{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [],
            "removed": [],
            "diff": [
                "gzip",
                "libncurses6",
                "libncursesw6",
                "libnghttp2-14",
                "libpython3.10-minimal",
                "libpython3.10-stdlib",
                "libtinfo6",
                "ncurses-base",
                "ncurses-bin",
                "python3.10",
                "python3.10-minimal",
                "tar",
                "tzdata",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "gzip",
                "from_version": {
                    "source_package_name": "gzip",
                    "source_package_version": "1.10-4ubuntu4.1",
                    "version": "1.10-4ubuntu4.1"
                },
                "to_version": {
                    "source_package_name": "gzip",
                    "source_package_version": "1.10-4ubuntu4.2",
                    "version": "1.10-4ubuntu4.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-41991",
                        "url": "https://ubuntu.com/security/CVE-2026-41991",
                        "cve_description": "GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite.  This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-29 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-41992",
                        "url": "https://ubuntu.com/security/CVE-2026-41992",
                        "cve_description": "GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer.  This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-29 12:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-41991",
                                "url": "https://ubuntu.com/security/CVE-2026-41991",
                                "cve_description": "GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite.  This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-29 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-41992",
                                "url": "https://ubuntu.com/security/CVE-2026-41992",
                                "cve_description": "GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer.  This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-29 12:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: insecure temp file handling",
                            "    - debian/patches/CVE-2026-41991.patch: gzexe: use -C if lacking mktemp in",
                            "      gzexe.in, zdiff.in.",
                            "    - CVE-2026-41991",
                            "  * SECURITY UPDATE: overflow in LZH decompression logic",
                            "    - debian/patches/CVE-2026-41992.patch: gzip: don’t mishandle .lzh after .Z",
                            "      in unlzh.c.",
                            "    - CVE-2026-41992",
                            ""
                        ],
                        "package": "gzip",
                        "version": "1.10-4ubuntu4.2",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 03 Jul 2026 07:55:53 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libncurses6",
                "from_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.1",
                    "version": "6.3-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.2",
                    "version": "6.3-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-69720",
                        "url": "https://ubuntu.com/security/CVE-2025-69720",
                        "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-19 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-69720",
                                "url": "https://ubuntu.com/security/CVE-2025-69720",
                                "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-19 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: stack-based buffer overflow in infocmp",
                            "    - debian/patches/CVE-2025-69720.patch: clamp length to",
                            "      MAX_TERMINFO_LENGTH before copying into buf2 in analyze_string.",
                            "    - CVE-2025-69720",
                            ""
                        ],
                        "package": "ncurses",
                        "version": "6.3-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Jun 2026 21:25:30 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libncursesw6",
                "from_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.1",
                    "version": "6.3-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.2",
                    "version": "6.3-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-69720",
                        "url": "https://ubuntu.com/security/CVE-2025-69720",
                        "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-19 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-69720",
                                "url": "https://ubuntu.com/security/CVE-2025-69720",
                                "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-19 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: stack-based buffer overflow in infocmp",
                            "    - debian/patches/CVE-2025-69720.patch: clamp length to",
                            "      MAX_TERMINFO_LENGTH before copying into buf2 in analyze_string.",
                            "    - CVE-2025-69720",
                            ""
                        ],
                        "package": "ncurses",
                        "version": "6.3-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Jun 2026 21:25:30 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnghttp2-14",
                "from_version": {
                    "source_package_name": "nghttp2",
                    "source_package_version": "1.43.0-1ubuntu0.3",
                    "version": "1.43.0-1ubuntu0.3"
                },
                "to_version": {
                    "source_package_name": "nghttp2",
                    "source_package_version": "1.43.0-1ubuntu0.4",
                    "version": "1.43.0-1ubuntu0.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-58055",
                        "url": "https://ubuntu.com/security/CVE-2026-58055",
                        "cve_description": "nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-28 02:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-58055",
