{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [],
            "removed": [],
            "diff": [
                "libpng16-16:s390x",
                "python3-urllib3"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "libpng16-16:s390x",
                "from_version": {
                    "source_package_name": "libpng1.6",
                    "source_package_version": "1.6.37-3ubuntu0.1",
                    "version": "1.6.37-3ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "libpng1.6",
                    "source_package_version": "1.6.37-3ubuntu0.3",
                    "version": "1.6.37-3ubuntu0.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-66293",
                        "url": "https://ubuntu.com/security/CVE-2025-66293",
                        "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-03 21:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-22695",
                        "url": "https://ubuntu.com/security/CVE-2026-22695",
                        "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-12 23:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-22801",
                        "url": "https://ubuntu.com/security/CVE-2026-22801",
                        "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes a heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-12 23:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-66293",
                                "url": "https://ubuntu.com/security/CVE-2025-66293",
                                "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-03 21:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-22695",
                                "url": "https://ubuntu.com/security/CVE-2026-22695",
                                "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-12 23:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-22801",
                                "url": "https://ubuntu.com/security/CVE-2026-22801",
                                "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes a heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-12 23:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: OOB in png_image_read_composite",
                            "    - debian/patches/CVE-2025-66293-1.patch: validate component size in",
                            "      pngread.c.",
                            "    - debian/patches/CVE-2025-66293-2.patch: improve fix in pngread.c.",
                            "    - CVE-2025-66293",
                            "  * SECURITY UPDATE: Heap buffer over-read in png_image_read_direct_scaled",
                            "    - debian/patches/CVE-2026-22695.patch: fix memcpy size in pngread.c.",
                            "    - CVE-2026-22695",
                            "  * SECURITY UPDATE: Integer truncation causing heap buffer over-read",
                            "    - debian/patches/CVE-2026-22801.patch: remove incorrect truncation",
                            "      casts in CMakeLists.txt, contrib/libtests/pngstest.c, pngwrite.c,",
                            "      tests/pngstest-large-stride.",
                            "    - CVE-2026-22801",
                            ""
                        ],
                        "package": "libpng1.6",
                        "version": "1.6.37-3ubuntu0.3",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 12 Jan 2026 13:14:59 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-urllib3",
                "from_version": {
                    "source_package_name": "python-urllib3",
                    "source_package_version": "1.26.5-1~exp1ubuntu0.5",
                    "version": "1.26.5-1~exp1ubuntu0.5"
                },
                "to_version": {
                    "source_package_name": "python-urllib3",
                    "source_package_version": "1.26.5-1~exp1ubuntu0.6",
                    "version": "1.26.5-1~exp1ubuntu0.6"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-21441",
                        "url": "https://ubuntu.com/security/CVE-2026-21441",
                        "cve_description": "urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-07 22:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2138420
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-21441",
                                "url": "https://ubuntu.com/security/CVE-2026-21441",
                                "cve_description": "urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-07 22:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY REGRESSION: Missing _has_decoded_content from CVE-2026-21441",
                            "    (LP: #2138420)",
                            "    - debian/patches/CVE-2026-21441-fix1.patch: Implement _has_decoded_content",
                            "      and decoded checks in src/urllib3/response.py. Add tests in",
                            "      test/test_response.py.",
                            ""
                        ],
                        "package": "python-urllib3",
                        "version": "1.26.5-1~exp1ubuntu0.6",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [
                            2138420
                        ],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Fri, 16 Jan 2026 19:39:26 -0330"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [],
        "snap": []
    },
    "removed": {
        "deb": [],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 22.04 jammy image from daily image serial 20260114 to 20260119",
    "from_series": "jammy",
    "to_series": "jammy",
    "from_serial": "20260114",
    "to_serial": "20260119",
    "from_manifest_filename": "daily_manifest.previous",
    "to_manifest_filename": "manifest.current"
}