{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [], "removed": [], "diff": [ "cloud-init", "cloud-init-base", "curl", "libcurl3t64-gnutls:armhf", "libcurl4t64:armhf", "libgnutls30t64:armhf", "libpng16-16t64:armhf", "systemd-hwe-hwdb", "wireless-regdb" ] } }, "diff": { "deb": [ { "name": "cloud-init", "from_version": { "source_package_name": "cloud-init", "source_package_version": "25.3~2g890873f5-0ubuntu2", "version": "25.3~2g890873f5-0ubuntu2" }, "to_version": { "source_package_name": "cloud-init", "source_package_version": "25.3-0ubuntu1~25.10.1", "version": "25.3-0ubuntu1~25.10.1" }, "cves": [], "launchpad_bugs_fixed": [ 2131604, 2127022, 2127022 ], "changes": [ { "cves": [], "log": [ "", " * d/p/deprecation-version-boundary.patch: Pin deprecation version to 25.3", " * Upstream snapshot based on 25.3. (LP: #2131604).", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/25.3/ChangeLog", "" ], "package": "cloud-init", "version": "25.3-0ubuntu1~25.10.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2131604 ], "author": "Chad Smith ", "date": "Thu, 11 Dec 2025 11:36:31 -0700" }, { "cves": [], "log": [ "", " * d/cloud-init-base.config: update migrate_debconf_settings to", " set an empty cloud-init/datasources value once it migrates the value to", " cloud-init-base/datasources. (LP: #2127022)", " * d/cloud-init-base.postinst: fix release upgrade affecting the set of", " multi-line debconf value cloud-init/local-cloud-config used by MAAS.", " (LP: #2127022)", "" ], "package": "cloud-init", "version": "25.3~2g890873f5-0ubuntu3", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2127022, 2127022 ], "author": "Chad Smith ", "date": "Mon, 27 Oct 2025 13:48:39 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "cloud-init-base", "from_version": { "source_package_name": "cloud-init", "source_package_version": "25.3~2g890873f5-0ubuntu2", "version": "25.3~2g890873f5-0ubuntu2" }, "to_version": { "source_package_name": "cloud-init", "source_package_version": "25.3-0ubuntu1~25.10.1", "version": "25.3-0ubuntu1~25.10.1" }, "cves": [], "launchpad_bugs_fixed": [ 2131604, 2127022, 2127022 ], "changes": [ { "cves": [], "log": [ "", " * d/p/deprecation-version-boundary.patch: Pin deprecation version to 25.3", " * Upstream snapshot based on 25.3. (LP: #2131604).", " List of changes from upstream can be found at", " https://raw.githubusercontent.com/canonical/cloud-init/25.3/ChangeLog", "" ], "package": "cloud-init", "version": "25.3-0ubuntu1~25.10.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2131604 ], "author": "Chad Smith ", "date": "Thu, 11 Dec 2025 11:36:31 -0700" }, { "cves": [], "log": [ "", " * d/cloud-init-base.config: update migrate_debconf_settings to", " set an empty cloud-init/datasources value once it migrates the value to", " cloud-init-base/datasources. (LP: #2127022)", " * d/cloud-init-base.postinst: fix release upgrade affecting the set of", " multi-line debconf value cloud-init/local-cloud-config used by MAAS.", " (LP: #2127022)", "" ], "package": "cloud-init", "version": "25.3~2g890873f5-0ubuntu3", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2127022, 2127022 ], "author": "Chad Smith ", "date": "Mon, 27 Oct 2025 13:48:39 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "curl", "from_version": { "source_package_name": "curl", "source_package_version": "8.14.1-2ubuntu1", "version": "8.14.1-2ubuntu1" }, "to_version": { "source_package_name": "curl", "source_package_version": "8.14.1-2ubuntu1.1", "version": "8.14.1-2ubuntu1.1" }, "cves": [ { "cve": "CVE-2025-9086", "url": "https://ubuntu.com/security/CVE-2025-9086", "cve_description": "1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-10148", "url": "https://ubuntu.com/security/CVE-2025-10148", "cve_description": "curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-11563", "url": "https://ubuntu.com/security/CVE-2025-11563", "cve_description": "URLs containing percent-encoded slashes (`/` or `\\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.", "cve_priority": "medium", "cve_public_date": "2026-02-25 08:16:00 UTC" }, { "cve": "CVE-2025-13034", "url": "https://ubuntu.com/security/CVE-2025-13034", "cve_description": "When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14017", "url": "https://ubuntu.com/security/CVE-2025-14017", "cve_description": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14524", "url": "https://ubuntu.com/security/CVE-2025-14524", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14819", "url": "https://ubuntu.com/security/CVE-2025-14819", "cve_description": "When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-9086", "url": "https://ubuntu.com/security/CVE-2025-9086", "cve_description": "1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-10148", "url": "https://ubuntu.com/security/CVE-2025-10148", "cve_description": "curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-11563", "url": "https://ubuntu.com/security/CVE-2025-11563", "cve_description": "URLs containing percent-encoded slashes (`/` or `\\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.", "cve_priority": "medium", "cve_public_date": "2026-02-25 08:16:00 UTC" }, { "cve": "CVE-2025-13034", "url": "https://ubuntu.com/security/CVE-2025-13034", "cve_description": "When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14017", "url": "https://ubuntu.com/security/CVE-2025-14017", "cve_description": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14524", "url": "https://ubuntu.com/security/CVE-2025-14524", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14819", "url": "https://ubuntu.com/security/CVE-2025-14819", "cve_description": "When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: cookie path out-of-bounds read", " - debian/patches/CVE-2025-9086.patch: don't treat the", " leading slash as trailing in lib/cookie.c", " - CVE-2025-9086", " * SECURITY UPDATE: predictable websocket frame mask", " - debian/patches/CVE-2025-10148.patch: get a new mask for each", " new outgoing frame in lib/ws.c", " - CVE-2025-10148", " * SECURITY UPDATE: wcurl output file directory escape", " - debian/patches/CVE-2025-11563.patch: dont percent-decode", " '/' or '\\' in output file name in scripts/wcurl.c", " - CVE-2025-11563", " * SECURITY UPDATE: No QUIC certificate pinning with GnuTLS", " - debian/patches/CVE-2025-13034.patch: call Curl_gtls_verifyserver", " unconditionally in lib/vquic/vquic-tls.c.", " - CVE-2025-13034", " * SECURITY UPDATE: multi-threaded TSL options leak", " - debian/patches/CVE-2025-14017.patch: call ldap_init() before", " setting the options in lib/ldap.c", " - CVE-2025-14017", " * SECURITY UPDATE: bearer token leak on cross-protocol redirect", " - debian/patches/CVE-2025-14524.patch: if redirected,", " require permission to use bearer in lib/curl_sasl.c", " - CVE-2025-14524", " * SECURITY UPDATE: OpenSSL partial chain store policy bypass", " - debian/patches/CVE-2025-14819.patch: toggling", " CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache in", " lib/vtls/openssl.c.", " - CVE-2025-14819", "" ], "package": "curl", "version": "8.14.1-2ubuntu1.1", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Elise Hlady ", "date": "Tue, 17 Feb 2026 15:07:06 -0800" } ], "notes": null, "is_version_downgrade": false }, { "name": "libcurl3t64-gnutls:armhf", "from_version": { "source_package_name": "curl", "source_package_version": "8.14.1-2ubuntu1", "version": "8.14.1-2ubuntu1" }, "to_version": { "source_package_name": "curl", "source_package_version": "8.14.1-2ubuntu1.1", "version": "8.14.1-2ubuntu1.1" }, "cves": [ { "cve": "CVE-2025-9086", "url": "https://ubuntu.com/security/CVE-2025-9086", "cve_description": "1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-10148", "url": "https://ubuntu.com/security/CVE-2025-10148", "cve_description": "curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-11563", "url": "https://ubuntu.com/security/CVE-2025-11563", "cve_description": "URLs containing percent-encoded slashes (`/` or `\\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.", "cve_priority": "medium", "cve_public_date": "2026-02-25 08:16:00 UTC" }, { "cve": "CVE-2025-13034", "url": "https://ubuntu.com/security/CVE-2025-13034", "cve_description": "When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14017", "url": "https://ubuntu.com/security/CVE-2025-14017", "cve_description": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14524", "url": "https://ubuntu.com/security/CVE-2025-14524", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14819", "url": "https://ubuntu.com/security/CVE-2025-14819", "cve_description": "When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-9086", "url": "https://ubuntu.com/security/CVE-2025-9086", "cve_description": "1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-10148", "url": "https://ubuntu.com/security/CVE-2025-10148", "cve_description": "curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-11563", "url": "https://ubuntu.com/security/CVE-2025-11563", "cve_description": "URLs containing percent-encoded slashes (`/` or `\\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.", "cve_priority": "medium", "cve_public_date": "2026-02-25 08:16:00 UTC" }, { "cve": "CVE-2025-13034", "url": "https://ubuntu.com/security/CVE-2025-13034", "cve_description": "When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14017", "url": "https://ubuntu.com/security/CVE-2025-14017", "cve_description": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14524", "url": "https://ubuntu.com/security/CVE-2025-14524", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14819", "url": "https://ubuntu.com/security/CVE-2025-14819", "cve_description": "When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: cookie path out-of-bounds read", " - debian/patches/CVE-2025-9086.patch: don't treat the", " leading slash as trailing in lib/cookie.c", " - CVE-2025-9086", " * SECURITY UPDATE: predictable websocket frame mask", " - debian/patches/CVE-2025-10148.patch: get a new mask for each", " new outgoing frame in lib/ws.c", " - CVE-2025-10148", " * SECURITY UPDATE: wcurl output file directory escape", " - debian/patches/CVE-2025-11563.patch: dont percent-decode", " '/' or '\\' in output file name in scripts/wcurl.c", " - CVE-2025-11563", " * SECURITY UPDATE: No QUIC certificate pinning with GnuTLS", " - debian/patches/CVE-2025-13034.patch: call Curl_gtls_verifyserver", " unconditionally in lib/vquic/vquic-tls.c.", " - CVE-2025-13034", " * SECURITY UPDATE: multi-threaded TSL options leak", " - debian/patches/CVE-2025-14017.patch: call ldap_init() before", " setting the options in lib/ldap.c", " - CVE-2025-14017", " * SECURITY UPDATE: bearer token leak on cross-protocol redirect", " - debian/patches/CVE-2025-14524.patch: if redirected,", " require permission to use bearer in lib/curl_sasl.c", " - CVE-2025-14524", " * SECURITY UPDATE: OpenSSL partial chain store policy bypass", " - debian/patches/CVE-2025-14819.patch: toggling", " CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache in", " lib/vtls/openssl.c.", " - CVE-2025-14819", "" ], "package": "curl", "version": "8.14.1-2ubuntu1.1", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Elise Hlady ", "date": "Tue, 17 Feb 2026 15:07:06 -0800" } ], "notes": null, "is_version_downgrade": false }, { "name": "libcurl4t64:armhf", "from_version": { "source_package_name": "curl", "source_package_version": "8.14.1-2ubuntu1", "version": "8.14.1-2ubuntu1" }, "to_version": { "source_package_name": "curl", "source_package_version": "8.14.1-2ubuntu1.1", "version": "8.14.1-2ubuntu1.1" }, "cves": [ { "cve": "CVE-2025-9086", "url": "https://ubuntu.com/security/CVE-2025-9086", "cve_description": "1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-10148", "url": "https://ubuntu.com/security/CVE-2025-10148", "cve_description": "curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-11563", "url": "https://ubuntu.com/security/CVE-2025-11563", "cve_description": "URLs containing percent-encoded slashes (`/` or `\\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.", "cve_priority": "medium", "cve_public_date": "2026-02-25 08:16:00 UTC" }, { "cve": "CVE-2025-13034", "url": "https://ubuntu.com/security/CVE-2025-13034", "cve_description": "When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14017", "url": "https://ubuntu.com/security/CVE-2025-14017", "cve_description": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14524", "url": "https://ubuntu.com/security/CVE-2025-14524", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14819", "url": "https://ubuntu.com/security/CVE-2025-14819", "cve_description": "When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-9086", "url": "https://ubuntu.com/security/CVE-2025-9086", "cve_description": "1. A cookie is set using the `secure` keyword for `https://target` 2. curl is redirected to or otherwise made to speak with `http://target` (same hostname, but using clear text HTTP) using the same cookie set 3. The same cookie name is set - but with just a slash as path (`path=\\\"/\\\",`). Since this site is not secure, the cookie *should* just be ignored. 4. A bug in the path comparison logic makes curl read outside a heap buffer boundary The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path. The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-10148", "url": "https://ubuntu.com/security/CVE-2025-10148", "cve_description": "curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection. A predictable mask pattern allows for a malicious server to induce traffic between the two communicating parties that could be interpreted by an involved proxy (configured or transparent) as genuine, real, HTTP traffic with content and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.", "cve_priority": "low", "cve_public_date": "2025-09-12 06:15:00 UTC" }, { "cve": "CVE-2025-11563", "url": "https://ubuntu.com/security/CVE-2025-11563", "cve_description": "URLs containing percent-encoded slashes (`/` or `\\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool.", "cve_priority": "medium", "cve_public_date": "2026-02-25 08:16:00 UTC" }, { "cve": "CVE-2025-13034", "url": "https://ubuntu.com/security/CVE-2025-13034", "cve_description": "When using `CURLOPT_PINNEDPUBLICKEY` option with libcurl or `--pinnedpubkey` with the curl tool,curl should check the public key of the server certificate to verify the peer. This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14017", "url": "https://ubuntu.com/security/CVE-2025-14017", "cve_description": "When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers. Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.", "cve_priority": "medium", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14524", "url": "https://ubuntu.com/security/CVE-2025-14524", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" }, { "cve": "CVE-2025-14819", "url": "https://ubuntu.com/security/CVE-2025-14819", "cve_description": "When doing TLS related transfers with reused easy or multi handles and altering the `CURLSSLOPT_NO_PARTIALCHAIN` option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.", "cve_priority": "low", "cve_public_date": "2026-01-08 10:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: cookie path out-of-bounds read", " - debian/patches/CVE-2025-9086.patch: don't treat the", " leading slash as trailing in lib/cookie.c", " - CVE-2025-9086", " * SECURITY UPDATE: predictable websocket frame mask", " - debian/patches/CVE-2025-10148.patch: get a new mask for each", " new outgoing frame in lib/ws.c", " - CVE-2025-10148", " * SECURITY UPDATE: wcurl output file directory escape", " - debian/patches/CVE-2025-11563.patch: dont percent-decode", " '/' or '\\' in output file name in scripts/wcurl.c", " - CVE-2025-11563", " * SECURITY UPDATE: No QUIC certificate pinning with GnuTLS", " - debian/patches/CVE-2025-13034.patch: call Curl_gtls_verifyserver", " unconditionally in lib/vquic/vquic-tls.c.", " - CVE-2025-13034", " * SECURITY UPDATE: multi-threaded TSL options leak", " - debian/patches/CVE-2025-14017.patch: call ldap_init() before", " setting the options in lib/ldap.c", " - CVE-2025-14017", " * SECURITY UPDATE: bearer token leak on cross-protocol redirect", " - debian/patches/CVE-2025-14524.patch: if redirected,", " require permission to use bearer in lib/curl_sasl.c", " - CVE-2025-14524", " * SECURITY UPDATE: OpenSSL partial chain store policy bypass", " - debian/patches/CVE-2025-14819.patch: toggling", " CURLSSLOPT_NO_PARTIALCHAIN makes a different CA cache in", " lib/vtls/openssl.c.", " - CVE-2025-14819", "" ], "package": "curl", "version": "8.14.1-2ubuntu1.1", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Elise Hlady ", "date": "Tue, 17 Feb 2026 15:07:06 -0800" } ], "notes": null, "is_version_downgrade": false }, { "name": "libgnutls30t64:armhf", "from_version": { "source_package_name": "gnutls28", "source_package_version": "3.8.9-3ubuntu2", "version": "3.8.9-3ubuntu2" }, "to_version": { "source_package_name": "gnutls28", "source_package_version": "3.8.9-3ubuntu2.1", "version": "3.8.9-3ubuntu2.1" }, "cves": [ { "cve": "CVE-2025-14831", "url": "https://ubuntu.com/security/CVE-2025-14831", "cve_description": "A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).", "cve_priority": "medium", "cve_public_date": "2026-02-09 15:16:00 UTC" }, { "cve": "CVE-2025-9820", "url": "https://ubuntu.com/security/CVE-2025-9820", "cve_description": "A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.", "cve_priority": "low", "cve_public_date": "2026-01-26 20:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14831", "url": "https://ubuntu.com/security/CVE-2025-14831", "cve_description": "A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).", "cve_priority": "medium", "cve_public_date": "2026-02-09 15:16:00 UTC" }, { "cve": "CVE-2025-9820", "url": "https://ubuntu.com/security/CVE-2025-9820", "cve_description": "A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.", "cve_priority": "low", "cve_public_date": "2026-01-26 20:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: DoS via malicious certificates", " - debian/patches/CVE-2025-14831-*.patch: rework processing algorithms", " to exhibit better performance characteristics in", " lib/x509/name_constraints.c, tests/name-constraints-ip.c.", " - CVE-2025-14831", " * SECURITY UPDATE: stack overflow via long token label", " - debian/patches/CVE-2025-9820.patch: avoid stack overwrite when", " initializing a token in lib/pkcs11_write.c, tests/Makefile.am,", " tests/pkcs11/long-label.c.", " - CVE-2025-9820", "" ], "package": "gnutls28", "version": "3.8.9-3ubuntu2.1", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 10 Feb 2026 09:22:00 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpng16-16t64:armhf", "from_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.50-1ubuntu0.3", "version": "1.6.50-1ubuntu0.3" }, "to_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.50-1ubuntu0.4", "version": "1.6.50-1ubuntu0.4" }, "cves": [ { "cve": "CVE-2026-25646", "url": "https://ubuntu.com/security/CVE-2026-25646", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.", "cve_priority": "medium", "cve_public_date": "2026-02-10 18:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-25646", "url": "https://ubuntu.com/security/CVE-2026-25646", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.", "cve_priority": "medium", "cve_public_date": "2026-02-10 18:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OOB read in png_set_quantize()", " - debian/patches/CVE-2026-25646.patch: fix a heap buffer overflow in", " pngrtran.c.", " - CVE-2026-25646", "" ], "package": "libpng1.6", "version": "1.6.50-1ubuntu0.4", "urgency": "medium", "distributions": "questing-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 11 Feb 2026 09:23:07 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-hwe-hwdb", "from_version": { "source_package_name": "systemd-hwe", "source_package_version": "257.7.1", "version": "257.7.1" }, "to_version": { "source_package_name": "systemd-hwe", "source_package_version": "257.7.2", "version": "257.7.2" }, "cves": [], "launchpad_bugs_fixed": [ 2138596 ], "changes": [ { "cves": [], "log": [ "", " * Add Mic mute key mapping for HP Eliteboard (LP: #2138596)", "" ], "package": "systemd-hwe", "version": "257.7.2", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2138596 ], "author": "Dirk Su ", "date": "Mon, 02 Feb 2026 09:17:12 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "wireless-regdb", "from_version": { "source_package_name": "wireless-regdb", "source_package_version": "2025.07.10-0ubuntu1", "version": "2025.07.10-0ubuntu1" }, "to_version": { "source_package_name": "wireless-regdb", "source_package_version": "2025.10.07-0ubuntu1~25.10.1", "version": "2025.10.07-0ubuntu1~25.10.1" }, "cves": [], "launchpad_bugs_fixed": [ 2138403, 2138403 ], "changes": [ { "cves": [], "log": [ "", " * Backport to questing (LP: #2138403)", "" ], "package": "wireless-regdb", "version": "2025.10.07-0ubuntu1~25.10.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2138403 ], "author": "Noah Wager ", "date": "Wed, 14 Jan 2026 13:24:13 -0800" }, { "cves": [], "log": [ "", " * New upstream version 2025.10.07 (LP: #2138403)", "" ], "package": "wireless-regdb", "version": "2025.10.07-0ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2138403 ], "author": "Noah Wager ", "date": "Wed, 14 Jan 2026 13:15:49 -0800" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 25.10 questing image from release image serial 20260212 to 20260226", "from_series": "questing", "to_series": "questing", "from_serial": "20260212", "to_serial": "20260226", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }