{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": [
                "snapd"
            ]
        },
        "deb": {
            "added": [],
            "removed": [],
            "diff": [
                "curl",
                "iproute2",
                "libcurl3-gnutls:s390x",
                "libcurl4:s390x",
                "libncurses6:s390x",
                "libncursesw6:s390x",
                "libnghttp2-14:s390x",
                "libnss3:s390x",
                "libsqlite3-0:s390x",
                "libtinfo6:s390x",
                "ncurses-base",
                "ncurses-bin",
                "ncurses-term",
                "vim",
                "vim-common",
                "vim-runtime",
                "vim-tiny",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "curl",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.81.0-1ubuntu1.24",
                    "version": "7.81.0-1ubuntu1.24"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.81.0-1ubuntu1.25",
                    "version": "7.81.0-1ubuntu1.25"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-8286",
                        "url": "https://ubuntu.com/security/CVE-2026-8286",
                        "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8458",
                        "url": "https://ubuntu.com/security/CVE-2026-8458",
                        "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different \"services\". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8924",
                        "url": "https://ubuntu.com/security/CVE-2026-8924",
                        "cve_description": "A flaw in curl's cookie parsing logic allows a malicious HTTP server to set \"super cookies\" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl will subsequently scope and transmit to unrelated third-party domains.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8925",
                        "url": "https://ubuntu.com/security/CVE-2026-8925",
                        "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8927",
                        "url": "https://ubuntu.com/security/CVE-2026-8927",
                        "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9547",
                        "url": "https://ubuntu.com/security/CVE-2026-9547",
                        "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-8286",
                                "url": "https://ubuntu.com/security/CVE-2026-8286",
                                "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8458",
                                "url": "https://ubuntu.com/security/CVE-2026-8458",
                                "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different \"services\". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8924",
                                "url": "https://ubuntu.com/security/CVE-2026-8924",
                                "cve_description": "A flaw in curl's cookie parsing logic allows a malicious HTTP server to set \"super cookies\" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl will subsequently scope and transmit to unrelated third-party domains.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8925",
                                "url": "https://ubuntu.com/security/CVE-2026-8925",
                                "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8927",
                                "url": "https://ubuntu.com/security/CVE-2026-8927",
                                "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9547",
                                "url": "https://ubuntu.com/security/CVE-2026-9547",
                                "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Connection reuse for starttls protocols.",
                            "    - debian/patches/CVE-2026-8286.patch: When a connection is tested for",
                            "      reuse in a transfer that may upgrade to TLS (commonly via STARTTLS),",
                            "      the SSL configuration must match the existing connection in lib/url.c",
                            "    - CVE-2026-8286",
                            "  * SECURITY UPDATE: Connection reuse in SASL.",
                            "    - debian/patches/CVE-2026-8458.patch: Fix erroneous connection reuse in",
                            "      lib/curl_sasl.c, lib/http_negotiate.c, lib/http_ntlm.c, lib/imap.c,",
                            "      lib/openldap.c, and lib/pop3.c",
                            "    - CVE-2026-8458",
                            "  * SECURITY UPDATE: Cookie injection in is_public_suffix.",
                            "    - debian/patches/CVE-2026-8924.patch: Trim trailing dots when checking",
                            "      PSL in lib/cookie.c.",
                            "    - CVE-2026-8924",
                            "  * SECURITY UPDATE: Double-free in gsasl.",
                            "    - debian/patches/CVE-2026-8925.patch: Require libgsasl 1.6.0 to handle",
                            "      NULL argument in lib/vauth/gsasl.c.",
                            "    - CVE-2026-8925",
                            "  * SECURITY UPDATE: Information disclosure in libcurl",
                            "    - debian/patches/CVE-2026-8927.patch: Detect if proxy is not the same as",
                            "      previous and flush state in lib/url.c and lib/urldata.h.",
                            "    - CVE-2026-8927",
                            "  * SECURITY UPDATE: Man-in-the-middle in libcurl.",
                            "    - debian/patches/CVE-2026-9547.patch: Reject host key mismatches in",
                            "      lib/vssh/libssh.c",
                            "    - CVE-2026-9547",
                            ""
                        ],
                        "package": "curl",
                        "version": "7.81.0-1ubuntu1.25",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 29 Jun 2026 11:21:28 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "iproute2",
                "from_version": {
                    "source_package_name": "iproute2",
                    "source_package_version": "5.15.0-1ubuntu2.1",
                    "version": "5.15.0-1ubuntu2.1"
                },
                "to_version": {
                    "source_package_name": "iproute2",
                    "source_package_version": "5.15.0-1ubuntu2.2",
                    "version": "5.15.0-1ubuntu2.2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2147525
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Modify tc/tbf and tc/htb to allow 64 bit burst parameter (LP: #2147525)",
