{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [],
            "removed": [],
            "diff": [
                "libntfs-3g89t64:armhf",
                "ntfs-3g",
                "python3-httplib2",
                "python3-idna",
                "ubuntu-pro-client",
                "ubuntu-pro-client-l10n",
                "vim",
                "vim-common",
                "vim-runtime",
                "vim-tiny",
                "wget",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "libntfs-3g89t64:armhf",
                "from_version": {
                    "source_package_name": "ntfs-3g",
                    "source_package_version": "1:2022.10.3-5ubuntu1",
                    "version": "1:2022.10.3-5ubuntu1"
                },
                "to_version": {
                    "source_package_name": "ntfs-3g",
                    "source_package_version": "1:2022.10.3-5ubuntu1.1",
                    "version": "1:2022.10.3-5ubuntu1.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-42616",
                        "url": "https://ubuntu.com/security/CVE-2026-42616",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in cat() in  cat.c that allows an attacker to corrupt heap memory in the ntfscat  binary by crafting a malicious NTFS image. The overflow is triggered by  reading a file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42617",
                        "url": "https://ubuntu.com/security/CVE-2026-42617",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ir_to_ib() in index.c that allows an attacker to corrupt heap  memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS  image. The overflow is triggered by extending a directory, e.g., by  creating a file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46572",
                        "url": "https://ubuntu.com/security/CVE-2026-46572",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_cut_tail() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by creating a file in a  crafted directory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-56136",
                        "url": "https://ubuntu.com/security/CVE-2026-56136",
                        "cve_description": "In NTFS-3G through 2026.2.25, an out-of-bounds read exists in  ntfs_ir_nill() in libntfs-3g/index.c that allows an attacker to read  possibly confidential information in an ntfs-3g process by crafting a  malicious NTFS image. This read operation is triggered by creation of a  file with a crafted name.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42618",
                        "url": "https://ubuntu.com/security/CVE-2026-42618",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_decompress() in compress.c that allows an attacker to corrupt one  byte of heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading the special  crafted file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46569",
                        "url": "https://ubuntu.com/security/CVE-2026-46569",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_copy_tail(), in libntfs-3g/index.c, that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by extending a  directory, e.g., by creating a file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46570",
                        "url": "https://ubuntu.com/security/CVE-2026-46570",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_index_walk_down() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading crafted file  metadata.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46571",
                        "url": "https://ubuntu.com/security/CVE-2026-46571",
                        "cve_description": "In NTFS-3G through 2026.2.25, a out-of-bounds read exists in  ntfs_fix_file_name() in libntfs-3g/reparse.c that allows an attacker to  read possibly confidential information in ntfs-3g process memory by  crafting a malicious NTFS image. The out-of-bounds read is triggered by  a readlink on a corrupted file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-56135",
                        "url": "https://ubuntu.com/security/CVE-2026-56135",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap-based buffer overflow exists in the  function build_inherited_id() in libntfs-3g/security.c that allows an  attacker to corrupt heap memory in the SUID-root ntfs-3g binary by  crafting a malicious NTFS image. The overflow is triggered by creating a  file in a crafted directory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-42616",
                                "url": "https://ubuntu.com/security/CVE-2026-42616",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in cat() in  cat.c that allows an attacker to corrupt heap memory in the ntfscat  binary by crafting a malicious NTFS image. The overflow is triggered by  reading a file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42617",
                                "url": "https://ubuntu.com/security/CVE-2026-42617",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ir_to_ib() in index.c that allows an attacker to corrupt heap  memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS  image. The overflow is triggered by extending a directory, e.g., by  creating a file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46572",
                                "url": "https://ubuntu.com/security/CVE-2026-46572",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_cut_tail() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by creating a file in a  crafted directory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-56136",
                                "url": "https://ubuntu.com/security/CVE-2026-56136",
                                "cve_description": "In NTFS-3G through 2026.2.25, an out-of-bounds read exists in  ntfs_ir_nill() in libntfs-3g/index.c that allows an attacker to read  possibly confidential information in an ntfs-3g process by crafting a  malicious NTFS image. This read operation is triggered by creation of a  file with a crafted name.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42618",
                                "url": "https://ubuntu.com/security/CVE-2026-42618",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_decompress() in compress.c that allows an attacker to corrupt one  byte of heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading the special  crafted file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46569",
                                "url": "https://ubuntu.com/security/CVE-2026-46569",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_copy_tail(), in libntfs-3g/index.c, that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by extending a  directory, e.g., by creating a file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46570",
                                "url": "https://ubuntu.com/security/CVE-2026-46570",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_index_walk_down() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading crafted file  metadata.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46571",
                                "url": "https://ubuntu.com/security/CVE-2026-46571",
                                "cve_description": "In NTFS-3G through 2026.2.25, a out-of-bounds read exists in  ntfs_fix_file_name() in libntfs-3g/reparse.c that allows an attacker to  read possibly confidential information in ntfs-3g process memory by  crafting a malicious NTFS image. The out-of-bounds read is triggered by  a readlink on a corrupted file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-56135",
                                "url": "https://ubuntu.com/security/CVE-2026-56135",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap-based buffer overflow exists in the  function build_inherited_id() in libntfs-3g/security.c that allows an  attacker to corrupt heap memory in the SUID-root ntfs-3g binary by  crafting a malicious NTFS image. The overflow is triggered by creating a  file in a crafted directory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: heap buffer overflow in cat()",
                            "    - debian/patches/CVE-2026-42616.patch: Fix logic in ntfsprogs/ntfscat.c.",
                            "    - CVE-2026-42616",
                            "  * SECURITY UPDATE: buffer overflows and OOB read",
                            "    - debian/patches/CVE-2026-42617_46572_56136.patch: Fix logic in",
                            "      include/ntfs-3g/index.h, libntfs-3g/attrib.c, libntfs-3g/index.c.",
                            "    - CVE-2026-42617",
                            "    - CVE-2026-46572",
                            "    - CVE-2026-56136",
                            "  * SECURITY UPDATE: heap buffer overflow in ntfs_decompress()",
                            "    - debian/patches/CVE-2026-42618.patch: Fix logic in libntfs-3g/compress.c.",
                            "    - CVE-2026-42618",
                            "  * SECURITY UPDATE: heap buffer overflow in ntfs_ib_copy_tail()",
                            "    - debian/patches/CVE-2026-46569.patch: Fix logic in libntfs-3g/index.c.",
                            "    - CVE-2026-46569",
                            "  * SECURITY UPDATE: heap buffer overflow in ntfs_index_walk_down()",
                            "    - debian/patches/CVE-2026-46570.patch: Fix logic in libntfs-3g/index.c.",
                            "    - CVE-2026-46570",
                            "  * SECURITY UPDATE: out-of-bounds read in ntfs_fix_file_name()",
                            "    - debian/patches/CVE-2026-46571.patch: Fix logic in libntfs-3g/reparse.c.",
                            "    - CVE-2026-46571",
                            "  * SECURITY UPDATE: heap-based overflow in function build_inherited_id()",
                            "    - debian/patches/CVE-2026-56135.patch: Fix logic in include/ntfs-3g/acls.h,",
                            "      libntfs-3g/acls.c, libntfs-3g/security.c.",
                            "    - CVE-2026-56135",
                            ""
                        ],
                        "package": "ntfs-3g",
                        "version": "1:2022.10.3-5ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Sat, 11 Jul 2026 11:55:48 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ntfs-3g",
                "from_version": {
                    "source_package_name": "ntfs-3g",
                    "source_package_version": "1:2022.10.3-5ubuntu1",
                    "version": "1:2022.10.3-5ubuntu1"
                },
                "to_version": {
                    "source_package_name": "ntfs-3g",
                    "source_package_version": "1:2022.10.3-5ubuntu1.1",
                    "version": "1:2022.10.3-5ubuntu1.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-42616",
                        "url": "https://ubuntu.com/security/CVE-2026-42616",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in cat() in  cat.c that allows an attacker to corrupt heap memory in the ntfscat  binary by crafting a malicious NTFS image. The overflow is triggered by  reading a file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42617",
                        "url": "https://ubuntu.com/security/CVE-2026-42617",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ir_to_ib() in index.c that allows an attacker to corrupt heap  memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS  image. The overflow is triggered by extending a directory, e.g., by  creating a file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46572",
                        "url": "https://ubuntu.com/security/CVE-2026-46572",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_cut_tail() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by creating a file in a  crafted directory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-56136",
                        "url": "https://ubuntu.com/security/CVE-2026-56136",
                        "cve_description": "In NTFS-3G through 2026.2.25, an out-of-bounds read exists in  ntfs_ir_nill() in libntfs-3g/index.c that allows an attacker to read  possibly confidential information in an ntfs-3g process by crafting a  malicious NTFS image. This read operation is triggered by creation of a  file with a crafted name.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42618",
                        "url": "https://ubuntu.com/security/CVE-2026-42618",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_decompress() in compress.c that allows an attacker to corrupt one  byte of heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading the special  crafted file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46569",
                        "url": "https://ubuntu.com/security/CVE-2026-46569",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_copy_tail(), in libntfs-3g/index.c, that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by extending a  directory, e.g., by creating a file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46570",
                        "url": "https://ubuntu.com/security/CVE-2026-46570",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_index_walk_down() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading crafted file  metadata.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-46571",
                        "url": "https://ubuntu.com/security/CVE-2026-46571",
                        "cve_description": "In NTFS-3G through 2026.2.25, a out-of-bounds read exists in  ntfs_fix_file_name() in libntfs-3g/reparse.c that allows an attacker to  read possibly confidential information in ntfs-3g process memory by  crafting a malicious NTFS image. The out-of-bounds read is triggered by  a readlink on a corrupted file.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-56135",
                        "url": "https://ubuntu.com/security/CVE-2026-56135",
                        "cve_description": "In NTFS-3G through 2026.2.25, a heap-based buffer overflow exists in the  function build_inherited_id() in libntfs-3g/security.c that allows an  attacker to corrupt heap memory in the SUID-root ntfs-3g binary by  crafting a malicious NTFS image. The overflow is triggered by creating a  file in a crafted directory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-15 12:00:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-42616",
                                "url": "https://ubuntu.com/security/CVE-2026-42616",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in cat() in  cat.c that allows an attacker to corrupt heap memory in the ntfscat  binary by crafting a malicious NTFS image. The overflow is triggered by  reading a file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42617",
                                "url": "https://ubuntu.com/security/CVE-2026-42617",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ir_to_ib() in index.c that allows an attacker to corrupt heap  memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS  image. The overflow is triggered by extending a directory, e.g., by  creating a file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46572",
                                "url": "https://ubuntu.com/security/CVE-2026-46572",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_cut_tail() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by creating a file in a  crafted directory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-56136",
                                "url": "https://ubuntu.com/security/CVE-2026-56136",
                                "cve_description": "In NTFS-3G through 2026.2.25, an out-of-bounds read exists in  ntfs_ir_nill() in libntfs-3g/index.c that allows an attacker to read  possibly confidential information in an ntfs-3g process by crafting a  malicious NTFS image. This read operation is triggered by creation of a  file with a crafted name.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42618",
                                "url": "https://ubuntu.com/security/CVE-2026-42618",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_decompress() in compress.c that allows an attacker to corrupt one  byte of heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading the special  crafted file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46569",
                                "url": "https://ubuntu.com/security/CVE-2026-46569",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_ib_copy_tail(), in libntfs-3g/index.c, that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by extending a  directory, e.g., by creating a file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46570",
                                "url": "https://ubuntu.com/security/CVE-2026-46570",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap buffer overflow exists in  ntfs_index_walk_down() in libntfs-3g/index.c that allows an attacker to  corrupt heap memory in the SUID-root ntfs-3g binary by crafting a  malicious NTFS image. The overflow is triggered by reading crafted file  metadata.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-46571",
                                "url": "https://ubuntu.com/security/CVE-2026-46571",
                                "cve_description": "In NTFS-3G through 2026.2.25, a out-of-bounds read exists in  ntfs_fix_file_name() in libntfs-3g/reparse.c that allows an attacker to  read possibly confidential information in ntfs-3g process memory by  crafting a malicious NTFS image. The out-of-bounds read is triggered by  a readlink on a corrupted file.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-56135",
                                "url": "https://ubuntu.com/security/CVE-2026-56135",
                                "cve_description": "In NTFS-3G through 2026.2.25, a heap-based buffer overflow exists in the  function build_inherited_id() in libntfs-3g/security.c that allows an  attacker to corrupt heap memory in the SUID-root ntfs-3g binary by  crafting a malicious NTFS image. The overflow is triggered by creating a  file in a crafted directory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-15 12:00:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: heap buffer overflow in cat()",
                            "    - debian/patches/CVE-2026-42616.patch: Fix logic in ntfsprogs/ntfscat.c.",
                            "    - CVE-2026-42616",
                            "  * SECURITY UPDATE: buffer overflows and OOB read",
                            "    - debian/patches/CVE-2026-42617_46572_56136.patch: Fix logic in",
                            "      include/ntfs-3g/index.h, libntfs-3g/attrib.c, libntfs-3g/index.c.",
                            "    - CVE-2026-42617",
                            "    - CVE-2026-46572",
                            "    - CVE-2026-56136",
                            "  * SECURITY UPDATE: heap buffer overflow in ntfs_decompress()",
                            "    - debian/patches/CVE-2026-42618.patch: Fix logic in libntfs-3g/compress.c.",
                            "    - CVE-2026-42618",
                            "  * SECURITY UPDATE: heap buffer overflow in ntfs_ib_copy_tail()",
                            "    - debian/patches/CVE-2026-46569.patch: Fix logic in libntfs-3g/index.c.",
                            "    - CVE-2026-46569",
                            "  * SECURITY UPDATE: heap buffer overflow in ntfs_index_walk_down()",
                            "    - debian/patches/CVE-2026-46570.patch: Fix logic in libntfs-3g/index.c.",
                            "    - CVE-2026-46570",
                            "  * SECURITY UPDATE: out-of-bounds read in ntfs_fix_file_name()",
                            "    - debian/patches/CVE-2026-46571.patch: Fix logic in libntfs-3g/reparse.c.",
                            "    - CVE-2026-46571",
                            "  * SECURITY UPDATE: heap-based overflow in function build_inherited_id()",
                            "    - debian/patches/CVE-2026-56135.patch: Fix logic in include/ntfs-3g/acls.h,",
                            "      libntfs-3g/acls.c, libntfs-3g/security.c.",
                            "    - CVE-2026-56135",
                            ""