                                "url": "https://ubuntu.com/security/CVE-2026-58055",
                                "cve_description": "nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-28 02:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: HTTP request/response smuggling issue",
                            "    - debian/patches/CVE-2026-58055-pre1.patch: nghttpx: Remove trailing white",
                            "      spaces from HTTP/1.1 fields in src/shrpx-unittest.cc,",
                            "      src/shrpx_downstream.h, src/shrpx_http_downstream_connection.cc,",
                            "      src/shrpx_https_upstream.cc, src/util.cc, src/util.h, src/util_test.cc,",
                            "      src/util_test.h.",
                            "    - debian/patches/CVE-2026-58055-pre2.patch: nghttpx: Stricter transfer-",
                            "      encoding checks in integration-tests/nghttpx_http1_test.go, src/http2.cc,",
                            "      src/http2.h, src/http2_test.cc, src/http2_test.h, src/shrpx-unittest.cc,",
                            "      src/shrpx_downstream.cc, src/shrpx_http_downstream_connection.cc,",
                            "      src/shrpx_https_upstream.cc.",
                            "    - debian/patches/CVE-2026-58055.patch: nghttpx: Tighten up CONNECT and HTTP",
                            "      Upgrade handling in src/shrpx_downstream.cc, src/shrpx_downstream.h,",
                            "      src/shrpx_http2_upstream.cc, src/shrpx_http_downstream_connection.cc,",
                            "      src/shrpx_http_downstream_connection.h, src/shrpx_https_upstream.cc.",
                            "    - CVE-2026-58055",
                            ""
                        ],
                        "package": "nghttp2",
                        "version": "1.43.0-1ubuntu0.4",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 30 Jun 2026 13:21:48 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.10-minimal",
                "from_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.15",
                    "version": "3.10.12-1~22.04.15"
                },
                "to_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.16",
                    "version": "3.10.12-1~22.04.16"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-13462",
                        "url": "https://ubuntu.com/security/CVE-2025-13462",
                        "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69534",
                        "url": "https://ubuntu.com/security/CVE-2025-69534",
                        "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-05 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1299",
                        "url": "https://ubuntu.com/security/CVE-2026-1299",
                        "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-23 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-2297",
                        "url": "https://ubuntu.com/security/CVE-2026-2297",
                        "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-04 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3644",
                        "url": "https://ubuntu.com/security/CVE-2026-3644",
                        "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4224",
                        "url": "https://ubuntu.com/security/CVE-2026-4224",
                        "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-13462",
                                "url": "https://ubuntu.com/security/CVE-2025-13462",
                                "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69534",
                                "url": "https://ubuntu.com/security/CVE-2025-69534",
                                "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-05 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1299",
                                "url": "https://ubuntu.com/security/CVE-2026-1299",
                                "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-23 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-2297",
                                "url": "https://ubuntu.com/security/CVE-2026-2297",
                                "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-04 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3644",
                                "url": "https://ubuntu.com/security/CVE-2026-3644",
                                "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4224",
                                "url": "https://ubuntu.com/security/CVE-2026-4224",
                                "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: incorrect normalization in tarfile module",
                            "    - debian/patches/CVE-2025-13462.patch: Skip TarInfo DIRTYPE normalization",
                            "      during GNU long name handling in Lib/tarfile.py,",
                            "      Lib/test/test_tarfile.py.",
                            "    - CVE-2025-13462",
                            "  * SECURITY UPDATE: crash in Markdown parsing",
                            "    - debian/patches/CVE-2025-69534-1.patch: Fix comment parsing in HTMLParser",
                            "      according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-2.patch: Fix parsing start and end tags in",
                            "      HTMLParser according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/support/__init__.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-3.patch: Fix parsing attributes with",
                            "      whitespaces around the \"=\" separator in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-4.patch: Fix support of elements \"textarea\"",
                            "      and \"title\" in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-5.patch: Fix CDATA section parsing in",
                            "      HTMLParser in Lib/html/parser.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-6.patch: Support more RAWTEXT and PLAINTEXT",
                            "      elements in HTMLParser in Doc/library/html.parser.rst, Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - CVE-2025-69534",
                            "  * SECURITY UPDATE: incorrect newlines quoting in email module",
                            "    - debian/patches/CVE-2026-1299.patch: email: verify headers are sound in",
                            "      BytesGenerator in Lib/email/generator.py,",
                            "      Lib/test/test_email/test_generator.py, Lib/test/test_email/test_policy.py.",
                            "    - CVE-2026-1299",
                            "  * SECURITY UPDATE:HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py, Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: missing audit event for legacy *.pyc files",
                            "    - debian/patches/CVE-2026-2297.patch: Ensure SourcelessFileLoader uses",
                            "      io.open_code in Lib/importlib/_bootstrap_external.py.",
                            "    - CVE-2026-2297",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2026-0672",
                            "    - debian/patches/CVE-2026-3644.patch: Reject control characters in",
                            "      http.cookies.Morsel.update() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-3644",
                            "  * SECURITY UPDATE: Overflow in Expat parser",
                            "    - debian/patches/CVE-2026-4224.patch: Avoid unbound C recursion in",
                            "      conv_content_model in pyexpat.c in Lib/test/test_pyexpat.py,",
                            "      Modules/pyexpat.c.",
                            "    - CVE-2026-4224",
                            "  * SECURITY UPDATE: leading dashes used as options in webbrowser.open()",
                            "    - debian/patches/CVE-2026-4519-1.patch: Reject leading dashes in webbrowser",
                            "      URLs in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - debian/patches/CVE-2026-4519-2.patch: Tweak the exception message and",
                            "      increase test coverage in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - CVE-2026-4519",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use `decodeURIComponent()` for",
                            "      UTF-8 support in `js_output()` in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      `{LZMA,BZ2,_Zlib}Decompressor` in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() (GH-149648) (#149795) in Lib/ftplib.py,",
                            "      Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.10",
                        "version": "3.10.12-1~22.04.16",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 22 Jun 2026 14:55:27 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.10-stdlib",
                "from_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.15",
                    "version": "3.10.12-1~22.04.15"
                },
                "to_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.16",
                    "version": "3.10.12-1~22.04.16"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-13462",
                        "url": "https://ubuntu.com/security/CVE-2025-13462",
                        "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69534",
                        "url": "https://ubuntu.com/security/CVE-2025-69534",
                        "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-05 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1299",
                        "url": "https://ubuntu.com/security/CVE-2026-1299",
                        "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-23 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-2297",
                        "url": "https://ubuntu.com/security/CVE-2026-2297",
                        "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-04 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3644",
                        "url": "https://ubuntu.com/security/CVE-2026-3644",
                        "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4224",
                        "url": "https://ubuntu.com/security/CVE-2026-4224",
                        "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-13462",
                                "url": "https://ubuntu.com/security/CVE-2025-13462",
                                "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69534",
                                "url": "https://ubuntu.com/security/CVE-2025-69534",
                                "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-05 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1299",
                                "url": "https://ubuntu.com/security/CVE-2026-1299",
                                "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-23 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-2297",
                                "url": "https://ubuntu.com/security/CVE-2026-2297",
                                "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-04 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3644",
                                "url": "https://ubuntu.com/security/CVE-2026-3644",
                                "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4224",
                                "url": "https://ubuntu.com/security/CVE-2026-4224",
                                "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: incorrect normalization in tarfile module",
                            "    - debian/patches/CVE-2025-13462.patch: Skip TarInfo DIRTYPE normalization",
                            "      during GNU long name handling in Lib/tarfile.py,",
                            "      Lib/test/test_tarfile.py.",
                            "    - CVE-2025-13462",
                            "  * SECURITY UPDATE: crash in Markdown parsing",
                            "    - debian/patches/CVE-2025-69534-1.patch: Fix comment parsing in HTMLParser",
                            "      according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-2.patch: Fix parsing start and end tags in",
                            "      HTMLParser according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/support/__init__.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-3.patch: Fix parsing attributes with",
                            "      whitespaces around the \"=\" separator in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-4.patch: Fix support of elements \"textarea\"",
                            "      and \"title\" in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-5.patch: Fix CDATA section parsing in",
                            "      HTMLParser in Lib/html/parser.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-6.patch: Support more RAWTEXT and PLAINTEXT",
                            "      elements in HTMLParser in Doc/library/html.parser.rst, Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - CVE-2025-69534",
                            "  * SECURITY UPDATE: incorrect newlines quoting in email module",
                            "    - debian/patches/CVE-2026-1299.patch: email: verify headers are sound in",
                            "      BytesGenerator in Lib/email/generator.py,",
                            "      Lib/test/test_email/test_generator.py, Lib/test/test_email/test_policy.py.",
                            "    - CVE-2026-1299",
                            "  * SECURITY UPDATE:HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py, Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: missing audit event for legacy *.pyc files",
                            "    - debian/patches/CVE-2026-2297.patch: Ensure SourcelessFileLoader uses",
                            "      io.open_code in Lib/importlib/_bootstrap_external.py.",
                            "    - CVE-2026-2297",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2026-0672",
                            "    - debian/patches/CVE-2026-3644.patch: Reject control characters in",
                            "      http.cookies.Morsel.update() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-3644",
                            "  * SECURITY UPDATE: Overflow in Expat parser",
                            "    - debian/patches/CVE-2026-4224.patch: Avoid unbound C recursion in",
                            "      conv_content_model in pyexpat.c in Lib/test/test_pyexpat.py,",
                            "      Modules/pyexpat.c.",
                            "    - CVE-2026-4224",
                            "  * SECURITY UPDATE: leading dashes used as options in webbrowser.open()",
                            "    - debian/patches/CVE-2026-4519-1.patch: Reject leading dashes in webbrowser",
                            "      URLs in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - debian/patches/CVE-2026-4519-2.patch: Tweak the exception message and",
                            "      increase test coverage in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - CVE-2026-4519",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use `decodeURIComponent()` for",
                            "      UTF-8 support in `js_output()` in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      `{LZMA,BZ2,_Zlib}Decompressor` in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() (GH-149648) (#149795) in Lib/ftplib.py,",
                            "      Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.10",
                        "version": "3.10.12-1~22.04.16",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 22 Jun 2026 14:55:27 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libtinfo6",
                "from_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.1",
                    "version": "6.3-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.2",
                    "version": "6.3-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-69720",
                        "url": "https://ubuntu.com/security/CVE-2025-69720",
                        "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-19 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-69720",
                                "url": "https://ubuntu.com/security/CVE-2025-69720",
                                "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-19 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: stack-based buffer overflow in infocmp",
                            "    - debian/patches/CVE-2025-69720.patch: clamp length to",
                            "      MAX_TERMINFO_LENGTH before copying into buf2 in analyze_string.",
                            "    - CVE-2025-69720",
                            ""
                        ],
                        "package": "ncurses",
                        "version": "6.3-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Jun 2026 21:25:30 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ncurses-base",
                "from_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.1",
                    "version": "6.3-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.2",
                    "version": "6.3-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-69720",
                        "url": "https://ubuntu.com/security/CVE-2025-69720",
                        "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-19 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-69720",
                                "url": "https://ubuntu.com/security/CVE-2025-69720",
                                "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-19 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: stack-based buffer overflow in infocmp",
                            "    - debian/patches/CVE-2025-69720.patch: clamp length to",
                            "      MAX_TERMINFO_LENGTH before copying into buf2 in analyze_string.",
                            "    - CVE-2025-69720",
                            ""
                        ],
                        "package": "ncurses",
                        "version": "6.3-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Jun 2026 21:25:30 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ncurses-bin",
                "from_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.1",
                    "version": "6.3-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.2",
                    "version": "6.3-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-69720",
                        "url": "https://ubuntu.com/security/CVE-2025-69720",
                        "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-19 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-69720",
                                "url": "https://ubuntu.com/security/CVE-2025-69720",
                                "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-19 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: stack-based buffer overflow in infocmp",
                            "    - debian/patches/CVE-2025-69720.patch: clamp length to",
                            "      MAX_TERMINFO_LENGTH before copying into buf2 in analyze_string.",
                            "    - CVE-2025-69720",
                            ""
                        ],
                        "package": "ncurses",
                        "version": "6.3-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Jun 2026 21:25:30 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.10",
                "from_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.15",
                    "version": "3.10.12-1~22.04.15"
                },
                "to_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.16",
                    "version": "3.10.12-1~22.04.16"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-13462",
                        "url": "https://ubuntu.com/security/CVE-2025-13462",
                        "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69534",
                        "url": "https://ubuntu.com/security/CVE-2025-69534",
                        "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-05 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1299",
                        "url": "https://ubuntu.com/security/CVE-2026-1299",
                        "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-23 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-2297",
                        "url": "https://ubuntu.com/security/CVE-2026-2297",
                        "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-04 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3644",
                        "url": "https://ubuntu.com/security/CVE-2026-3644",
                        "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4224",
                        "url": "https://ubuntu.com/security/CVE-2026-4224",
                        "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-13462",
                                "url": "https://ubuntu.com/security/CVE-2025-13462",
                                "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69534",
                                "url": "https://ubuntu.com/security/CVE-2025-69534",
                                "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-05 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1299",
                                "url": "https://ubuntu.com/security/CVE-2026-1299",
                                "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-23 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-2297",
                                "url": "https://ubuntu.com/security/CVE-2026-2297",
                                "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-04 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3644",
                                "url": "https://ubuntu.com/security/CVE-2026-3644",
                                "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4224",
                                "url": "https://ubuntu.com/security/CVE-2026-4224",
                                "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: incorrect normalization in tarfile module",
                            "    - debian/patches/CVE-2025-13462.patch: Skip TarInfo DIRTYPE normalization",
                            "      during GNU long name handling in Lib/tarfile.py,",
                            "      Lib/test/test_tarfile.py.",
                            "    - CVE-2025-13462",
                            "  * SECURITY UPDATE: crash in Markdown parsing",
                            "    - debian/patches/CVE-2025-69534-1.patch: Fix comment parsing in HTMLParser",
                            "      according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-2.patch: Fix parsing start and end tags in",
                            "      HTMLParser according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/support/__init__.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-3.patch: Fix parsing attributes with",
                            "      whitespaces around the \"=\" separator in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-4.patch: Fix support of elements \"textarea\"",
                            "      and \"title\" in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-5.patch: Fix CDATA section parsing in",
                            "      HTMLParser in Lib/html/parser.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-6.patch: Support more RAWTEXT and PLAINTEXT",
                            "      elements in HTMLParser in Doc/library/html.parser.rst, Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - CVE-2025-69534",
                            "  * SECURITY UPDATE: incorrect newlines quoting in email module",
                            "    - debian/patches/CVE-2026-1299.patch: email: verify headers are sound in",
                            "      BytesGenerator in Lib/email/generator.py,",
                            "      Lib/test/test_email/test_generator.py, Lib/test/test_email/test_policy.py.",
                            "    - CVE-2026-1299",
                            "  * SECURITY UPDATE:HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py, Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: missing audit event for legacy *.pyc files",
                            "    - debian/patches/CVE-2026-2297.patch: Ensure SourcelessFileLoader uses",
                            "      io.open_code in Lib/importlib/_bootstrap_external.py.",
                            "    - CVE-2026-2297",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2026-0672",
                            "    - debian/patches/CVE-2026-3644.patch: Reject control characters in",
                            "      http.cookies.Morsel.update() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-3644",
                            "  * SECURITY UPDATE: Overflow in Expat parser",
                            "    - debian/patches/CVE-2026-4224.patch: Avoid unbound C recursion in",
                            "      conv_content_model in pyexpat.c in Lib/test/test_pyexpat.py,",
                            "      Modules/pyexpat.c.",
                            "    - CVE-2026-4224",
                            "  * SECURITY UPDATE: leading dashes used as options in webbrowser.open()",
                            "    - debian/patches/CVE-2026-4519-1.patch: Reject leading dashes in webbrowser",
                            "      URLs in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - debian/patches/CVE-2026-4519-2.patch: Tweak the exception message and",
                            "      increase test coverage in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - CVE-2026-4519",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use `decodeURIComponent()` for",
                            "      UTF-8 support in `js_output()` in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      `{LZMA,BZ2,_Zlib}Decompressor` in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() (GH-149648) (#149795) in Lib/ftplib.py,",
                            "      Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.10",
                        "version": "3.10.12-1~22.04.16",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 22 Jun 2026 14:55:27 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.10-minimal",
                "from_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.15",
                    "version": "3.10.12-1~22.04.15"
                },
                "to_version": {
                    "source_package_name": "python3.10",
                    "source_package_version": "3.10.12-1~22.04.16",
                    "version": "3.10.12-1~22.04.16"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-13462",
                        "url": "https://ubuntu.com/security/CVE-2025-13462",
                        "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69534",
                        "url": "https://ubuntu.com/security/CVE-2025-69534",
                        "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-05 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1299",
                        "url": "https://ubuntu.com/security/CVE-2026-1299",
                        "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-23 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-2297",
                        "url": "https://ubuntu.com/security/CVE-2026-2297",
                        "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-04 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3644",
                        "url": "https://ubuntu.com/security/CVE-2026-3644",
                        "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4224",
                        "url": "https://ubuntu.com/security/CVE-2026-4224",
                        "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-16 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-13462",
                                "url": "https://ubuntu.com/security/CVE-2025-13462",
                                "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69534",
                                "url": "https://ubuntu.com/security/CVE-2025-69534",
                                "cve_description": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-05 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1299",
                                "url": "https://ubuntu.com/security/CVE-2026-1299",
                                "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-23 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-2297",
                                "url": "https://ubuntu.com/security/CVE-2026-2297",
                                "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-04 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3644",
                                "url": "https://ubuntu.com/security/CVE-2026-3644",
                                "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4224",
                                "url": "https://ubuntu.com/security/CVE-2026-4224",
                                "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-16 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: incorrect normalization in tarfile module",
                            "    - debian/patches/CVE-2025-13462.patch: Skip TarInfo DIRTYPE normalization",
                            "      during GNU long name handling in Lib/tarfile.py,",
                            "      Lib/test/test_tarfile.py.",
                            "    - CVE-2025-13462",
                            "  * SECURITY UPDATE: crash in Markdown parsing",
                            "    - debian/patches/CVE-2025-69534-1.patch: Fix comment parsing in HTMLParser",
                            "      according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-2.patch: Fix parsing start and end tags in",
                            "      HTMLParser according to the HTML5 standard in Lib/html/parser.py,",
                            "      Lib/test/support/__init__.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-3.patch: Fix parsing attributes with",
                            "      whitespaces around the \"=\" separator in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-4.patch: Fix support of elements \"textarea\"",
                            "      and \"title\" in HTMLParser in Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-5.patch: Fix CDATA section parsing in",
                            "      HTMLParser in Lib/html/parser.py, Lib/test/test_htmlparser.py.",
                            "    - debian/patches/CVE-2025-69534-6.patch: Support more RAWTEXT and PLAINTEXT",
                            "      elements in HTMLParser in Doc/library/html.parser.rst, Lib/html/parser.py,",
                            "      Lib/test/test_htmlparser.py.",
                            "    - CVE-2025-69534",
                            "  * SECURITY UPDATE: incorrect newlines quoting in email module",
                            "    - debian/patches/CVE-2026-1299.patch: email: verify headers are sound in",
                            "      BytesGenerator in Lib/email/generator.py,",
                            "      Lib/test/test_email/test_generator.py, Lib/test/test_email/test_policy.py.",
                            "    - CVE-2026-1299",
                            "  * SECURITY UPDATE:HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py, Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: missing audit event for legacy *.pyc files",
                            "    - debian/patches/CVE-2026-2297.patch: Ensure SourcelessFileLoader uses",
                            "      io.open_code in Lib/importlib/_bootstrap_external.py.",
