{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [],
            "removed": [],
            "diff": [
                "curl",
                "gzip",
                "libcurl4t64",
                "libnghttp2-14",
                "libpython3.14-minimal",
                "libpython3.14-stdlib",
                "python3.14",
                "python3.14-minimal",
                "tar",
                "tzdata",
                "ubuntu-cloud-minimal",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "curl",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2.2",
                    "version": "8.18.0-1ubuntu2.2"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2.3",
                    "version": "8.18.0-1ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-10536",
                        "url": "https://ubuntu.com/security/CVE-2026-10536",
                        "cve_description": "A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11352",
                        "url": "https://ubuntu.com/security/CVE-2026-11352",
                        "cve_description": "An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11564",
                        "url": "https://ubuntu.com/security/CVE-2026-11564",
                        "cve_description": "libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.  An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11586",
                        "url": "https://ubuntu.com/security/CVE-2026-11586",
                        "cve_description": "By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-12064",
                        "url": "https://ubuntu.com/security/CVE-2026-12064",
                        "cve_description": "When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-10536",
                                "url": "https://ubuntu.com/security/CVE-2026-10536",
                                "cve_description": "A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11352",
                                "url": "https://ubuntu.com/security/CVE-2026-11352",
                                "cve_description": "An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11564",
                                "url": "https://ubuntu.com/security/CVE-2026-11564",
                                "cve_description": "libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.  An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11586",
                                "url": "https://ubuntu.com/security/CVE-2026-11586",
                                "cve_description": "By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-12064",
                                "url": "https://ubuntu.com/security/CVE-2026-12064",
                                "cve_description": "When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Use after free in curl_easy_reset.",
                            "    - debian/patches/CVE-2026-10536.patch: Deprecate CURLOPT_* in",
                            "      include/curl/curl.h, lib/http2.c,",
                            "      lib/setopt.c, lib/url.c, and lib/urldata.h",
                            "    - CVE-2026-10536",
                            "  * SECURITY UPDATE: Denial of service in QUIC UDP.",
                            "    - debian/patches/CVE-2026-11352.patch: Count zero-length UDP packets",
                            "      and enforce an upper bound in",
                            "      lib/vquic/vquic.c",
                            "    - CVE-2026-11352",
                            "  * SECURITY UPDATE: Improper certificate validation in native_ca_store.",
                            "    - debian/patches/CVE-2026-11564.patch: Add bit native_ca_store_opt to",
                            "      keep the setting of CURLOPT_(PROXY_)SSL_OPTIONS and use that to",
                            "      calculate every easy transfer if a native CA store shall be used or",
                            "      not in lib/doh.c, lib/setopt.c, and lib/vtls/vtls.c",
                            "    - CVE-2026-11564",
                            "  * SECURITY UPDATE: Memory exhaustion in ws.c",
                            "    - debian/patches/CVE-2026-11586.patch: Do not send PONG frames unless",
                            "      there is sufficient space left in the websocket send buffer in",
                            "      lib/ws.c.",
                            "    - CVE-2026-11586",
                            "  * SECURITY UPDATE: Improper validation in config2setopts.",
                            "    - debian/patches/CVE-2026-12064.patch: Use default protocol properly in",
                            "      src/config2setopts.c.",
                            "    - CVE-2026-12064",
                            ""
                        ],
                        "package": "curl",
                        "version": "8.18.0-1ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 06 Jul 2026 10:45:44 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "gzip",
                "from_version": {
                    "source_package_name": "gzip",
                    "source_package_version": "1.14-1~exp2ubuntu1",
                    "version": "1.14-1~exp2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "gzip",
                    "source_package_version": "1.14-1~exp2ubuntu1.1",
                    "version": "1.14-1~exp2ubuntu1.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-41991",
                        "url": "https://ubuntu.com/security/CVE-2026-41991",
                        "cve_description": "GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite.  This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-29 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-41992",
                        "url": "https://ubuntu.com/security/CVE-2026-41992",
                        "cve_description": "GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer.  This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-29 12:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-41991",
                                "url": "https://ubuntu.com/security/CVE-2026-41991",
                                "cve_description": "GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite.  This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-29 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-41992",
                                "url": "https://ubuntu.com/security/CVE-2026-41992",
                                "cve_description": "GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer.  This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-29 12:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: insecure temp file handling",
                            "    - debian/patches/CVE-2026-41991.patch: gzexe: use -C if lacking mktemp in",
                            "      gzexe.in, zdiff.in.",
                            "    - CVE-2026-41991",
                            "  * SECURITY UPDATE: overflow in LZH decompression logic",
                            "    - debian/patches/CVE-2026-41992.patch: gzip: don’t mishandle .lzh after .Z",
                            "      in unlzh.c.",
                            "    - CVE-2026-41992",
                            ""
                        ],
                        "package": "gzip",
                        "version": "1.14-1~exp2ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 03 Jul 2026 07:51:25 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcurl4t64",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2.2",
                    "version": "8.18.0-1ubuntu2.2"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2.3",
                    "version": "8.18.0-1ubuntu2.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-10536",
                        "url": "https://ubuntu.com/security/CVE-2026-10536",
                        "cve_description": "A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11352",
                        "url": "https://ubuntu.com/security/CVE-2026-11352",
                        "cve_description": "An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11564",
                        "url": "https://ubuntu.com/security/CVE-2026-11564",
                        "cve_description": "libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.  An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11586",
                        "url": "https://ubuntu.com/security/CVE-2026-11586",
                        "cve_description": "By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-12064",
                        "url": "https://ubuntu.com/security/CVE-2026-12064",
                        "cve_description": "When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-07-03 07:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-10536",
                                "url": "https://ubuntu.com/security/CVE-2026-10536",
                                "cve_description": "A use-after-free vulnerability exists in libcurl when an application configures an HTTP/2 stream-dependency tree via `CURLOPT_STREAM_DEPENDS` or `CURLOPT_STREAM_DEPENDS_E`, subsequently invokes `curl_easy_reset()`, and finally terminates the handle with `curl_easy_cleanup()`. During this final cleanup phase, libcurl attempts to access and modify an internal structure that was already freed during the reset operation.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11352",
                                "url": "https://ubuntu.com/security/CVE-2026-11352",
                                "cve_description": "An issue in curl’s QUIC UDP receive function allows a malicious HTTP/3 server to trigger a remote denial of service against a curl or libcurl client. Because the helper function discards zero-length UDP datagrams before counting them toward the per-call packet budget, a connected QUIC peer can continuously stream empty datagrams to indefinitely stall the client.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11564",
                                "url": "https://ubuntu.com/security/CVE-2026-11564",
                                "cve_description": "libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup.  An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11586",
                                "url": "https://ubuntu.com/security/CVE-2026-11586",
                                "cve_description": "By default, curl automatically responds to WebSocket PING frames. Because curl lacks an upper bound on memory allocation for unacknowledged frames, a malicious server can exhaust all available memory by flooding curl with rapid, sequential PING messages.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-12064",
                                "url": "https://ubuntu.com/security/CVE-2026-12064",
                                "cve_description": "When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-07-03 07:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Use after free in curl_easy_reset.",
                            "    - debian/patches/CVE-2026-10536.patch: Deprecate CURLOPT_* in",
                            "      include/curl/curl.h, lib/http2.c,",
                            "      lib/setopt.c, lib/url.c, and lib/urldata.h",
                            "    - CVE-2026-10536",
                            "  * SECURITY UPDATE: Denial of service in QUIC UDP.",
                            "    - debian/patches/CVE-2026-11352.patch: Count zero-length UDP packets",
                            "      and enforce an upper bound in",
                            "      lib/vquic/vquic.c",
                            "    - CVE-2026-11352",
                            "  * SECURITY UPDATE: Improper certificate validation in native_ca_store.",
                            "    - debian/patches/CVE-2026-11564.patch: Add bit native_ca_store_opt to",
                            "      keep the setting of CURLOPT_(PROXY_)SSL_OPTIONS and use that to",
                            "      calculate every easy transfer if a native CA store shall be used or",
                            "      not in lib/doh.c, lib/setopt.c, and lib/vtls/vtls.c",
                            "    - CVE-2026-11564",
                            "  * SECURITY UPDATE: Memory exhaustion in ws.c",
                            "    - debian/patches/CVE-2026-11586.patch: Do not send PONG frames unless",
                            "      there is sufficient space left in the websocket send buffer in",
                            "      lib/ws.c.",
                            "    - CVE-2026-11586",