                            "    - /d/p/lp2147525-1-tc-tbf-enable-64-bit-burst.patch",
                            "    - /d/p/lp2147525-2-tc-htb-enable-64-bit-burst.patch",
                            ""
                        ],
                        "package": "iproute2",
                        "version": "5.15.0-1ubuntu2.2",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            2147525
                        ],
                        "author": "Ioana Lazea <ioana.lazea@canonical.com>",
                        "date": "Wed, 15 Apr 2026 10:15:26 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcurl3-gnutls:s390x",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.81.0-1ubuntu1.24",
                    "version": "7.81.0-1ubuntu1.24"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.81.0-1ubuntu1.25",
                    "version": "7.81.0-1ubuntu1.25"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-8286",
                        "url": "https://ubuntu.com/security/CVE-2026-8286",
                        "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8458",
                        "url": "https://ubuntu.com/security/CVE-2026-8458",
                        "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different \"services\". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8924",
                        "url": "https://ubuntu.com/security/CVE-2026-8924",
                        "cve_description": "A flaw in curl's cookie parsing logic allows a malicious HTTP server to set \"super cookies\" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl will subsequently scope and transmit to unrelated third-party domains.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8925",
                        "url": "https://ubuntu.com/security/CVE-2026-8925",
                        "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8927",
                        "url": "https://ubuntu.com/security/CVE-2026-8927",
                        "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9547",
                        "url": "https://ubuntu.com/security/CVE-2026-9547",
                        "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-8286",
                                "url": "https://ubuntu.com/security/CVE-2026-8286",
                                "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8458",
                                "url": "https://ubuntu.com/security/CVE-2026-8458",
                                "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different \"services\". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8924",
                                "url": "https://ubuntu.com/security/CVE-2026-8924",
                                "cve_description": "A flaw in curl's cookie parsing logic allows a malicious HTTP server to set \"super cookies\" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl will subsequently scope and transmit to unrelated third-party domains.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8925",
                                "url": "https://ubuntu.com/security/CVE-2026-8925",
                                "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8927",
                                "url": "https://ubuntu.com/security/CVE-2026-8927",
                                "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9547",
                                "url": "https://ubuntu.com/security/CVE-2026-9547",
                                "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Connection reuse for starttls protocols.",
                            "    - debian/patches/CVE-2026-8286.patch: When a connection is tested for",
                            "      reuse in a transfer that may upgrade to TLS (commonly via STARTTLS),",
                            "      the SSL configuration must match the existing connection in lib/url.c",
                            "    - CVE-2026-8286",
                            "  * SECURITY UPDATE: Connection reuse in SASL.",
                            "    - debian/patches/CVE-2026-8458.patch: Fix erroneous connection reuse in",
                            "      lib/curl_sasl.c, lib/http_negotiate.c, lib/http_ntlm.c, lib/imap.c,",
                            "      lib/openldap.c, and lib/pop3.c",
                            "    - CVE-2026-8458",
                            "  * SECURITY UPDATE: Cookie injection in is_public_suffix.",
                            "    - debian/patches/CVE-2026-8924.patch: Trim trailing dots when checking",
                            "      PSL in lib/cookie.c.",
                            "    - CVE-2026-8924",
                            "  * SECURITY UPDATE: Double-free in gsasl.",
                            "    - debian/patches/CVE-2026-8925.patch: Require libgsasl 1.6.0 to handle",
                            "      NULL argument in lib/vauth/gsasl.c.",
                            "    - CVE-2026-8925",
                            "  * SECURITY UPDATE: Information disclosure in libcurl",
                            "    - debian/patches/CVE-2026-8927.patch: Detect if proxy is not the same as",
                            "      previous and flush state in lib/url.c and lib/urldata.h.",
                            "    - CVE-2026-8927",
                            "  * SECURITY UPDATE: Man-in-the-middle in libcurl.",
                            "    - debian/patches/CVE-2026-9547.patch: Reject host key mismatches in",
                            "      lib/vssh/libssh.c",
                            "    - CVE-2026-9547",
                            ""
                        ],
                        "package": "curl",
                        "version": "7.81.0-1ubuntu1.25",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 29 Jun 2026 11:21:28 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcurl4:s390x",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.81.0-1ubuntu1.24",
                    "version": "7.81.0-1ubuntu1.24"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.81.0-1ubuntu1.25",
                    "version": "7.81.0-1ubuntu1.25"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-8286",
                        "url": "https://ubuntu.com/security/CVE-2026-8286",
                        "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8458",
                        "url": "https://ubuntu.com/security/CVE-2026-8458",
                        "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different \"services\". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8924",
                        "url": "https://ubuntu.com/security/CVE-2026-8924",
                        "cve_description": "A flaw in curl's cookie parsing logic allows a malicious HTTP server to set \"super cookies\" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl will subsequently scope and transmit to unrelated third-party domains.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8925",
                        "url": "https://ubuntu.com/security/CVE-2026-8925",
                        "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8927",
                        "url": "https://ubuntu.com/security/CVE-2026-8927",
                        "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-9547",
                        "url": "https://ubuntu.com/security/CVE-2026-9547",
                        "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-06-24 14:00:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-8286",
                                "url": "https://ubuntu.com/security/CVE-2026-8286",
                                "cve_description": "A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8458",
                                "url": "https://ubuntu.com/security/CVE-2026-8458",
                                "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different \"services\". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8924",
                                "url": "https://ubuntu.com/security/CVE-2026-8924",
                                "cve_description": "A flaw in curl's cookie parsing logic allows a malicious HTTP server to set \"super cookies\" that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl will subsequently scope and transmit to unrelated third-party domains.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8925",
                                "url": "https://ubuntu.com/security/CVE-2026-8925",
                                "cve_description": "The curl logic that works with SASL authentication could end up cleaning up the GSASL context *twice* without clearing the pointer in between, making it `free()` the same pointer twice.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8927",
                                "url": "https://ubuntu.com/security/CVE-2026-8927",
                                "cve_description": "When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-9547",
                                "url": "https://ubuntu.com/security/CVE-2026-9547",
                                "cve_description": "When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-06-24 14:00:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Connection reuse for starttls protocols.",
                            "    - debian/patches/CVE-2026-8286.patch: When a connection is tested for",
                            "      reuse in a transfer that may upgrade to TLS (commonly via STARTTLS),",
                            "      the SSL configuration must match the existing connection in lib/url.c",
                            "    - CVE-2026-8286",
                            "  * SECURITY UPDATE: Connection reuse in SASL.",
                            "    - debian/patches/CVE-2026-8458.patch: Fix erroneous connection reuse in",
                            "      lib/curl_sasl.c, lib/http_negotiate.c, lib/http_ntlm.c, lib/imap.c,",
                            "      lib/openldap.c, and lib/pop3.c",
                            "    - CVE-2026-8458",
                            "  * SECURITY UPDATE: Cookie injection in is_public_suffix.",
                            "    - debian/patches/CVE-2026-8924.patch: Trim trailing dots when checking",
                            "      PSL in lib/cookie.c.",
                            "    - CVE-2026-8924",
                            "  * SECURITY UPDATE: Double-free in gsasl.",
                            "    - debian/patches/CVE-2026-8925.patch: Require libgsasl 1.6.0 to handle",
                            "      NULL argument in lib/vauth/gsasl.c.",
                            "    - CVE-2026-8925",
                            "  * SECURITY UPDATE: Information disclosure in libcurl",
                            "    - debian/patches/CVE-2026-8927.patch: Detect if proxy is not the same as",
                            "      previous and flush state in lib/url.c and lib/urldata.h.",
                            "    - CVE-2026-8927",
                            "  * SECURITY UPDATE: Man-in-the-middle in libcurl.",
                            "    - debian/patches/CVE-2026-9547.patch: Reject host key mismatches in",
                            "      lib/vssh/libssh.c",
                            "    - CVE-2026-9547",
                            ""
                        ],
                        "package": "curl",
                        "version": "7.81.0-1ubuntu1.25",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Mon, 29 Jun 2026 11:21:28 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libncurses6:s390x",
                "from_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.1",
                    "version": "6.3-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.2",
                    "version": "6.3-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-69720",
                        "url": "https://ubuntu.com/security/CVE-2025-69720",
                        "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-19 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-69720",
                                "url": "https://ubuntu.com/security/CVE-2025-69720",
                                "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-19 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: stack-based buffer overflow in infocmp",
                            "    - debian/patches/CVE-2025-69720.patch: clamp length to",
                            "      MAX_TERMINFO_LENGTH before copying into buf2 in analyze_string.",
                            "    - CVE-2025-69720",
                            ""
                        ],
                        "package": "ncurses",
                        "version": "6.3-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Jun 2026 21:25:30 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libncursesw6:s390x",
                "from_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.1",
                    "version": "6.3-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.2",
                    "version": "6.3-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-69720",
                        "url": "https://ubuntu.com/security/CVE-2025-69720",