                        ],
                        "package": "ntfs-3g",
                        "version": "1:2022.10.3-5ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Sat, 11 Jul 2026 11:55:48 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-httplib2",
                "from_version": {
                    "source_package_name": "python-httplib2",
                    "source_package_version": "0.22.0-1build1",
                    "version": "0.22.0-1build1"
                },
                "to_version": {
                    "source_package_name": "python-httplib2",
                    "source_package_version": "0.22.0-1ubuntu0.1",
                    "version": "0.22.0-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-59939",
                        "url": "https://ubuntu.com/security/CVE-2026-59939",
                        "cve_description": "httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-08 20:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-59939",
                                "url": "https://ubuntu.com/security/CVE-2026-59939",
                                "cve_description": "httplib2 is a comprehensive HTTP client library for Python. Prior to 0.32.0, httplib2 performs unbounded decompression of HTTP response bodies encoded with Content-Encoding: gzip or deflate in _decompressContent in httplib2/init.py, allowing a malicious or compromised HTTP server to return a small compressed payload that expands to an arbitrarily large size in memory and causes MemoryError or OOM-kill in the client process. This issue is fixed in version 0.32.0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-08 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: unbounded decompression of HTTP response bodies",
                            "    - debian/patches/CVE-2026-59939.patch: decompression limited by size and",
                            "      ratio; require python 3.8+ in README.md, python3/httplib2/__init__.py,",
                            "      python3/httplib2/decode.py, setup.cfg, tests/__init__.py,",
                            "      tests/test_encoding.py.",
                            "    - CVE-2026-59939",
                            ""
                        ],
                        "package": "python-httplib2",
                        "version": "0.22.0-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 10 Jul 2026 07:17:48 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-idna",
                "from_version": {
                    "source_package_name": "python-idna",
                    "source_package_version": "3.11-1",
                    "version": "3.11-1"
                },
                "to_version": {
                    "source_package_name": "python-idna",
                    "source_package_version": "3.11-1ubuntu0.1",
                    "version": "3.11-1ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-45409",
                        "url": "https://ubuntu.com/security/CVE-2026-45409",
                        "cve_description": "Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `\"\\u0660\" * N` or `\"\\u30fb\" * N + \"\\u6f22\"` utilize the `valid_contexto` function prior to length rejection, and for high values of `N` will take a long time to process. This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service. Starting in version 3.14, the function rejects long inputs as soon as practicable prior to any further processing to minimize resource consumption. In version 3.15, this approach was extended to lesser used alternate functions (i.e. per-label conversions and codec support). A workaround is available. Domain names cannot exceed 253 characters in length. If this length limit is enforced prior to passing the domain to the `idna.encode()` function, it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-05 23:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-45409",
                                "url": "https://ubuntu.com/security/CVE-2026-45409",
                                "cve_description": "Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `\"\\u0660\" * N` or `\"\\u30fb\" * N + \"\\u6f22\"` utilize the `valid_contexto` function prior to length rejection, and for high values of `N` will take a long time to process. This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service. Starting in version 3.14, the function rejects long inputs as soon as practicable prior to any further processing to minimize resource consumption. In version 3.15, this approach was extended to lesser used alternate functions (i.e. per-label conversions and codec support). A workaround is available. Domain names cannot exceed 253 characters in length. If this length limit is enforced prior to passing the domain to the `idna.encode()` function, it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-05 23:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: DoS via specially crafted inputs to idna.encode()",
                            "    - debian/patches/CVE-2026-45409-1.patch: Reject oversized inputs up-front in",
                            "      idna/core.py, tests/test_idna.py.",
                            "    - debian/patches/CVE-2026-45409-2.patch: Use valid_string_length() for early",
                            "      oversized-input check in idna/core.py.",
                            "    - debian/patches/CVE-2026-45409-3.patch: Enforce early length limits in",
                            "      check_label in idna/core.py, tests/test_idna.py.",
                            "    - CVE-2026-45409",
                            ""
                        ],
                        "package": "python-idna",
                        "version": "3.11-1ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 14 Jul 2026 13:17:09 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-pro-client",
                "from_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "37.2ubuntu",
                    "version": "37.2ubuntu"
                },
                "to_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "37.2ubuntu0.1",
                    "version": "37.2ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-9494",
                        "url": "https://ubuntu.com/security/CVE-2026-9494",
                        "cve_description": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/<pid>/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-17 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11386",
                        "url": "https://ubuntu.com/security/CVE-2026-11386",
                        "cve_description": "An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-<name>.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-07-17 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-12391",
                        "url": "https://ubuntu.com/security/CVE-2026-12391",
                        "cve_description": "An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-17 14:00:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-9494",
                                "url": "https://ubuntu.com/security/CVE-2026-9494",
                                "cve_description": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/<pid>/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-17 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11386",
                                "url": "https://ubuntu.com/security/CVE-2026-11386",
                                "cve_description": "An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-<name>.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-07-17 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-12391",
                                "url": "https://ubuntu.com/security/CVE-2026-12391",
                                "cve_description": "An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-17 14:00:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Information disclosure",
                            "    - Remove credentials out of argv into apt's own auth.conf.d facility.",
                            "    - CVE-2026-9494",
                            "  * SECURITY UPDATE: Improper input validation",
                            "    - enforce StrictStringDataValue to applicable fields in directives",
                            "    - reject newline, carriage return, spaces, and shell meta characters ",
                            "      in StrictStringDataValue",
                            "    - CVE-2026-11386",
                            "  * SECURITY UPDATE: Symlink attack",
                            "    - reject symlink log files in user-controlled directory trees during ",
                            "      pro collect-logs",
                            "    - restrict pro collect-logs generated support archive permission to ",
                            "      root only",
                            "    - CVE-2026-12391",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "37.2ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Eduardo Barretto <eduardo.barretto@canonical.com>",
                        "date": "Mon, 06 Jul 2026 11:33:39 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-pro-client-l10n",
                "from_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "37.2ubuntu",
                    "version": "37.2ubuntu"
                },
                "to_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "37.2ubuntu0.1",
                    "version": "37.2ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-9494",
                        "url": "https://ubuntu.com/security/CVE-2026-9494",
                        "cve_description": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/<pid>/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-17 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11386",
                        "url": "https://ubuntu.com/security/CVE-2026-11386",
                        "cve_description": "An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-<name>.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-07-17 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-12391",
                        "url": "https://ubuntu.com/security/CVE-2026-12391",
                        "cve_description": "An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-17 14:00:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-9494",
                                "url": "https://ubuntu.com/security/CVE-2026-9494",
                                "cve_description": "An information disclosure vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client validates Ubuntu Pro APT credentials by executing /usr/lib/apt/apt-helper using the download-file command. During this process, the secret bearer token is embedded directly in the cleartext URL component passed via the command-line arguments (argv), resulting in a URL format such as https://bearer:<token>@esm.ubuntu.com/.../. On systems utilizing a default-mounted /proc file system where process-hiding mitigations (such as hidepid) are disabled, an unprivileged local attacker can monitor system processes and read the sensitive bearer token directly from /proc/<pid>/cmdline while the helper process is actively running. This leaked token can subsequently be used to gain unauthorized access to the victim's Ubuntu Pro or Expanded Security Maintenance (ESM) repositories.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-17 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11386",
                                "url": "https://ubuntu.com/security/CVE-2026-11386",
                                "cve_description": "An input validation and injection vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools). The client constructs APT source files (such as /etc/apt/sources.list.d/ubuntu-<name>.list or their DEB822 equivalents) using data received directly from the contract server response via the directives.suites[] and directives.aptURL fields. Because the client utilizes Python's str.format() to write these files without performing escaping, validation, or newline character filtering, a malicious or tampered contract response containing embedded newline (\\n) characters can successfully inject arbitrary, attacker-controlled deb configuration lines into root-owned APT sources. When combined with the unvalidated additionalPackages[] field—which is passed positionally into a root-executed apt-get install command—an attacker capable of spoofing or manipulating the contract response (e.g., via a compromised internal infrastructure, an intercepted connection utilizing a trusted CA, or local logical bugs) can force the client to fetch and install malicious packages. This ultimately leads to arbitrary code execution with root privileges on the affected system. This component is preinstalled on supported Ubuntu Server releases and auto-attaches by default on cloud provider Ubuntu Pro images.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-07-17 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-12391",
                                "url": "https://ubuntu.com/security/CVE-2026-12391",
                                "cve_description": "An insecure symlink following vulnerability exists in Canonical ubuntu-pro-client (formerly ubuntu-advantage-tools) within the pro collect-logs command framework. The utility creates or utilizes predictable temporary file paths or user-accessible log directories when gathering diagnostic information without verifying the file type or ownership. An unprivileged local attacker can exploit this behavior by creating a symbolic link (symlink) at a predictable destination path pointing to an arbitrary, root-readable file (such as /etc/shadow or private files within /root). When a root administrator or operator subsequently executes the pro collect-logs command, the tool follows the user-controlled symlink, reads the target file, and compresses its contents into the resulting diagnostic support archive. Because the output archive remains readable by the unprivileged user, the attacker can extract and read the sensitive root-owned files, leading to a complete information disclosure of system secrets.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-17 14:00:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Information disclosure",
                            "    - Remove credentials out of argv into apt's own auth.conf.d facility.",
                            "    - CVE-2026-9494",
                            "  * SECURITY UPDATE: Improper input validation",
                            "    - enforce StrictStringDataValue to applicable fields in directives",
                            "    - reject newline, carriage return, spaces, and shell meta characters ",
                            "      in StrictStringDataValue",
                            "    - CVE-2026-11386",
                            "  * SECURITY UPDATE: Symlink attack",
                            "    - reject symlink log files in user-controlled directory trees during ",
                            "      pro collect-logs",
                            "    - restrict pro collect-logs generated support archive permission to ",
                            "      root only",
                            "    - CVE-2026-12391",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "37.2ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Eduardo Barretto <eduardo.barretto@canonical.com>",
                        "date": "Mon, 06 Jul 2026 11:33:39 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.7",
                    "version": "2:9.1.2141-1ubuntu4.7"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-59856",
                        "url": "https://ubuntu.com/security/CVE-2026-59856",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59857",
                        "url": "https://ubuntu.com/security/CVE-2026-59857",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59858",
                        "url": "https://ubuntu.com/security/CVE-2026-59858",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-59856",
                                "url": "https://ubuntu.com/security/CVE-2026-59856",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59857",
                                "url": "https://ubuntu.com/security/CVE-2026-59857",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59858",
                                "url": "https://ubuntu.com/security/CVE-2026-59858",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Command execution in PHP omni-completion.",
                            "    - debian/patches/CVE-2026-59856.patch: Quote the class name before",
                            "      inserting it into the search() in runtime/autoload/phpcomplete.vim",
                            "    - CVE-2026-59856",
                            "  * SECURITY UPDATE: Stack out-of-bounds write in spell_soundfold_sal().",
                            "    - debian/patches/CVE-2026-59857.patch: Bound the single-byte SAL result",
                            "      writes in src/spell.c",
                            "    - CVE-2026-59857",
                            "  * SECURITY UPDATE: Arbitrary command execution during C omni-completion.",
                            "    - debian/patches/CVE-2026-59858.patch: Escape the type field before",
                            "      inserting it into pattern in runtime/autoload/ccomplete.vim",
                            "    - CVE-2026-59858",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.7",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 13 Jul 2026 11:06:53 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-common",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.7",
                    "version": "2:9.1.2141-1ubuntu4.7"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-59856",
                        "url": "https://ubuntu.com/security/CVE-2026-59856",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59857",
                        "url": "https://ubuntu.com/security/CVE-2026-59857",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59858",
                        "url": "https://ubuntu.com/security/CVE-2026-59858",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-59856",
                                "url": "https://ubuntu.com/security/CVE-2026-59856",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59857",
                                "url": "https://ubuntu.com/security/CVE-2026-59857",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59858",
                                "url": "https://ubuntu.com/security/CVE-2026-59858",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Command execution in PHP omni-completion.",
                            "    - debian/patches/CVE-2026-59856.patch: Quote the class name before",
                            "      inserting it into the search() in runtime/autoload/phpcomplete.vim",
                            "    - CVE-2026-59856",
                            "  * SECURITY UPDATE: Stack out-of-bounds write in spell_soundfold_sal().",
                            "    - debian/patches/CVE-2026-59857.patch: Bound the single-byte SAL result",
                            "      writes in src/spell.c",
                            "    - CVE-2026-59857",
                            "  * SECURITY UPDATE: Arbitrary command execution during C omni-completion.",
                            "    - debian/patches/CVE-2026-59858.patch: Escape the type field before",
                            "      inserting it into pattern in runtime/autoload/ccomplete.vim",
                            "    - CVE-2026-59858",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.7",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 13 Jul 2026 11:06:53 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-runtime",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.7",
                    "version": "2:9.1.2141-1ubuntu4.7"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-59856",
                        "url": "https://ubuntu.com/security/CVE-2026-59856",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59857",