                            "  * SECURITY UPDATE: Improper validation in config2setopts.",
                            "    - debian/patches/CVE-2026-12064.patch: Use default protocol properly in",
                            "      src/config2setopts.c.",
                            "    - CVE-2026-12064",
                            ""
                        ],
                        "package": "curl",
                        "version": "8.18.0-1ubuntu2.3",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 06 Jul 2026 10:45:44 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnghttp2-14",
                "from_version": {
                    "source_package_name": "nghttp2",
                    "source_package_version": "1.68.0-2ubuntu0.1",
                    "version": "1.68.0-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "nghttp2",
                    "source_package_version": "1.68.0-2ubuntu0.2",
                    "version": "1.68.0-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-58055",
                        "url": "https://ubuntu.com/security/CVE-2026-58055",
                        "cve_description": "nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-28 02:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-58055",
                                "url": "https://ubuntu.com/security/CVE-2026-58055",
                                "cve_description": "nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-28 02:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: HTTP request/response smuggling issue",
                            "    - debian/patches/CVE-2026-58055.patch: nghttpx: Tighten up CONNECT and HTTP",
                            "      Upgrade handling in src/shrpx_downstream.cc, src/shrpx_downstream.h,",
                            "      src/shrpx_http2_upstream.cc, src/shrpx_http3_upstream.cc,",
                            "      src/shrpx_http_downstream_connection.cc,",
                            "      src/shrpx_http_downstream_connection.h, src/shrpx_https_upstream.cc.",
                            "    - CVE-2026-58055",
                            ""
                        ],
                        "package": "nghttp2",
                        "version": "1.68.0-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 30 Jun 2026 12:37:58 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.14-minimal",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1ubuntu0.1",
                    "version": "3.14.4-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py,",
                            "      Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient validation of remote debugging offset tables",
                            "    - debian/patches/CVE-2026-5713.patch: Validate remote debug offset tables",
                            "      on load in Modules/_remote_debugging_module.c.",
                            "    - CVE-2026-5713",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use decodeURIComponent() for",
                            "      UTF-8 support in js_output() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      {LZMA,BZ2,_Zlib}Decompressor in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c, Modules/zlibmodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: tarfile.data_filter could be bypassed",
                            "    - debian/patches/CVE-2026-7774.patch: tarfile.data_filter: validate written",
                            "      link target in Lib/tarfile.py, Lib/test/test_tarfile.py.",
                            "    - CVE-2026-7774",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() in Lib/ftplib.py, Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 18 Jun 2026 10:25:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.14-stdlib",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1ubuntu0.1",
                    "version": "3.14.4-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py,",
                            "      Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient validation of remote debugging offset tables",
                            "    - debian/patches/CVE-2026-5713.patch: Validate remote debug offset tables",
                            "      on load in Modules/_remote_debugging_module.c.",
                            "    - CVE-2026-5713",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use decodeURIComponent() for",
                            "      UTF-8 support in js_output() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      {LZMA,BZ2,_Zlib}Decompressor in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c, Modules/zlibmodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: tarfile.data_filter could be bypassed",
                            "    - debian/patches/CVE-2026-7774.patch: tarfile.data_filter: validate written",
                            "      link target in Lib/tarfile.py, Lib/test/test_tarfile.py.",
                            "    - CVE-2026-7774",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() in Lib/ftplib.py, Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 18 Jun 2026 10:25:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.14",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1ubuntu0.1",
                    "version": "3.14.4-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py,",
                            "      Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient validation of remote debugging offset tables",
                            "    - debian/patches/CVE-2026-5713.patch: Validate remote debug offset tables",
                            "      on load in Modules/_remote_debugging_module.c.",
                            "    - CVE-2026-5713",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use decodeURIComponent() for",
                            "      UTF-8 support in js_output() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      {LZMA,BZ2,_Zlib}Decompressor in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c, Modules/zlibmodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: tarfile.data_filter could be bypassed",
                            "    - debian/patches/CVE-2026-7774.patch: tarfile.data_filter: validate written",
                            "      link target in Lib/tarfile.py, Lib/test/test_tarfile.py.",
                            "    - CVE-2026-7774",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() in Lib/ftplib.py, Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 18 Jun 2026 10:25:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.14-minimal",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1ubuntu0.1",
                    "version": "3.14.4-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4519",
                        "url": "https://ubuntu.com/security/CVE-2026-4519",
                        "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-20 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6019",
                        "url": "https://ubuntu.com/security/CVE-2026-6019",
                        "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-22 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6100",
                        "url": "https://ubuntu.com/security/CVE-2026-6100",
                        "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-4189",
                        "url": "https://ubuntu.com/security/CVE-2021-4189",
                        "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-24 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4519",
                                "url": "https://ubuntu.com/security/CVE-2026-4519",
                                "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-20 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6019",
                                "url": "https://ubuntu.com/security/CVE-2026-6019",
                                "cve_description": "http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes \" for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. Mitigation base64-encodes the cookie value to disallow escaping using cookie value.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-22 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6100",
                                "url": "https://ubuntu.com/security/CVE-2026-6100",
                                "cve_description": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.  The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-4189",
                                "url": "https://ubuntu.com/security/CVE-2021-4189",
                                "cve_description": "A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-24 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: HTTP proxy via \"CONNECT\" tunneling doesn't sanitize CR/LF",
                            "    - debian/patches/CVE-2026-1502.patch: Reject CR/LF in HTTP tunnel request",
                            "      headers in Lib/http/client.py,",
                            "      Lib/test/test_httplib.py.",
                            "    - CVE-2026-1502",
                            "  * SECURITY UPDATE: unicodedata.normalize() can take excessive CPU time",
                            "    - debian/patches/CVE-2026-3276.patch: Fix O(n^2) canonical ordering in",
                            "      unicodedata.normalize() in Lib/test/test_unicodedata.py,",
                            "      Modules/unicodedata.c.",
                            "    - CVE-2026-3276",
                            "  * SECURITY UPDATE: Mitgation of CVE-2026-4519 was incomplete",
                            "    - debian/patches/CVE-2026-4786.patch: Fix webbrowser `%action` substitution",
                            "      bypass of dash-prefix check in Lib/test/test_webbrowser.py,",
                            "      Lib/webbrowser.py.",
                            "    - CVE-2026-4786",
                            "  * SECURITY UPDATE: insufficient validation of remote debugging offset tables",
                            "    - debian/patches/CVE-2026-5713.patch: Validate remote debug offset tables",
                            "      on load in Modules/_remote_debugging_module.c.",
                            "    - CVE-2026-5713",
                            "  * SECURITY UPDATE: insufficient escaping in http.cookies.Morsel.js_output()",
                            "    - debian/patches/CVE-2026-6019-1.patch: Base64-encode cookie values",
                            "      embedded in JS in Lib/http/cookies.py, Lib/test/test_http_cookies.py.",
                            "    - debian/patches/CVE-2026-6019-2.patch: Use decodeURIComponent() for",
                            "      UTF-8 support in js_output() in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2026-6019",
                            "  * SECURITY UPDATE: use-after-free in lzma, bz2, gzip decoders",
                            "    - debian/patches/CVE-2026-6100.patch: Fix a possible UAF in",
                            "      {LZMA,BZ2,_Zlib}Decompressor in Modules/_bz2module.c,",
                            "      Modules/_lzmamodule.c, Modules/zlibmodule.c.",
                            "    - CVE-2026-6100",
                            "  * SECURITY UPDATE: tarfile.data_filter could be bypassed",
                            "    - debian/patches/CVE-2026-7774.patch: tarfile.data_filter: validate written",
                            "      link target in Lib/tarfile.py, Lib/test/test_tarfile.py.",
                            "    - CVE-2026-7774",
                            "  * SECURITY UPDATE: Incomplete fix for CVE-2021-4189",
                            "    - debian/patches/CVE-2026-8328.patch: Apply CVE-2021-4189 PASV fix to",
                            "      ftplib.ftpcp() in Lib/ftplib.py, Lib/test/test_ftplib.py.",
                            "    - CVE-2026-8328",
                            "  * SECURITY UPDATE: bz2.BZ2Decompressor object reuse after decompression error",
                            "    - debian/patches/CVE-2026-9669.patch: Prevent bz2 decompressor reuse after",
                            "      errors in Lib/test/test_bz2.py, Modules/_bz2module.c.",
                            "    - CVE-2026-9669",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 18 Jun 2026 10:25:02 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tar",
                "from_version": {
                    "source_package_name": "tar",
                    "source_package_version": "1.35+dfsg-4ubuntu0.1",
                    "version": "1.35+dfsg-4ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "tar",