                        "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-19 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-69720",
                                "url": "https://ubuntu.com/security/CVE-2025-69720",
                                "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-19 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: stack-based buffer overflow in infocmp",
                            "    - debian/patches/CVE-2025-69720.patch: clamp length to",
                            "      MAX_TERMINFO_LENGTH before copying into buf2 in analyze_string.",
                            "    - CVE-2025-69720",
                            ""
                        ],
                        "package": "ncurses",
                        "version": "6.3-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Jun 2026 21:25:30 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnghttp2-14:s390x",
                "from_version": {
                    "source_package_name": "nghttp2",
                    "source_package_version": "1.43.0-1ubuntu0.3",
                    "version": "1.43.0-1ubuntu0.3"
                },
                "to_version": {
                    "source_package_name": "nghttp2",
                    "source_package_version": "1.43.0-1ubuntu0.4",
                    "version": "1.43.0-1ubuntu0.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-58055",
                        "url": "https://ubuntu.com/security/CVE-2026-58055",
                        "cve_description": "nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-28 02:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-58055",
                                "url": "https://ubuntu.com/security/CVE-2026-58055",
                                "cve_description": "nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting ambiguous message in the attacker's favor enables HTTP request/response smuggling and cross-client response-queue poisoning.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-28 02:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: HTTP request/response smuggling issue",
                            "    - debian/patches/CVE-2026-58055-pre1.patch: nghttpx: Remove trailing white",
                            "      spaces from HTTP/1.1 fields in src/shrpx-unittest.cc,",
                            "      src/shrpx_downstream.h, src/shrpx_http_downstream_connection.cc,",
                            "      src/shrpx_https_upstream.cc, src/util.cc, src/util.h, src/util_test.cc,",
                            "      src/util_test.h.",
                            "    - debian/patches/CVE-2026-58055-pre2.patch: nghttpx: Stricter transfer-",
                            "      encoding checks in integration-tests/nghttpx_http1_test.go, src/http2.cc,",
                            "      src/http2.h, src/http2_test.cc, src/http2_test.h, src/shrpx-unittest.cc,",
                            "      src/shrpx_downstream.cc, src/shrpx_http_downstream_connection.cc,",
                            "      src/shrpx_https_upstream.cc.",
                            "    - debian/patches/CVE-2026-58055.patch: nghttpx: Tighten up CONNECT and HTTP",
                            "      Upgrade handling in src/shrpx_downstream.cc, src/shrpx_downstream.h,",
                            "      src/shrpx_http2_upstream.cc, src/shrpx_http_downstream_connection.cc,",
                            "      src/shrpx_http_downstream_connection.h, src/shrpx_https_upstream.cc.",
                            "    - CVE-2026-58055",
                            ""
                        ],
                        "package": "nghttp2",
                        "version": "1.43.0-1ubuntu0.4",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 30 Jun 2026 13:21:48 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnss3:s390x",
                "from_version": {
                    "source_package_name": "nss",
                    "source_package_version": "2:3.98-0ubuntu0.22.04.3",
                    "version": "2:3.98-0ubuntu0.22.04.3"
                },
                "to_version": {
                    "source_package_name": "nss",
                    "source_package_version": "2:3.98-0ubuntu0.22.04.4",
                    "version": "2:3.98-0ubuntu0.22.04.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-12318",
                        "url": "https://ubuntu.com/security/CVE-2026-12318",
                        "cve_description": "Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 152 and Thunderbird 152.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-16 13:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-12318",
                                "url": "https://ubuntu.com/security/CVE-2026-12318",
                                "cve_description": "Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 152 and Thunderbird 152.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-16 13:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: OOB read in pk11uri_ParseAttributes",
                            "    - debian/patches/CVE-2026-12318.patch: improve handling of escape",
                            "      sequences in nss/lib/util/pkcs11uri.c.",
                            "    - CVE-2026-12318",
                            ""
                        ],
                        "package": "nss",
                        "version": "2:3.98-0ubuntu0.22.04.4",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 18 Jun 2026 07:26:25 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsqlite3-0:s390x",
                "from_version": {
                    "source_package_name": "sqlite3",
                    "source_package_version": "3.37.2-2ubuntu0.5",
                    "version": "3.37.2-2ubuntu0.5"
                },
                "to_version": {
                    "source_package_name": "sqlite3",
                    "source_package_version": "3.37.2-2ubuntu0.6",
                    "version": "3.37.2-2ubuntu0.6"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-11822",
                        "url": "https://ubuntu.com/security/CVE-2026-11822",
                        "cve_description": "SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-11824",
                        "url": "https://ubuntu.com/security/CVE-2026-11824",
                        "cve_description": "SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-09 20:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-11822",
                                "url": "https://ubuntu.com/security/CVE-2026-11822",