                        "url": "https://ubuntu.com/security/CVE-2026-59857",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59858",
                        "url": "https://ubuntu.com/security/CVE-2026-59858",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-59856",
                                "url": "https://ubuntu.com/security/CVE-2026-59856",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59857",
                                "url": "https://ubuntu.com/security/CVE-2026-59857",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59858",
                                "url": "https://ubuntu.com/security/CVE-2026-59858",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Command execution in PHP omni-completion.",
                            "    - debian/patches/CVE-2026-59856.patch: Quote the class name before",
                            "      inserting it into the search() in runtime/autoload/phpcomplete.vim",
                            "    - CVE-2026-59856",
                            "  * SECURITY UPDATE: Stack out-of-bounds write in spell_soundfold_sal().",
                            "    - debian/patches/CVE-2026-59857.patch: Bound the single-byte SAL result",
                            "      writes in src/spell.c",
                            "    - CVE-2026-59857",
                            "  * SECURITY UPDATE: Arbitrary command execution during C omni-completion.",
                            "    - debian/patches/CVE-2026-59858.patch: Escape the type field before",
                            "      inserting it into pattern in runtime/autoload/ccomplete.vim",
                            "    - CVE-2026-59858",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.7",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 13 Jul 2026 11:06:53 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-tiny",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.7",
                    "version": "2:9.1.2141-1ubuntu4.7"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-59856",
                        "url": "https://ubuntu.com/security/CVE-2026-59856",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59857",
                        "url": "https://ubuntu.com/security/CVE-2026-59857",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59858",
                        "url": "https://ubuntu.com/security/CVE-2026-59858",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-59856",
                                "url": "https://ubuntu.com/security/CVE-2026-59856",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59857",
                                "url": "https://ubuntu.com/security/CVE-2026-59857",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59858",
                                "url": "https://ubuntu.com/security/CVE-2026-59858",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Command execution in PHP omni-completion.",
                            "    - debian/patches/CVE-2026-59856.patch: Quote the class name before",
                            "      inserting it into the search() in runtime/autoload/phpcomplete.vim",
                            "    - CVE-2026-59856",
                            "  * SECURITY UPDATE: Stack out-of-bounds write in spell_soundfold_sal().",
                            "    - debian/patches/CVE-2026-59857.patch: Bound the single-byte SAL result",
                            "      writes in src/spell.c",
                            "    - CVE-2026-59857",
                            "  * SECURITY UPDATE: Arbitrary command execution during C omni-completion.",
                            "    - debian/patches/CVE-2026-59858.patch: Escape the type field before",
                            "      inserting it into pattern in runtime/autoload/ccomplete.vim",
                            "    - CVE-2026-59858",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.7",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 13 Jul 2026 11:06:53 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "wget",
                "from_version": {
                    "source_package_name": "wget",
                    "source_package_version": "1.25.0-2ubuntu4",
                    "version": "1.25.0-2ubuntu4"
                },
                "to_version": {
                    "source_package_name": "wget",
                    "source_package_version": "1.25.0-2ubuntu4.2",
                    "version": "1.25.0-2ubuntu4.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-58469",
                        "url": "https://ubuntu.com/security/CVE-2026-58469",
                        "cve_description": "GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-07 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-58470",
                        "url": "https://ubuntu.com/security/CVE-2026-58470",
                        "cve_description": "GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-07 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-58471",
                        "url": "https://ubuntu.com/security/CVE-2026-58471",
                        "cve_description": "GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-07 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-58472",
                        "url": "https://ubuntu.com/security/CVE-2026-58472",
                        "cve_description": "GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-07 21:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-58469",
                                "url": "https://ubuntu.com/security/CVE-2026-58469",
                                "cve_description": "GNU Wget through 1.25.0, fixed in commit 37a40fc, contains a heap buffer underread vulnerability in the clean_metalink_string() function within src/metalink.c that allows a malicious server to trigger memory corruption by serving a Metalink document containing a whitespace-only URL. Attackers can cause the function to decrement a pointer past the start of the buffer when processing an all-whitespace Metalink URL, potentially leading to abnormal program behavior.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-07 21:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-58470",
                                "url": "https://ubuntu.com/security/CVE-2026-58470",
                                "cve_description": "GNU Wget through 1.25.0, fixed in commit 43d3ba9, contains an integer overflow vulnerability in the parse_content_range() function within src/http.c that allows server-controlled values to cause signed integer arithmetic to overflow. Attackers can supply malicious Content-Range header values to trigger undefined behavior and download desynchronization in the affected client.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-07 21:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-58471",
