugin, CVE-2026-35177",
                            "  * Remove revert of v9.1.0949, since that is now causing Vim tests to fail.",
                            "    This reopens #1091729.",
                            "  * Declare compliance with Policy 4.7.4",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0315-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Tue, 07 Apr 2026 06:44:19 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-32249",
                                "url": "https://ubuntu.com/security/CVE-2026-32249",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-33412",
                                "url": "https://ubuntu.com/security/CVE-2026-33412",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-24 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream tag",
                            "    + 9.2.0168: Fix invalid pointer casting in string_convert(), causing test",
                            "      failures on big-endian systems",
                            "    + runtime/syntax/python.vim: Fix E363 error when highlighting large",
                            "      integers (Closes: #1127816)",
                            "    + Security fixes",
                            "      - 9.2.0137: crash when composing character as end of range in a regexp",
                            "        collection (Closes: #1130658, CVE-2026-32249)",
                            "      - 9.2.0202: command injection via newline in glob(), CVE-2026-33412",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0218-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Sat, 21 Mar 2026 07:38:26 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge upstream patch v9.2.0136",
                            "    + 9.2.0132: Skip Test_recover_corrupted_swap_file1 on big-endian systems",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0136-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Wed, 11 Mar 2026 11:11:47 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26269",
                                "url": "https://ubuntu.com/security/CVE-2026-26269",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-13 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28417",
                                "url": "https://ubuntu.com/security/CVE-2026-28417",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28418",
                                "url": "https://ubuntu.com/security/CVE-2026-28418",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow (out-of-bounds read) exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28419",
                                "url": "https://ubuntu.com/security/CVE-2026-28419",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28420",
                                "url": "https://ubuntu.com/security/CVE-2026-28420",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28421",
                                "url": "https://ubuntu.com/security/CVE-2026-28421",
                                "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28422",
                                "url": "https://ubuntu.com/security/CVE-2026-28422",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream release",
                            "    + See \":help vim-9.2\" for new features",
                            "    + Security fixes",
                            "      - 9.1.2148: buffer overflow in netbeans special_keys() handling (Closes:",
                            "        #1127930, CVE-2026-26269)",
                            "  * Merge upstream tag v9.2.0119",
                            "    + Security fixes",
                            "      - 9.2.0073: possible command injection using netrw (Closes: #1129427,",
                            "        CVE-2026-28417)",
                            "      - 9.2.0074: crash with overlong emacs tag file (Closes: #1129428,",
                            "        CVE-2026-28418)",
                            "      - 9.2.0075: buffer underflow with emacs tag file (Closes: #1129429,",
                            "        CVE-2026-28419)",
                            "      - 9.2.0076: buffer-overflow with combining characters in terminal",
                            "        handling (Closes: #1129430, CVE-2026-28420)",
                            "      - 9.2.0077: crash when recovering a corrupted swap file (Closes:",
                            "        #1129431, CVE-2026-28421)",
                            "      - 9.2.0078: stack buffer overflow when rendering a statusline with a",
                            "        multi-byte fill character on a very wide terminal (Closes: #1129432,",
                            "        CVE-2026-28422)",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.2.0119-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Mon, 09 Mar 2026 06:50:59 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "libsodium26:s390x",
                "from_version": {
                    "source_package_name": "libsodium",
                    "source_package_version": "1.0.18-2",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "libsodium",
                    "source_package_version": "1.0.22-2",
                    "version": "1.0.22-2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-69277",
                        "url": "https://ubuntu.com/security/CVE-2025-69277",
                        "cve_description": "libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-31 06:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to Sid for starting the package transition.",
                            ""
                        ],
                        "package": "libsodium",
                        "version": "1.0.22-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Laszlo Boszormenyi (GCS) <gcs@debian.org>",
                        "date": "Sun, 26 Apr 2026 14:19:36 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Update libsodium26.symbols .",
                            ""
                        ],
                        "package": "libsodium",
                        "version": "1.0.22-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Laszlo Boszormenyi (GCS) <gcs@debian.org>",
                        "date": "Sat, 11 Apr 2026 18:10:17 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-69277",
                                "url": "https://ubuntu.com/security/CVE-2025-69277",
                                "cve_description": "libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-31 06:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Backport security fix for CVE-2025-69277: mishandled checks for whether",
                            "    an elliptic curve point is valid (closes: #1124374).",
                            ""
                        ],
                        "package": "libsodium",
                        "version": "1.0.20-2",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Laszlo Boszormenyi (GCS) <gcs@debian.org>",
                        "date": "Wed, 31 Dec 2025 14:11:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release (closes: #1098271).",
                            "  * Update libsodium26.symbols .",
                            "  * Switch pkg-config dependency to pkgconf.",
                            "  * Remove now redundant Rules-Requires-Root value.",
                            "  * Update watch file.",
                            "  * Update Standards-Version to 4.7.2 .",
                            ""
                        ],
                        "package": "libsodium",
                        "version": "1.0.20-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Laszlo Boszormenyi (GCS) <gcs@debian.org>",
                        "date": "Fri, 07 Nov 2025 22:07:37 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Update copyright file.",
                            "  * Library transition to version 26 of soname.",
                            "  * Update libsodium26.symbols .",
                            "  * Update watch file.",
                            "  * Use no for Rules-Requires-Root.",
                            "  * Update debhelper level to 13 .",
                            "  * Update Standards-Version to 4.6.2 .",
                            ""
                        ],
                        "package": "libsodium",
                        "version": "1.0.19-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Laszlo Boszormenyi (GCS) <gcs@debian.org>",
                        "date": "Fri, 15 Sep 2023 08:08:16 +0000"
                    }
                ],
                "notes": "libsodium26:s390x version '1.0.22-2' (source package libsodium version '1.0.22-2') was added. libsodium26:s390x version '1.0.22-2' has the same source package name, libsodium, as removed package libsodium23:s390x. As such we can use the source package version of the removed package, '1.0.18-2', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "libsodium23:s390x",
                "from_version": {
                    "source_package_name": "libsodium",
                    "source_package_version": "1.0.18-2",
                    "version": "1.0.18-2"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 26.10 stonking image from daily image serial 20260612 to 20260617",
    "from_series": "stonking",
    "to_series": "stonking",
    "from_serial": "20260612",
    "to_serial": "20260617",
    "from_manifest_filename": "daily_manifest.previous",
    "to_manifest_filename": "manifest.current"
}