                                "cve_description": "SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 20:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-11824",
                                "url": "https://ubuntu.com/security/CVE-2026-11824",
                                "cve_description": "SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-09 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: security issues in FTS5 full-text search",
                            "    - debian/patches/CVE-2026-11822_4.patch: Fix logic in ext/fts5/fts5_index.c.",
                            "    - CVE-2026-11822",
                            "    - CVE-2026-11824",
                            ""
                        ],
                        "package": "sqlite3",
                        "version": "3.37.2-2ubuntu0.6",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 16 Jun 2026 13:53:33 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libtinfo6:s390x",
                "from_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.1",
                    "version": "6.3-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.2",
                    "version": "6.3-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-69720",
                        "url": "https://ubuntu.com/security/CVE-2025-69720",
                        "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-19 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-69720",
                                "url": "https://ubuntu.com/security/CVE-2025-69720",
                                "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-19 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: stack-based buffer overflow in infocmp",
                            "    - debian/patches/CVE-2025-69720.patch: clamp length to",
                            "      MAX_TERMINFO_LENGTH before copying into buf2 in analyze_string.",
                            "    - CVE-2025-69720",
                            ""
                        ],
                        "package": "ncurses",
                        "version": "6.3-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Jun 2026 21:25:30 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ncurses-base",
                "from_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.1",
                    "version": "6.3-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.2",
                    "version": "6.3-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-69720",
                        "url": "https://ubuntu.com/security/CVE-2025-69720",
                        "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-19 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-69720",
                                "url": "https://ubuntu.com/security/CVE-2025-69720",
                                "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-19 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: stack-based buffer overflow in infocmp",
                            "    - debian/patches/CVE-2025-69720.patch: clamp length to",
                            "      MAX_TERMINFO_LENGTH before copying into buf2 in analyze_string.",
                            "    - CVE-2025-69720",
                            ""
                        ],
                        "package": "ncurses",
                        "version": "6.3-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Jun 2026 21:25:30 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ncurses-bin",
                "from_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.1",
                    "version": "6.3-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.2",
                    "version": "6.3-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-69720",
                        "url": "https://ubuntu.com/security/CVE-2025-69720",
                        "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-19 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-69720",
                                "url": "https://ubuntu.com/security/CVE-2025-69720",
                                "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-19 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: stack-based buffer overflow in infocmp",
                            "    - debian/patches/CVE-2025-69720.patch: clamp length to",
                            "      MAX_TERMINFO_LENGTH before copying into buf2 in analyze_string.",
                            "    - CVE-2025-69720",
                            ""
                        ],
                        "package": "ncurses",
                        "version": "6.3-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Jun 2026 21:25:30 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ncurses-term",
                "from_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.1",
                    "version": "6.3-2ubuntu0.1"
                },
                "to_version": {
                    "source_package_name": "ncurses",
                    "source_package_version": "6.3-2ubuntu0.2",
                    "version": "6.3-2ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-69720",
                        "url": "https://ubuntu.com/security/CVE-2025-69720",
                        "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-19 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-69720",
                                "url": "https://ubuntu.com/security/CVE-2025-69720",
                                "cve_description": "The infocmp command-line tool in ncurses before 6.5-20251213 has a stack-based buffer overflow in analyze_string in progs/infocmp.c.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-19 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: stack-based buffer overflow in infocmp",
                            "    - debian/patches/CVE-2025-69720.patch: clamp length to",
                            "      MAX_TERMINFO_LENGTH before copying into buf2 in analyze_string.",
                            "    - CVE-2025-69720",
                            ""
                        ],
                        "package": "ncurses",
                        "version": "6.3-2ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Jun 2026 21:25:30 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.32",
                    "version": "2:8.2.3995-1ubuntu2.32"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.33",
                    "version": "2:8.2.3995-1ubuntu2.33"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:8.2.3995-1ubuntu2.33",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:46:22 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-common",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.32",
