|
|
Log in / Subscribe / Register

Ubuntu alert USN-8063-2 (protobuf)



From:
              noreply+usn-bot@canonical.com


To:
              ubuntu-security-announce@lists.ubuntu.com


Subject:
              [USN-8063-2] Protocol Buffers vulnerability


Date:
              Tue, 26 May 2026 21:05:54 +0000


Message-ID:
              <E1wRyyI-0007DJ-3Z@lists.ubuntu.com>


==========================================================================
Ubuntu Security Notice USN-8063-2
May 26, 2026

protobuf vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Protocol Buffers could be made to consume resources if it received
specially crafted input.

Software Description:
- protobuf: protocol buffers data serialization library

Details:

USN-8063-1 fixed a vulnerability in Protocol Buffers. This update provides
the corresponding update for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.

Original advisory details:

 It was discovered that Protocol Buffers incorrectly handled recursion
 when the Python google.protobuf.json_format.ParseDict() function is  being
 used. An attacker could possibly use this issue to cause  Protocol Buffers
 to consume resources, resulting in a denial of  service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  libprotobuf17                   3.6.1.3-2ubuntu5.2+esm3
                                  Available with Ubuntu Pro
  python-protobuf                 3.6.1.3-2ubuntu5.2+esm3
                                  Available with Ubuntu Pro
  python3-protobuf                3.6.1.3-2ubuntu5.2+esm3
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libprotobuf10                   3.0.0-9.1ubuntu1.1+esm4
                                  Available with Ubuntu Pro
  python-protobuf                 3.0.0-9.1ubuntu1.1+esm4
                                  Available with Ubuntu Pro
  python3-protobuf                3.0.0-9.1ubuntu1.1+esm4
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8063-2
  https://ubuntu.com/security/notices/USN-8063-1
  CVE-2026-0994




Attachment: signature.asc (type=application/pgp-signature)

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE+8neBLO2Hp/ppPlOcpJm3tlzhgEFAmoWCSAACgkQcpJm3tlz
hgFnGhAAp2RFrr9K76/JcpIjBnOORlssG3lSHElHrasD1f/rpsADuJjVzKO17JPE
8e9N0EsVG7Rcx90Qtlz+h0EZcZtLFe8Bc9L/rgMi6i5iZoZIBBCsooz/gLz1BMJ6
xA268sJBZu4ClCEnl4LybcnsMv8PmhTJuO6iap1BDTIOEPcQ2IDe6zpr7J5v+WS5
EyVC5B6yEP9KBUU+l7ZmeWnr4xh8i38JOh1YFCyl1QK7+u86SP6R9v2z6GFW+UVd
W0pPlHLdXtH0xZqeA7vDQ6tmTHKk/F1J4MwjWpITWRKBoqyFJLyS4+5N5Rdhp1Xr
3IfJvJpXZYVQnqky8oWKdfBF4AGil8gZ6sKYElkUXn8FUA8zXcWFhzrS34RBlBBk
3IDwveVRNKpWKY+SDtBglBuojtyUgdg1loQvs2PM1b15Piz2rN7xmy0zxhVgTg2O
G/A8mpPIKfBmtn0I+qEUGDeFcl4RVlCiE8jYw4rntTmLw2QFrquc6+MMZapgGiu8
TfY7vvSzjvO6+FOfz+LHRUY+k88NIydwIuudJv6kUOweP/sebzQDp8PRPAdIXkea
DtYZdrlvFKkBsopoz6HDQmMbgKpy1JsYEBtSzSTlQzetHt2QeeLCopiIt4OIAvyL
aB/w7Z4oLSslXoxACx7wHQBpca2PAoeZV7kVCnt6WUajw1sKiXc=
=x/wM
-----END PGP SIGNATURE-----
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds