Explore top 10 tips to secure your open-source projects now. Read More
×Several security issues were fixed in Apache HTTP Server.. ========================================================================== Ubuntu Security Notice USN-8516-1 July 08, 2026 apache2 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in Apache HTTP Server. Software Description: - apache2: Apache HTTP server Details: It was discovered that Apache HTTP Server's mod_ldap module incorrectly handled memory when processing per-directory configurations. An attacker could use this issue to cause the server to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-29167) It was discovered that Apache HTTP Server's mod_proxy_ftp module incorrectly handled HTML generation for FTP directory listings. A remote attacker could possibly use this issue to inject arbitrary web script or HTML. (CVE-2026-29170) It was discovered that Apache HTTP Server's mod_proxy_html module incorrectly handled certain content from an untrusted backend. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-34355) It was discovered that Apache HTTP Server incorrectly handled ProxyPassReverseCookie directives with a malicious backend server. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-34356) It was discovered that Apache HTTP Server's mod_dav_fs module incorrectly handled certain path operations. An authenticated user could possibly use this issue to manipulate trusted WebDAV property databases or cause a denial of service. (CVE-2026-42535) It was discovered that Apache HTTP Server's mod_xml2enc module incorrectly handled certain content from an untrusted backend. A remote attacker could possibly use this issue to cause ApacheHTTP Server to crash, resulting in a denial of service. (CVE-2026-42536) It was discovered that Apache HTTP Server incorrectly handled response headers when multiple content languages were configured. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-43951) It was discovered that Apache HTTP Server incorrectly restricted certain file functions in expressions within .htaccess files. A local attacker with .htaccess write access could possibly use this issue to obtain sensitive information. (CVE-2026-44119) It was discovered that Apache HTTP Server's mod_ssl module incorrectly handled OCSP responses from an attacker-controlled server. A remote attacker could possibly use this issue to obtain sensitive information or cause a denial of service. (CVE-2026-44185) It was discovered that Apache HTTP Server's mod_proxy_ftp module incorrectly handled responses from an attacker-controlled backend FTP server. A remote attacker could possibly use this issue to cause Apache HTTP Server to stop responding, resulting in a denial of service. (CVE-2026-44186) It was discovered that Apache HTTP Server incorrectly handled crafted regular expressions in the server configuration. An attacker could possibly use this issue to execute arbitrary code or cause a denial of service. (CVE-2026-44631) It was discovered that Apache HTTP Server's mod_http2 module had a use-after-free vulnerability when file handles were exhausted. A remote attacker could possibly use this issue to cause Apache HTTP Server to crash, resulting in a denial of service. (CVE-2026-48913) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS apache2 2.4.66-2ubuntu2.4 Ubuntu 24.04 LTS apache2 2.4.58-1ubuntu8.15 Ubuntu 22.04 LTS apache2 2.4.52-1ubuntu4.23 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8516-1 CVE-2026-29167, CVE-2026-29170, CVE-2026-34355, CVE-2026-34356, CVE-2026-42535, CVE-2026-42536, CVE-2026-43951, CVE-2026-44119, CVE-2026-44185, CVE-2026-44186, CVE-2026-44631, CVE-2026-48913 Package Information: https://launchpad.net/ubuntu/+source/apache2/2.4.66-2ubuntu2.4 https://launchpad.net/ubuntu/+source/apache2/2.4.58-1ubuntu8.15 https://launchpad.net/ubuntu/+source/apache2/2.4.52-1ubuntu4.23 . Numerous security issues in Apache HTTP Server require updates in Ubuntu LTS for protection against potential threats.. Apache HTTP Server vulnerabilities, Ubuntu security fix, Denial of service, Remote attacker risks. . Severity: Critical. LinuxSecurity.com Team
Security update. Publication date: 04 Jul 2026 URL: https://advisories.mageia.org/MGASA-2026-0234.html Type: security Affected Mageia releases: 10, 9 CVE: CVE-2026-50019, CVE-2026-50023, CVE-2026-50574 Description: CVE-2026-50019 If curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. CVE-2026-50023 A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing the remediation for CVE-2024-38519. CVE-2026-50574 If aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code execution. On non-Windows platforms, this can lead to arbitrary code execution upon the next invocation of yt-dlp. For mageia 9 we import yt-dlp-ejs to ensure the application still works. References: - https://bugs.mageia.org/show_bug.cgi?id=35739 - https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-f7j3-774f-rfhj - https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-c6mh-fpjc-4pr3 - https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-vx4q-3cr2-7cg2 - https://www.cve.org/CVERecord?id=CVE-2026-50019 - https://www.cve.org/CVERecord?id=CVE-2026-50023 - https://www.cve.org/CVERecord?id=CVE-2026-50574 SRPMS: - 10/core/yt-dlp-2026.06.09-1.mga10 - 9/core/yt-dlp-2026.06.09-1.1.mga9 - 9/core/yt-dlp-ejs-0.8.0-1.mga9 . Critical security issues in yt-dlp for Mageia. Update needed to prevent code execution and potential cookie leaks.. yt-dlp vulnerabilities, Mageia update, security threats yt-dlp. . Severity: Important. LinuxSecurity.com Team