                    "version": "2:8.2.3995-1ubuntu2.32"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.33",
                    "version": "2:8.2.3995-1ubuntu2.33"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:8.2.3995-1ubuntu2.33",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:46:22 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-runtime",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.32",
                    "version": "2:8.2.3995-1ubuntu2.32"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.33",
                    "version": "2:8.2.3995-1ubuntu2.33"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and ../pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:8.2.3995-1ubuntu2.33",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:46:22 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-tiny",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.32",
                    "version": "2:8.2.3995-1ubuntu2.32"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.33",
                    "version": "2:8.2.3995-1ubuntu2.33"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and runtime/autoload/pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:8.2.3995-1ubuntu2.33",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:46:22 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.32",
                    "version": "2:8.2.3995-1ubuntu2.32"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:8.2.3995-1ubuntu2.33",
                    "version": "2:8.2.3995-1ubuntu2.33"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55693",
                        "url": "https://ubuntu.com/security/CVE-2026-55693",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55892",
                        "url": "https://ubuntu.com/security/CVE-2026-55892",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-55895",
                        "url": "https://ubuntu.com/security/CVE-2026-55895",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57452",
                        "url": "https://ubuntu.com/security/CVE-2026-57452",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57455",
                        "url": "https://ubuntu.com/security/CVE-2026-57455",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-57456",
                        "url": "https://ubuntu.com/security/CVE-2026-57456",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-25 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55693",
                                "url": "https://ubuntu.com/security/CVE-2026-55693",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55892",
                                "url": "https://ubuntu.com/security/CVE-2026-55892",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-55895",
                                "url": "https://ubuntu.com/security/CVE-2026-55895",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile() in the netrw plugin (runtime/pack/dist/opt/netrw/autoload/netrw.vim) when deleting a local file from the browser. A filename derived from the buffer's directory listing is interpolated into an Ex command line passed to :execute with only the backslash character escaped, allowing a crafted filename containing a bar (|) to terminate the intended command and execute arbitrary Vimscript, including shell commands via :call system() and :!. This vulnerability is fixed in 9.2.0663.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57452",
                                "url": "https://ubuntu.com/security/CVE-2026-57452",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57455",
                                "url": "https://ubuntu.com/security/CVE-2026-57455",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-57456",
                                "url": "https://ubuntu.com/security/CVE-2026-57456",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-25 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Out-of-bounds write.",
                            "    - debian/patches/CVE-2026-55693.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spellfile.c.",
                            "    - debian/patches/CVE-2026-55892.patch: only descend while",
                            "      depth < MAXWLEN - 1 in src/spell.c.",
                            "    - CVE-2026-55693",
                            "    - CVE-2026-55892",
                            "  * SECURITY UPDATE: Code injection in local file deletion.",
                            "    - debian/patches/CVE-2026-55895.patch: Use fnameescape() to escape",
                            "      file name in runtime/autoload/netrw.vim.",
                            "    - CVE-2026-55895",
                            "  * SECURITY UPDATE: Out-of-bounds read with sodium encrypted files.",
                            "    - debian/patches/CVE-2026-57452.patch: Verify that there is enough space",
                            "      before function call in src/crypt.c.",
                            "    - CVE-2026-57452",
                            "  * SECURITY UPDATE: Out-of-bounds write with soundfold().",
                            "    - debian/patches/CVE-2026-57455.patch: Add an abort condition to validate",
                            "      buffer in src/spell.c.",
                            "    - CVE-2026-57455",
                            "  * SECURITY UPDATE: Code execution with python complete.",
                            "    - debian/patches/CVE-2026-57456.patch: Use repr() to quote the doc strings",
                            "      in runtime/autoload/python3complete.vim and runtime/autoload/pythoncomplete.vim.",
                            "    - CVE-2026-57456",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:8.2.3995-1ubuntu2.33",
                        "urgency": "medium",
                        "distributions": "jammy-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 30 Jun 2026 11:46:22 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": [
            {
                "name": "snapd",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": "26866"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": "27405"
                }
            }
        ]
    },
    "added": {
        "deb": [],
        "snap": []
    },
    "removed": {
        "deb": [],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 22.04 jammy image from release image serial 20260627 to 20260705",
    "from_series": "jammy",
    "to_series": "jammy",
    "from_serial": "20260627",
    "to_serial": "20260705",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}