                            "    - CVE-2026-2297",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2026-0672",
                            "    - debian/patches/CVE-2026-3644.patch: Reject control characters in",
                            "      http.cookies.Morsel.update() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-3644",
                            "  * SECURITY UPDATE: Overflow in Expat parser",
                            "    - debian/patches/CVE-2026-4224.patch: Avoid unbound C recursion in",
                            "      conv_content_model in pyexpat.c in Lib/test/test_pyexpat.py,",
                            "      Modules/pyexpat.c.",
                            "    - CVE-2026-4224",
                            "  * SECURITY UPDATE: leading dashes used as options in webbrowser.open()",
                            "    - debian/patches/CVE-2026-4519-1.patch: Reject leading dashes in webbrowser",
                            "      URLs in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - debian/patches/CVE-2026-4519-2.patch: Tweak the exception message and",
                            "      increase test coverage in Lib/test/test_webbrowser.py, Lib/webbrowser.py.",
                            "    - CVE-2026-4519",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use `decodeURIComponent()` for",
                            "      UTF-8 support in `js_output()` in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      `{LZMA,BZ2,_Zlib}Decompressor` in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() (GH-149648) (#149795) in Lib/ftplib.py,",
                            "      Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.10",
                        "version": "3.10.12-1~22.04.16",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 22 Jun 2026 14:55:27 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tar",
                "from_version": {
                    "source_package_name": "tar",
                    "source_package_version": "1.34+dfsg-1ubuntu0.1.22.04.3",
                    "version": "1.34+dfsg-1ubuntu0.1.22.04.3"
                },
                "to_version": {
                    "source_package_name": "tar",
                    "source_package_version": "1.34+dfsg-1ubuntu0.1.22.04.4",
                    "version": "1.34+dfsg-1ubuntu0.1.22.04.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-45582",
                        "url": "https://ubuntu.com/security/CVE-2025-45582",
                        "cve_description": "GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of \"Member name contains '..'\" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain \"x -> ../../../../../home/victim/.ssh\" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which \"tar xf\" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each \"tar xf\" in its Security Rules of Thumb; however, third-party advice leads users to run \"tar xf\" more than once into the same directory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-11 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-45582",
                                "url": "https://ubuntu.com/security/CVE-2025-45582",
                                "cve_description": "GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of \"Member name contains '..'\" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain \"x -> ../../../../../home/victim/.ssh\" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which \"tar xf\" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each \"tar xf\" in its Security Rules of Thumb; however, third-party advice leads users to run \"tar xf\" more than once into the same directory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-11 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: File overwrite via directory traversal",
                            "    - debian/patches/CVE-2025-45582-*.patch: Backport openat2 support in",
                            "      order to jailify the extraction directory.",
                            "    - CVE-2025-45582",
                            ""
                        ],
                        "package": "tar",
                        "version": "1.34+dfsg-1ubuntu0.1.22.04.4",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Sat, 27 Jun 2026 17:53:20 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tzdata",
                "from_version": {
                    "source_package_name": "tzdata",
                    "source_package_version": "2026a-0ubuntu0.22.04.1",
                    "version": "2026a-0ubuntu0.22.04.1"
                },
                "to_version": {
                    "source_package_name": "tzdata",
                    "source_package_version": "2026b-0ubuntu0.22.04.1",
                    "version": "2026b-0ubuntu0.22.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2157973
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release (LP: #2157973):",
                            "    - British Columbia moved to permanent -07 on 2026-03-09, so it will not",
                            "      fall back from -07 to -08 on 2026-11-01.",
                            "  * Add autopkgtest test case for 2026b release",
                            "  * Update the ICU timezone data to 2026b",
                            "  * Add autopkgtest test case for ICU timezone data 2026b",
                            ""
                        ],
                        "package": "tzdata",
                        "version": "2026b-0ubuntu0.22.04.1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2157973
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 23 Jun 2026 14:44:01 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.32",
                    "version": "2:8.2.3995-1ubuntu2.32"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.33",
                    "version": "2:8.2.3995-1ubuntu2.33"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:8.2.3995-1ubuntu2.33",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:46:22 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [],
        "snap": []
    },
    "removed": {
        "deb": [],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 22.04 jammy image from release image serial 20260701 to 20260708",
    "from_series": "jammy",
    "to_series": "jammy",
    "from_serial": "20260701",
    "to_serial": "20260708",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}