Ruby could allow unintended access to network services.. ========================================================================== Ubuntu Security Notice USN-8478-1 June 29, 2025 ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS Summary: Ruby could allow unintended access to network services. Software Description: - ruby3.3: Object-oriented scripting language - ruby3.2: Object-oriented scripting language - ruby3.0: Object-oriented scripting language - ruby2.7: Object-oriented scripting language Details: It was discovered that Ruby's Net::IMAP library did not properly verify that TLS encryption was started after issuing a STARTTLS command. A remote attacker could use this to perform a machine-in-the-middle attack and silently bypass TLS encryption. (CVE-2026-42246) It was discovered that Ruby's Net::IMAP library did not validate string arguments passed to certain commands. A remote attacker could use this to inject arbitrary IMAP commands. (CVE-2026-42257) It was discovered that Ruby's Net::IMAP library was vulnerable to a denial of service attack when authenticating with SCRAM-SHA1 or SCRAM-SHA256. A hostile server could send a very large iteration count value to cause excessive computation in the client. This issue only affected ruby3.3. (CVE-2026-42256) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS libruby3.3 3.3.8-2ubuntu3.1 ruby3.3 3.3.8-2ubuntu3.1 Ubuntu 24.04 LTS libruby3.2 3.2.3-1ubuntu0.24.04.8 ruby3.2 3.2.3-1ubuntu0.24.04.8 Ubuntu 22.04 LTS libruby3.0 3.0.2-7ubuntu2.13 ruby3.0 3.0.2-7ubuntu2.13 Ubuntu 20.04 LTS libruby2.7 2.7.0-5ubuntu1.18+esm5 Available with Ubuntu Pro ruby2.7 2.7.0-5ubuntu1.18+esm5 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8478-1 CVE-2026-42246, CVE-2026-42256, CVE-2026-42257 Package Information: https://launchpad.net/ubuntu/+source/ruby3.3/3.3.8-2ubuntu3.1 https://launchpad.net/ubuntu/+source/ruby3.2/3.2.3-1ubuntu0.24.04.8 https://launchpad.net/ubuntu/+source/ruby3.0/3.0.2-7ubuntu2.13 . Update your Ubuntu systems to address critical Ruby security issues including unauthorized access and DoS risks.. Ruby security update Ubuntu network services DoS. . Severity: Important. LinuxSecurity.com Team
Security update. Publication date: 24 Jun 2026 URL: https://advisories.mageia.org/MGASA-2026-0231.html Type: security Affected Mageia releases: 9 CVE: CVE-2026-10275, CVE-2026-40528 Description: These packages fix security vulnerabilities: CVE-2026-10275, A flaw has been found in OpenSC up to 0.26.1. This affects the function test_kpgen_certwrite of the file src/tools/pkcs11-tool.c of the component pkcs11-tool Key Generation Module. This manipulation causes buffer overflow. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been published and may be used. Patch name: 814f745b3b6d100295f65f1935edd33d520d33ab. It is recommended to apply a patch to fix this issue. CVE-2026-40528, OpenSC before 0.27.0, fixed in commit 0358817, contains a stack and heap buffer overrun vulnerability in the do_key_value() function in src/pkcs15init/profile.c that allows attackers to corrupt memory by supplying a crafted profile configuration file. During pkcs15-init invocation, a key value entry beginning with '=' followed by more than sizeof(keybuf) characters is copied into keybuf via memcpy without a length check, causing both stack and heap buffer overruns. References: - https://bugs.mageia.org/show_bug.cgi?id=35710 - https://lists.opensuse.org/archives/list/
Several security issues were fixed in LXD.. ========================================================================== Ubuntu Security Notice USN-8447-2 June 18, 2026 lxd vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in LXD. Software Description: - lxd: Container hypervisor based on LXC Details: USN-8447-1 fixed vulnerabilities in Go Cryptography. This update provides the corresponding updates for Go Cryptography code embedded in LXD for CVE-2026-39830, CVE-2026-39833, CVE-2026-39834, and CVE-2026-42508. Original advisory details: It was discovered that Go Cryptography did not properly handle SSH global request responses. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2026-39830) It was discovered that Go Cryptography did not properly verify user presence when using FIDO/U2F security keys. An attacker could possibly use this issue to bypass user presence verification for hardware security keys. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-39831) It was discovered that Go Cryptography did not properly serialize SSH agent key constraint extensions. An attacker could possibly use this issue to bypass intended key usage restrictions. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-39832) It was discovered that Go Cryptography did not properly enforce the confirm-before-use constraint in the SSH agent keyring. An attacker could possibly use this issue to use SSH keys without the required user confirmation. (CVE-2026-39833) It was discovered that Go Cryptography had an integer overflow when handling large SSH channel writes. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2026-39834) It wasdiscovered that Go Cryptography did not properly check certificate authority key revocation. An attacker could possibly use this issue to bypass certificate authority revocation checks. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 26.04 LTS. (CVE-2026-42508) It was discovered that Go Cryptography did not properly enforce the source- address critical option for all SSH server callback types. An attacker could possibly use this issue to bypass source address authorization restrictions. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-46595) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS lxd 3.0.3-0ubuntu1~18.04.2+esm3 Available with Ubuntu Pro Ubuntu 16.04 LTS lxd 2.0.11-0ubuntu1~16.04.4+esm3 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8447-2 https://ubuntu.com/security/notices/USN-8447-1 CVE-2026-39830, CVE-2026-39833, CVE-2026-39834, CVE-2026-42508 . Explore critical advisories for Ubuntu LXD that resolve multiple security issues, ensuring system integrity and safety.. Ubuntu LXD security critical updates remote exploits. . Severity: Critical. LinuxSecurity.com Team
USN-6455-1 introduced a regression in Exim. ========================================================================== Ubuntu Security Notice USN-6455-2 June 10, 2026 exim4 regression ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS Summary: USN-6455-1 introduced a regression in Exim Software Description: - exim4: Exim is a mail transport agent Details: USN-6455-1 fixed vulnerabilities in Exim. The fix for CVE-2023-42117 introduced a regression on Ubuntu 22.04 LTS that resulted in certain connections logging a Taint mismatch error. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that Exim incorrectly handled validation of user-supplied data, which could lead to memory corruption. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2023-42117) It was discovered that Exim incorrectly handled validation of user-supplied data, which could lead to an out-of-bounds read. An attacker could possibly use this issue to expose sensitive information. (CVE-2023-42119) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS exim4 4.95-4ubuntu2.10 exim4-daemon-heavy 4.95-4ubuntu2.10 exim4-daemon-light 4.95-4ubuntu2.10 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6455-2 https://ubuntu.com/security/notices/USN-6455-1 https://launchpad.net/bugs/2152830 Package Information: https://launchpad.net/ubuntu/+source/exim4/4.95-4ubuntu2.10 . Exim on Ubuntu 22.04 LTS had a regression after security fix USN-6455-1, affecting stability when handling user data.. Ubuntu Security, Exim4 Malware, Memory Corruption Fix, Remote Attack Vulnerability, Exim Regression Update. . Severity: Important.LinuxSecurity.com Team
Security update. Publication date: 10 Jun 2026 URL: https://advisories.mageia.org/MGASA-2026-0183.html Type: security Affected Mageia releases: 9 CVE: CVE-2026-33250 Description: CVE-2026-33250, freeciv crash with a stack overflow when receiving specially-crafted packets. A remote attacker can use this to take down any public server. A malicious server can use this to crash the game on the player's machine References: - https://bugs.mageia.org/show_bug.cgi?id=35257 - https://lists.debian.org/debian-security-announce/2026/msg00082.html - https://www.cve.org/CVERecord?id=CVE-2026-33250 SRPMS: - 9/core/freeciv-3.0.7-1.2.mga9 . New Mageia security advisory addresses critical freeciv vulnerability causing crashes due to remote attacks with crafted packets.. Mageia Security Advisory, freeciv Crash Bug, Remote Attack Prevention, Mageia Update. . Severity: Important. LinuxSecurity.com Team
Kea DHCP could be made to crash if it received specially crafted messages.. ========================================================================== Ubuntu Security Notice USN-8403-1 June 08, 2026 isc-kea vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.10 - Ubuntu 24.04 LTS Summary: Kea DHCP could be made to crash if it received specially crafted messages. Software Description: - isc-kea: Standards-based DHCP server Details: Ali Norouzi discovered that Kea DHCP did not properly handle maliciously crafted messages over configured API sockets and HA listeners. A remote attacker could possibly use this issue to cause Kea DHCP to crash, resulting in a denial of service. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.10 kea-admin 2.6.3-2ubuntu0.1 kea-common 2.6.3-2ubuntu0.1 kea-dhcp-ddns-server 2.6.3-2ubuntu0.1 kea-dhcp4-server 2.6.3-2ubuntu0.1 kea-dhcp6-server 2.6.3-2ubuntu0.1 Ubuntu 24.04 LTS kea-admin 2.4.1-3ubuntu0.2 kea-common 2.4.1-3ubuntu0.2 kea-dhcp-ddns-server 2.4.1-3ubuntu0.2 kea-dhcp4-server 2.4.1-3ubuntu0.2 kea-dhcp6-server 2.4.1-3ubuntu0.2 After a standard system update you may need to restart Kea DHCP server instances to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8403-1 CVE-2026-3608 Package Information: https://launchpad.net/ubuntu/+source/isc-kea/2.6.3-2ubuntu0.1 https://launchpad.net/ubuntu/+source/isc-kea/2.4.1-3ubuntu0.2 . Update for Kea DHCP in Ubuntu to prevent potential crashes from crafted messages. Addresses denial of service risks.. Kea DHCP, Ubuntu update, Crash prevention, Denial of service, isc-kea. . Severity: Important. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.