                    "source_package_version": "1.35+dfsg-4ubuntu0.2",
                    "version": "1.35+dfsg-4ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-45582",
                        "url": "https://ubuntu.com/security/CVE-2025-45582",
                        "cve_description": "GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of \"Member name contains '..'\" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain \"x -> ../../../../../home/victim/.ssh\" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which \"tar xf\" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each \"tar xf\" in its Security Rules of Thumb; however, third-party advice leads users to run \"tar xf\" more than once into the same directory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-11 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-45582",
                                "url": "https://ubuntu.com/security/CVE-2025-45582",
                                "cve_description": "GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of \"Member name contains '..'\" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain \"x -> ../../../../../home/victim/.ssh\" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which \"tar xf\" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each \"tar xf\" in its Security Rules of Thumb; however, third-party advice leads users to run \"tar xf\" more than once into the same directory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-11 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: File overwrite via directory traversal",
                            "    - debian/patches/CVE-2025-45582-*.patch: Backport openat2 support in",
                            "      order to jailify the extraction directory.",
                            "    - CVE-2025-45582",
                            ""
                        ],
                        "package": "tar",
                        "version": "1.35+dfsg-4ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Sat, 27 Jun 2026 19:09:16 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tzdata",
                "from_version": {
                    "source_package_name": "tzdata",
                    "source_package_version": "2026a-3ubuntu1",
                    "version": "2026a-3ubuntu1"
                },
                "to_version": {
                    "source_package_name": "tzdata",
                    "source_package_version": "2026b-0ubuntu0.26.04.1",
                    "version": "2026b-0ubuntu0.26.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2157973
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release (LP: #2157973):",
                            "    - British Columbia moved to permanent -07 on 2026-03-09, so it will not",
                            "      fall back from -07 to -08 on 2026-11-01.",
                            "  * Add autopkgtest test case for 2026b release",
                            "  * Update the ICU timezone data to 2026b",
                            "  * Add autopkgtest test case for ICU timezone data 2026b",
                            ""
                        ],
                        "package": "tzdata",
                        "version": "2026b-0ubuntu0.26.04.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2157973
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 23 Jun 2026 14:07:59 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-cloud-minimal",
                "from_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.570",
                    "version": "1.570"
                },
                "to_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.570.1",
                    "version": "1.570.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2154038,
                    2154038
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added gst-audio-thumbnailer to desktop-minimal-recommends, desktop-",
                            "    raspi-recommends (LP: #2154038)",
                            "  * Added gst-video-thumbnailer to desktop-minimal-recommends, desktop-",
                            "    raspi-recommends (LP: #2154038)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.570.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2154038,
                            2154038
                        ],
                        "author": "Alessandro Astone <alessandro.astone@canonical.com>",
                        "date": "Fri, 12 Jun 2026 17:48:27 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.5",
                    "version": "2:9.1.2141-1ubuntu4.5"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57453",
                        "url": "https://ubuntu.com/security/CVE-2026-57453",
                        "cve_description": "Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57453",
                                "url": "https://ubuntu.com/security/CVE-2026-57453",
                                "cve_description": "Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quoted only for the shell, not for PowerShell. A crafted entry name can break out of the intended string context and cause PowerShell to execute arbitrary commands with the privileges of the user running Vim, triggered by opening, viewing or extracting the archive. This vulnerability is fixed in 9.2.0678.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/pack/dist/opt/netrw/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Powershell code execution in zip.vim.",
                            "    - debian/patches/CVE-2026-57453.patch: Escape powershell code in",
                            "      runtime/autoload/zip.vim.",
                            "    - CVE-2026-57453",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.6",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:00:04 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [],
        "snap": []
    },
    "removed": {
        "deb": [],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 26.04 resolute image from daily image serial 20260702 to 20260710",
    "from_series": "resolute",
    "to_series": "resolute",
    "from_serial": "20260702",
    "to_serial": "20260710",
    "from_manifest_filename": "daily_manifest.previous",
    "to_manifest_filename": "manifest.current"
}