                                "url": "https://ubuntu.com/security/CVE-2026-58471",
                                "cve_description": "GNU Wget through 1.25.0, fixed in commit c2640fe, contains a heap buffer overflow vulnerability in the convert_fname() function within src/url.c that allows remote attackers to trigger memory corruption through a server-supplied filename requiring character set conversion. When the output buffer is too small during iconv E2BIG reallocation, the reallocation logic miscalculates the remaining space, leading to a heap buffer overflow that can be exploited via a maliciously crafted server response.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-07 21:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-58472",
                                "url": "https://ubuntu.com/security/CVE-2026-58472",
                                "cve_description": "GNU Wget through 1.25.0, fixed in commit dd692d9, contains a heap buffer overflow vulnerability in the html_quote_string() function in src/convert.c that allows a remote attacker to trigger memory corruption by supplying a crafted HTML attribute with a large number of characters requiring entity encoding. A server-supplied HTML attribute causes a signed integer counter to overflow during output size accumulation, resulting in an undersized heap allocation and subsequent heap buffer overflow during the copy phase.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-07 21:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Buffer overflow in metalink.",
                            "    - debian/patches/CVE-2026-58469.patch: Fix buffer overflow in",
                            "      src/metalink.c",
                            "    - CVE-2026-58469",
                            "  * SECURITY UPDATE: Integer overflow in http",
                            "    - debian/patches/CVE-2026-58470.patch: Fix integer overflow in src/http.c",
                            "    - CVE-2026-58470",
                            "  * SECURITY UPDATE: Buffer overflow in convert_fname.",
                            "    - debian/patches/CVE-2026-58471.patch: Fix buffer overflow in src/url.c",
                            "    - CVE-2026-58471",
                            "  * SECURITY UPDATE: Integer and buffer overflow in html_quote_string.",
                            "    - debian/patches/CVE-2026-58472.patch: Fix integer+buffer overflow in",
                            "      src/convert.c",
                            "    - CVE-2026-58472",
                            ""
                        ],
                        "package": "wget",
                        "version": "1.25.0-2ubuntu4.2",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Fri, 10 Jul 2026 15:58:26 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.6",
                    "version": "2:9.1.2141-1ubuntu4.6"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.7",
                    "version": "2:9.1.2141-1ubuntu4.7"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-59856",
                        "url": "https://ubuntu.com/security/CVE-2026-59856",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59857",
                        "url": "https://ubuntu.com/security/CVE-2026-59857",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-59858",
                        "url": "https://ubuntu.com/security/CVE-2026-59858",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-07-09 23:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-59856",
                                "url": "https://ubuntu.com/security/CVE-2026-59856",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0736, the PHP omni-completion script in runtime/autoload/phpcomplete.vim interpolates a class or trait name, taken from the contents of the edited buffer, into a search() pattern that is run via win_execute() without escaping. A name containing a single quote can terminate the search() string argument early, and because the bar is honored as an Ex command separator, the remainder of the name is run as Ex commands; via the :! command this allows arbitrary operating-system command execution when a victim opens a crafted PHP file and invokes omni-completion. This issue is fixed in version 9.2.0736.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59857",
                                "url": "https://ubuntu.com/security/CVE-2026-59857",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-59858",
                                "url": "https://ubuntu.com/security/CVE-2026-59858",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honors the bar as a command separator, a crafted tag field can close the search pattern and append an arbitrary Ex command; opening a hostile .c file whose project tags file contains such an entry and invoking C omni-completion runs that command as the editing user. This issue is fixed in version 9.2.0735.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-07-09 23:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Command execution in PHP omni-completion.",
                            "    - debian/patches/CVE-2026-59856.patch: Quote the class name before",
                            "      inserting it into the search() in runtime/autoload/phpcomplete.vim",
                            "    - CVE-2026-59856",
                            "  * SECURITY UPDATE: Stack out-of-bounds write in spell_soundfold_sal().",
                            "    - debian/patches/CVE-2026-59857.patch: Bound the single-byte SAL result",
                            "      writes in src/spell.c",
                            "    - CVE-2026-59857",
                            "  * SECURITY UPDATE: Arbitrary command execution during C omni-completion.",
                            "    - debian/patches/CVE-2026-59858.patch: Escape the type field before",
                            "      inserting it into pattern in runtime/autoload/ccomplete.vim",
                            "    - CVE-2026-59858",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.7",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 13 Jul 2026 11:06:53 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [],
        "snap": []
    },
    "removed": {
        "deb": [],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 26.04 resolute image from release image serial 20260713 to 20260716",
    "from_series": "resolute",
    "to_series": "resolute",
    "from_serial": "20260713",
    "to_serial": "20260716",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}