{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [], "removed": [], "diff": [ "libpng16-16t64", "python3-urllib3" ] } }, "diff": { "deb": [ { "name": "libpng16-16t64", "from_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.43-5ubuntu0.1", "version": "1.6.43-5ubuntu0.1" }, "to_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.43-5ubuntu0.3", "version": "1.6.43-5ubuntu0.3" }, "cves": [ { "cve": "CVE-2025-66293", "url": "https://ubuntu.com/security/CVE-2025-66293", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.", "cve_priority": "medium", "cve_public_date": "2025-12-03 21:15:00 UTC" }, { "cve": "CVE-2026-22695", "url": "https://ubuntu.com/security/CVE-2026-22695", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.", "cve_priority": "medium", "cve_public_date": "2026-01-12 23:15:00 UTC" }, { "cve": "CVE-2026-22801", "url": "https://ubuntu.com/security/CVE-2026-22801", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.", "cve_priority": "medium", "cve_public_date": "2026-01-12 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-66293", "url": "https://ubuntu.com/security/CVE-2025-66293", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.", "cve_priority": "medium", "cve_public_date": "2025-12-03 21:15:00 UTC" }, { "cve": "CVE-2026-22695", "url": "https://ubuntu.com/security/CVE-2026-22695", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.", "cve_priority": "medium", "cve_public_date": "2026-01-12 23:15:00 UTC" }, { "cve": "CVE-2026-22801", "url": "https://ubuntu.com/security/CVE-2026-22801", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.", "cve_priority": "medium", "cve_public_date": "2026-01-12 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OOB in png_image_read_composite", " - debian/patches/CVE-2025-66293-1.patch: validate component size in", " pngread.c.", " - debian/patches/CVE-2025-66293-2.patch: improve fix in pngread.c.", " - CVE-2025-66293", " * SECURITY UPDATE: Heap buffer over-read in png_image_read_direct_scaled", " - debian/patches/CVE-2026-22695.patch: fix memcpy size in pngread.c.", " - CVE-2026-22695", " * SECURITY UPDATE: Integer truncation causing heap buffer over-read", " - debian/patches/CVE-2026-22801.patch: remove incorrect truncation", " casts in CMakeLists.txt, contrib/libtests/pngstest.c, pngwrite.c,", " tests/pngstest-large-stride.", " - CVE-2026-22801", "" ], "package": "libpng1.6", "version": "1.6.43-5ubuntu0.3", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Mon, 12 Jan 2026 13:14:03 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-urllib3", "from_version": { "source_package_name": "python-urllib3", "source_package_version": "2.0.7-1ubuntu0.5", "version": "2.0.7-1ubuntu0.5" }, "to_version": { "source_package_name": "python-urllib3", "source_package_version": "2.0.7-1ubuntu0.6", "version": "2.0.7-1ubuntu0.6" }, "cves": [ { "cve": "CVE-2025-66471", "url": "https://ubuntu.com/security/CVE-2025-66471", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2136906 ], "changes": [ { "cves": [ { "cve": "CVE-2025-66471", "url": "https://ubuntu.com/security/CVE-2025-66471", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: Zstandard missing attribute after CVE-2025-66471 fix.", " (LP: #2136906)", " - debian/patches/CVE-2025-66471-fix2.patch: Fall back if \"needs_input\" is", " not a zstd object attribute in src/urllib3/response.py.", "" ], "package": "python-urllib3", "version": "2.0.7-1ubuntu0.6", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [ 2136906 ], "author": "Hlib Korzhynskyy ", "date": "Tue, 13 Jan 2026 09:34:51 -0330" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 24.04 noble image from daily image serial 20260113 to 20260118", "from_series": "noble", "to_series": "noble", "from_serial": "20260113", "to_serial": "20260118", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }