{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "binutils",
                "binutils-arm-linux-gnueabihf",
                "binutils-common:armhf",
                "bpftrace",
                "dracut",
                "dracut-core",
                "dracut-network",
                "libbinutils:armhf",
                "libc-dev-bin",
                "libc6-dev:armhf",
                "libclang1-21",
                "libctf-nobfd0:armhf",
                "libctf0:armhf",
                "libdw1t64:armhf",
                "libgpgme45:armhf",
                "libnvme1t64:armhf",
                "libsframe3:armhf",
                "linux-headers-7.0.0-10",
                "linux-headers-7.0.0-10-generic",
                "linux-image-7.0.0-10-generic",
                "linux-libc-dev:armhf",
                "linux-modules-7.0.0-10-generic",
                "linux-tools-7.0.0-10",
                "linux-tools-7.0.0-10-generic",
                "manpages-dev",
                "python3.14",
                "python3.14-minimal",
                "rpcsvc-proto"
            ],
            "removed": [
                "cryptsetup-initramfs",
                "initramfs-tools",
                "libarchive13t64:armhf",
                "libgpgme11t64:armhf",
                "libnvme1t64",
                "libprotobuf-c1:armhf",
                "linux-headers-6.19.0-6",
                "linux-headers-6.19.0-6-generic",
                "linux-image-6.19.0-6-generic",
                "linux-modules-6.19.0-6-generic",
                "linux-tools-6.19.0-6",
                "linux-tools-6.19.0-6-generic",
                "python3.13-gdbm"
            ],
            "diff": [
                "apparmor",
                "apport",
                "apport-core-dump-handler",
                "bash",
                "bcache-tools",
                "bpfcc-tools",
                "bpftool",
                "bsdextrautils",
                "bsdutils",
                "btrfs-progs",
                "ca-certificates",
                "cloud-init",
                "cloud-init-base",
                "cloud-initramfs-copymods",
                "cloud-initramfs-dyn-netconf",
                "console-setup",
                "console-setup-linux",
                "cryptsetup",
                "cryptsetup-bin",
                "curl",
                "dbus",
                "dbus-bin",
                "dbus-daemon",
                "dbus-session-bus-common",
                "dbus-system-bus-common",
                "dbus-user-session",
                "debconf",
                "debconf-i18n",
                "device-tree-compiler",
                "distro-info",
                "dpkg",
                "dracut-install",
                "e2fsprogs",
                "eject",
                "ethtool",
                "exfatprogs",
                "fdisk",
                "file",
                "flash-kernel",
                "fwupd",
                "gcc-16-base:armhf",
                "gir1.2-girepository-3.0:armhf",
                "gir1.2-glib-2.0:armhf",
                "git",
                "git-man",
                "gnu-coreutils",
                "grub-efi-arm",
                "grub-efi-arm-bin",
                "grub-efi-arm-unsigned",
                "grub2-common",
                "gzip",
                "ibverbs-providers:armhf",
                "info",
                "initramfs-tools-bin",
                "initramfs-tools-core",
                "install-info",
                "keyboard-configuration",
                "kpartx",
                "krb5-locales",
                "landscape-common",
                "libapparmor1:armhf",
                "libatomic1:armhf",
                "libattr1:armhf",
                "libaudit-common",
                "libaudit1:armhf",
                "libblkid1:armhf",
                "libbpf1:armhf",
                "libbpfcc:armhf",
                "libbrotli1:armhf",
                "libc-bin",
                "libc-gconv-modules-extra:armhf",
                "libc6:armhf",
                "libcap-ng0:armhf",
                "libclang-cpp21",
                "libcom-err2:armhf",
                "libcryptsetup12:armhf",
                "libcurl3t64-gnutls:armhf",
                "libcurl4t64:armhf",
                "libdbus-1-3:armhf",
                "libelf1t64:armhf",
                "libext2fs2t64:armhf",
                "libfdisk1:armhf",
                "libfdt1:armhf",
                "libfreetype6:armhf",
                "libfwupd3:armhf",
                "libgcc-s1:armhf",
                "libgirepository-2.0-0:armhf",
                "libglib2.0-0t64:armhf",
                "libglib2.0-bin",
                "libglib2.0-data",
                "libgnutls30t64:armhf",
                "libgssapi-krb5-2:armhf",
                "libgstreamer1.0-0:armhf",
                "libibverbs1:armhf",
                "libicu78:armhf",
                "libjcat1:armhf",
                "libjson-c5:armhf",
                "libk5crypto3:armhf",
                "libkrb5-3:armhf",
                "libkrb5support0:armhf",
                "liblastlog2-2:armhf",
                "libllvm21:armhf",
                "liblz4-1:armhf",
                "libmagic-mgc",
                "libmagic1t64:armhf",
                "libmm-glib0:armhf",
                "libmount1:armhf",
                "libmpathcmd0",
                "libmpathpersist0",
                "libmultipath0",
                "libnetplan1:armhf",
                "libnewt0.52:armhf",
                "libnghttp2-14:armhf",
                "libnss-systemd:armhf",
                "libnss3:armhf",
                "libopeniscsiusr",
                "libp11-kit0:armhf",
                "libpam-systemd:armhf",
                "libpcap0.8t64:armhf",
                "libperl5.40:armhf",
                "libplymouth5:armhf",
                "libpython3-stdlib:armhf",
                "libpython3.13-minimal:armhf",
                "libpython3.13-stdlib:armhf",
                "libpython3.14:armhf",
                "libpython3.14-minimal:armhf",
                "libpython3.14-stdlib:armhf",
                "libreadline8t64:armhf",
                "libsasl2-2:armhf",
                "libsasl2-modules:armhf",
                "libsasl2-modules-db:armhf",
                "libseccomp2:armhf",
                "libselinux1:armhf",
                "libsemanage-common",
                "libsemanage2:armhf",
                "libsgutils2-1.48:armhf",
                "libsmartcols1:armhf",
                "libss2:armhf",
                "libssh2-1t64:armhf",
                "libssl3t64:armhf",
                "libstdc++6:armhf",
                "libsystemd-shared:armhf",
                "libsystemd0:armhf",
                "libtirpc-common",
                "libtirpc3t64:armhf",
                "libudev1:armhf",
                "libudisks2-0:armhf",
                "libunistring5:armhf",
                "libuuid1:armhf",
                "libvolume-key1:armhf",
                "libxml2-16:armhf",
                "linux-base",
                "linux-headers-generic",
                "linux-headers-virtual",
                "linux-image-virtual",
                "linux-sysctl-defaults",
                "linux-tools-common",
                "linux-virtual",
                "locales",
                "login",
                "logsave",
                "lshw",
                "lxd-agent-loader",
                "mdadm",
                "modemmanager",
                "mount",
                "multipath-tools",
                "netbase",
                "netplan-generator",
                "netplan.io",
                "open-iscsi",
                "openssh-client",
                "openssh-server",
                "openssh-sftp-server",
                "openssl",
                "openssl-provider-legacy",
                "overlayroot",
                "perl",
                "perl-base",
                "perl-modules-5.40",
                "plymouth",
                "plymouth-theme-ubuntu-text",
                "python-apt-common",
                "python3",
                "python3-apport",
                "python3-apt",
                "python3-bcrypt",
                "python3-bpfcc",
                "python3-cffi-backend:armhf",
                "python3-cryptography",
                "python3-dbus",
                "python3-debconf",
                "python3-distro-info",
                "python3-distupgrade",
                "python3-gdbm",
                "python3-gi",
                "python3-jinja2",
                "python3-markupsafe",
                "python3-minimal",
                "python3-netplan",
                "python3-openssl",
                "python3-packaging",
                "python3-pkg-resources",
                "python3-problem-report",
                "python3-pyasn1",
                "python3-pyparsing",
                "python3-setuptools",
                "python3-systemd",
                "python3-typeguard",
                "python3-update-manager",
                "python3-urllib3",
                "python3-yaml",
                "python3-zope.interface",
                "python3.13",
                "python3.13-minimal",
                "python3.14-gdbm",
                "readline-common",
                "rsyslog",
                "rust-coreutils",
                "sg3-utils",
                "sg3-utils-udev",
                "snapd",
                "squashfs-tools",
                "strace",
                "sudo",
                "sudo-rs",
                "systemd",
                "systemd-cryptsetup",
                "systemd-hwe-hwdb",
                "systemd-resolved",
                "systemd-sysv",
                "tcpdump",
                "trace-cmd",
                "tzdata",
                "ubuntu-kernel-accessories",
                "ubuntu-minimal",
                "ubuntu-pro-client",
                "ubuntu-pro-client-l10n",
                "ubuntu-release-upgrader-core",
                "ubuntu-server",
                "ubuntu-standard",
                "ucf",
                "udev",
                "udisks2",
                "unattended-upgrades",
                "update-manager-core",
                "util-linux",
                "util-linux-extra",
                "uuid-runtime",
                "vim",
                "vim-common",
                "vim-runtime",
                "vim-tiny",
                "whiptail",
                "wireless-regdb",
                "xkb-data",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "apparmor",
                "from_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "5.0.0~alpha1-0ubuntu11",
                    "version": "5.0.0~alpha1-0ubuntu11"
                },
                "to_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "5.0.0~beta1-0ubuntu5",
                    "version": "5.0.0~beta1-0ubuntu5"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-9615",
                        "url": "https://ubuntu.com/security/CVE-2025-9615",
                        "cve_description": "A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-26 20:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2144679,
                    2137395,
                    2143810,
                    2142788,
                    2142885
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add patches for network iface mediation in the parser (LP: #2144679):",
                            "    - d/p/u/0001-parser-add-more-reserved-mediation-classes.patch",
                            "    - d/p/u/0002-parser-convert-conditionals-operators-to-an-enum.patch",
                            "    - d/p/u/0003-parser-add-override-assign-to-cond-list-elements.patch",
                            "    - d/p/u/0004-parser-support-network-interface-conditional.patch",
                            "    - d/p/u/0005-tests-add-network-interface-tests.patch",
                            "  * debian/control: add socat test dependency to Build-Depends",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "5.0.0~beta1-0ubuntu5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144679
                        ],
                        "author": "Ryan Lee <ryan.lee@canonical.com>",
                        "date": "Thu, 19 Mar 2026 08:46:13 -0700"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add patch from upstream to fix transmission (LP: #2137395)",
                            "    - d/p/u/transmission-common-fixes-for-lp-2137395.patch",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "5.0.0~beta1-0ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2137395
                        ],
                        "author": "Alex Murray <murray.alex@gmail.com>",
                        "date": "Wed, 18 Mar 2026 23:02:41 +1030"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-9615",
                                "url": "https://ubuntu.com/security/CVE-2025-9615",
                                "cve_description": "A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-26 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Add patch to fix openvpn loading of NetworkManager copied certificates",
                            "    after CVE-2025-9615 fix (LP: #2143810):",
                            "    - d/p/u/openvpn_networkmanager_rundir.patch",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "5.0.0~beta1-0ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143810
                        ],
                        "author": "Ryan Lee <ryan.lee@canonical.com>",
                        "date": "Wed, 11 Mar 2026 11:33:40 -0700"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add patch to fix libapparmor Python aa_get_lsm_iface binding",
                            "    (LP: #2142788):",
                            "    - d/p/u/libapparmor-move-aa_get_lsm_iface-decl-in-libapparmor.patch",
                            "  * Add patches to fix parser tempfile umask (LP: #2142885):",
                            "    - d/p/u/0001-parser-set-umask-before-creating-temp-file.patch",
                            "    - d/p/u/0002-parser-restrict-umask-to-allow-only-user-permissions.patch",
                            "  * Add test for libapparmor feature prefix parse issue (LP 2105986):",
                            "    - d/p/u/libapparmor-add-test-for-libapparmor-features-prefix.patch",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "5.0.0~beta1-0ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142788,
                            2142885
                        ],
                        "author": "Ryan Lee <ryan.lee@canonical.com>",
                        "date": "Fri, 27 Feb 2026 09:48:42 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/tests: Update libreoffice profile names",
                            "",
                            "  [ Ryan Lee ]",
                            "  * New upstream release.",
                            "  * debian/control: add libzstd-dev to list of dependencies",
                            "  * debian/libapparmor1.symbols: Add new libapparmor symbols to file",
                            "  * Refresh patches to apply to new release:",
                            "    - d/p/u/communitheme-snap-support.patch",
                            "    - d/p/u/profiles-grant-access-to-systemd-resolved.patch",
                            "  * Drop patches that were superseded upstream:",
                            "    - d/p/u/parser-fix-pam_apparmor-regression-test-failures.patch",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "5.0.0~beta1-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Ryan Lee <ryan.lee@canonical.com>",
                        "date": "Thu, 19 Feb 2026 09:57:16 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Update patches to apply to new release:",
                            "    - d/p/d/Enable-writing-cache.patch",
                            "    - d/p/u/Move-the-bwrap-userns-restrict-profile-out-of-extras.patch",
                            "    - d/p/u/delete-the-busybox-and-nautilus-profiles.patch",
                            "    - d/p/u/profiles_remove_hwctl.patch",
                            "    - d/p/u/profiles_disable_free.patch",
                            "    - d/p/u/profiles_disable_curl.patch",
                            "    - d/p/u/profiles_add_more_consoles_workaround.patch",
                            "    - d/p/u/profiles-use-coreutils-tunable.patch",
                            "  * Refresh patches to apply to new release:",
                            "    - d/p/u/parser-fix-pam_apparmor-regression-test-failures.patch",
                            "    - d/p/u/aa-notify-userns-filtering.patch",
                            "    - d/p/u/aa-notify-fallback-to-ev-comm-when-ev-execpath.patch",
                            "  * Drop patches that were applied upstream:",
                            "    - d/p/u/userns-runtime-disable.patch",
                            "    - d/p/u/userns-runtime-disable-fix-for-6_14.patch",
                            "    - d/p/u/parser-fix-variable-expansion.patch",
                            "    - d/p/u/nss-systemd-grant-access-to-gdm-user-db.patch",
                            "    - d/p/u/parser-fix-misc-leaks.patch",
                            "    - d/p/u/parser-fix-more-parser-leaks.patch",
                            "    - d/p/u/curl_read_tmp.patch",
                            "    - d/p/u/curl_access_snapd_socket.patch",
                            "    - d/p/u/unix_chkpwd_authd.patch",
                            "    - d/p/u/profiles_dig_add_abstractions_consoles.patch",
                            "    - d/p/u/profiles_fix_systemd_detect_virt_new_denials.patch",
                            "    - d/p/u/profiles_expand_libnuma_abstraction",
                            "    - d/p/u/regression_disconnected_mount_complain_danglings.patch",
                            "    - d/p/u/regression_disconnected_mount_complain_fix_6_15.patch",
                            "    - d/p/u/utils_test_aa_show_usage_handle_disabled.patch",
                            "    - d/p/u/profiles-add-rules-for-pam-extrausers.so-to-unix-chkpwd.patch",
                            "    - d/p/u/parser_libapparmor_re_fix_inconsistent_build.patch",
                            "    - d/p/u/parser_libapparmor_re_fix_implied_m.patch",
                            "    - d/p/u/0001-tests-regression-Update-socketpair-test-for-upstream.patch",
                            "    - d/p/u/0002-tests-regression-update-socketpair-tests-to-detect-d.patch",
                            "    - d/p/u/0003-tests-regression-update-socketpair-tests-to-detect-d.patch",
                            "    - d/p/u/0004-tests-regressions-Improve-output-of-require_any_of_k.patch",
                            "    - d/p/u/0005-tests-regression-update-network-requirements-for-v9.patch",
                            "    - d/p/u/0006-regression-tests-update-logic-to-support-v9-af_unix-.patch",
                            "    - d/p/u/0007-tests-regressions-Fix-socket-pair-for-v7-semantics.patch",
                            "    - d/p/u/parser-fix-unix-addresses-with-alternations.patch",
                            "    - d/p/u/profiles-add-rules-to-fix-flatpaks-with-fuse3-17.patch",
                            "    - d/p/u/profiles-grant-netrc-read-access-to-tnftp.patch",
                            "    - d/p/u/profiles-systemd-detect-virt-handle-device-tree-folder.patch",
                            "    - d/p/u/lsblk_read_access_azure_acpi.patch",
                            "    - d/p/u/regression-fix-for-rust-coreutils.patch",
                            "    - d/p/u/utils-remove-global-_-from-aa-notify-main.patch",
                            "    - d/p/u/0001-libapparmor-change-setup.py-to-remove-the-need-for-_.patch",
                            "    - d/p/u/0002-libapparmor-remove-__init__.py-not-needed-for-SWIG-P.patch",
                            "    - d/p/u/utils-test-use-sys.executable-when-launching-aa-show.patch",
                            "  * d/apparmor.install, d/not-installed: account for new location",
                            "    of init scripts",
                            "  * d/rules:",
                            "    - account for new location of init scripts",
                            "    - specify LD_LIBRARY_PATH during testing to use locally built",
                            "      libapparmor for libapparmor.so",
                            "  * d/watch: point towards GitLab tarballs instead and update regexes",
                            "  * debian/apparmor-profiles.install: account for remmina profile being",
                            "    moved to extra-profiles upstream",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "5.0.0~alpha6-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Ryan Lee <ryan.lee@canonical.com>",
                        "date": "Mon, 09 Feb 2026 11:15:02 -0800"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "apport",
                "from_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.33.1-0ubuntu3",
                    "version": "2.33.1-0ubuntu3"
                },
                "to_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.33.1-0ubuntu7",
                    "version": "2.33.1-0ubuntu7"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143758,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Enable Launchpad crash reports for resolute",
                            "  * parse_segv.py: ignore registers with unavailable values (like pl3_ssp)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Thu, 26 Mar 2026 17:32:38 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update apport-kde to Qt6 (LP: 2145946)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Erich Eickmeyer <eeickmeyer@ubuntu.com>",
                        "date": "Mon, 23 Mar 2026 20:29:09 -0700"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix FTBFS due to Python 3.14 (LP: #2143758)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143758
                        ],
                        "author": "Carlos Nihelton <cnihelton@ubuntu.com>",
                        "date": "Mon, 09 Mar 2026 17:01:15 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:16:39 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "apport-core-dump-handler",
                "from_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.33.1-0ubuntu3",
                    "version": "2.33.1-0ubuntu3"
                },
                "to_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.33.1-0ubuntu7",
                    "version": "2.33.1-0ubuntu7"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143758,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Enable Launchpad crash reports for resolute",
                            "  * parse_segv.py: ignore registers with unavailable values (like pl3_ssp)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Thu, 26 Mar 2026 17:32:38 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update apport-kde to Qt6 (LP: 2145946)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Erich Eickmeyer <eeickmeyer@ubuntu.com>",
                        "date": "Mon, 23 Mar 2026 20:29:09 -0700"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix FTBFS due to Python 3.14 (LP: #2143758)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143758
                        ],
                        "author": "Carlos Nihelton <cnihelton@ubuntu.com>",
                        "date": "Mon, 09 Mar 2026 17:01:15 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:16:39 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "bash",
                "from_version": {
                    "source_package_name": "bash",
                    "source_package_version": "5.3-1ubuntu1",
                    "version": "5.3-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "bash",
                    "source_package_version": "5.3-2ubuntu1",
                    "version": "5.3-2ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes same as in 5.3-1ubuntu1.",
                            ""
                        ],
                        "package": "bash",
                        "version": "5.3-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 13 Feb 2026 13:16:08 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Apply upstream patches 004 - 009.",
                            "  * Bump standards version.",
                            ""
                        ],
                        "package": "bash",
                        "version": "5.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Fri, 13 Feb 2026 11:43:30 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "bcache-tools",
                "from_version": {
                    "source_package_name": "bcache-tools",
                    "source_package_version": "1.0.8-5build2",
                    "version": "1.0.8-5build2"
                },
                "to_version": {
                    "source_package_name": "bcache-tools",
                    "source_package_version": "1.0.8-5ubuntu1",
                    "version": "1.0.8-5ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2142775
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Recommend dracut as default initrd generator (LP: #2142775)",
                            ""
                        ],
                        "package": "bcache-tools",
                        "version": "1.0.8-5ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142775
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 17:49:50 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "bpfcc-tools",
                "from_version": {
                    "source_package_name": "bpfcc",
                    "source_package_version": "0.35.0+ds-1ubuntu1",
                    "version": "0.35.0+ds-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "bpfcc",
                    "source_package_version": "0.35.0+ds-1ubuntu2",
                    "version": "0.35.0+ds-1ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to build with LLVM 21 on amd64v3.",
                            ""
                        ],
                        "package": "bpfcc",
                        "version": "0.35.0+ds-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Mon, 16 Mar 2026 12:30:24 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "bpftool",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.19.0-6.6",
                    "version": "7.7.0+6.19.0-6.6"
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-10.10",
                    "version": "7.7.0+7.0.0-10.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144865,
                    2144735,
                    2142775,
                    2144652,
                    2143197,
                    2139276,
                    2143974,
                    1990064,
                    2142956,
                    2141298,
                    2028253,
                    2028253,
                    2102680,
                    2028253,
                    2032602,
                    2143243,
                    2143203,
                    2110092,
                    2143745,
                    2143700,
                    2143181,
                    2143123,
                    2141276,
                    2106681,
                    2121347,
                    2138328,
                    2143020,
                    2142764,
                    2142402
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-10.10 -proposed tracker (LP: #2144865)",
                            "",
                            "  * Miscellaneous upstream changes",
                            "    - Revert \"powerpc: fix KUAP warning in VMX usercopy path\"",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-10.10",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144865
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 19 Mar 2026 09:44:11 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-9.9 -proposed tracker (LP: #2144735)",
                            "",
                            "  * Please make dracut the default initrd generator (LP: #2142775)",
                            "    - [Packaging] recommends dracut instead of initramfs-tools",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - SAUCE: Change RISC-V target to RVA23 (riscv64a23-unknown-linux-gnu)",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-9.9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144735,
                            2142775
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 18 Mar 2026 13:11:06 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-8.8 -proposed tracker (LP: #2144652)",
                            "",
                            "  * UBUNTU: SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "    (LP: #2143197)",
                            "    - SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "",
                            "  * [usrmerge] evaluate kernel owned packages for DEP17 compliance",
                            "    (LP: #2139276)",
                            "    - [Packaging] Install modules in /usr/lib/modules",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] hardening: enable LIST_HARDENED",
                            "    - [Config] hardening: disable LDISC_AUTOLOAD",
                            "    - [Config] hardening: disable LEGACY_PTYS",
                            "    - [Config] updateconfigs following v7.0-rc4 rebase",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-8.8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144652,
                            2143197,
                            2139276
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Tue, 17 Mar 2026 18:01:36 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-7.7 -proposed tracker (LP: #2143974)",
                            "",
                            "  * unconfined profile denies userns_create for chromium based processes",
                            "    (LP: #1990064)",
                            "    - [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS",
                            "",
                            "  * Jellyfin Desktop Flatpak doesn't work with the current AppArmor profile",
                            "    (LP: #2142956)",
                            "    - SAUCE: apparmor5.0.0 [29/29]: apparmor: fix fine grained inet mediation",
                            "      sock_file_perm",
                            "",
                            "  * AppArmor blocks write(2) to network sockets with Linux 6.19 (LP: #2141298)",
                            "    - SAUCE: apparmor5.0.0 [28/29]: apparmor: fix aa_label_sk_perm to check",
                            "      for RULE_MEDIATES_NET",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253)",
                            "    - SAUCE: apparmor5.0.0 [1/29]: Stacking: LSM: Single calls in secid hooks",
                            "    - SAUCE: apparmor5.0.0 [2/29]: Stacking: LSM: Exclusive secmark usage",
                            "    - SAUCE: apparmor5.0.0 [3/29]: Stacking: AppArmor: Remove the exclusive",
                            "      flag",
                            "    - SAUCE: apparmor5.0.0 [4/29]: Revert \"apparmor: fix dbus permission",
                            "      queries to v9 ABI\"",
                            "    - SAUCE: apparmor5.0.0 [5/29]: Revert \"apparmor: gate make fine grained",
                            "      unix mediation behind v9 abi\"",
                            "    - SAUCE: apparmor5.0.0 [6/29]: apparmor: net: patch to provide",
                            "      compatibility with v2.x net rules",
                            "    - SAUCE: apparmor5.0.0 [7/29]: apparmor: net: add fine grained ipv4/ipv6",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [8/29]: apparmor: lift compatibility check out of",
                            "      profile_af_perm",
                            "    - SAUCE: apparmor5.0.0 [9/29]: apparmor: userns: add unprivileged user ns",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [10/29]: apparmor: userns: Add sysctls for",
                            "      additional controls of unpriv userns restrictions",
                            "    - SAUCE: apparmor5.0.0 [12/29]: apparmor: userns: open userns related",
                            "      sysctl so lxc can check if restriction are in place",
                            "    - SAUCE: apparmor5.0.0 [13/29]: apparmor: userns: allow profile to be",
                            "      transitioned when a userns is created",
                            "    - SAUCE: apparmor5.0.0 [14/29]: apparmor: mqueue: call",
                            "      security_inode_init_security on inode creation",
                            "    - SAUCE: apparmor5.0.0 [15/29]: apparmor: mqueue: add fine grained",
                            "      mediation of posix mqueues",
                            "    - SAUCE: apparmor5.0.0 [16/29]: apparmor: uring: add io_uring mediation",
                            "    - SAUCE: apparmor5.0.0 [19/29]: apparmor: prompt: setup slab cache for",
                            "      audit data",
                            "    - SAUCE: apparmor5.0.0 [20/29]: apparmor: prompt: add the ability for",
                            "      profiles to have a learning cache",
                            "    - SAUCE: apparmor5.0.0 [21/29]: apparmor: prompt: enable userspace upcall",
                            "      for mediation",
                            "    - SAUCE: apparmor5.0.0 [22/29]: apparmor: prompt: pass prompt boolean",
                            "      through into path_name as well",
                            "    - SAUCE: apparmor5.0.0 [23/29]: apparmor: check for supported version in",
                            "      notification messages.",
                            "    - SAUCE: apparmor5.0.0 [24/29]: apparmor: refactor building notice so it",
                            "      is easier to extend",
                            "    - SAUCE: apparmor5.0.0 [25/29]: apparmor: switch from ENOTSUPP to",
                            "      EPROTONOSUPPORT",
                            "    - SAUCE: apparmor5.0.0 [26/29]: apparmor: add support for meta data tags",
                            "    - SAUCE: apparmor5.0.0 [27/29]: apparmor: prevent profile->disconnected",
                            "      double free in aa_free_profile",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // Installation",
                            "    of AppArmor on a 6.14 kernel produces error message \"Illegal number: yes\"",
                            "    (LP: #2102680)",
                            "    - SAUCE: apparmor5.0.0 [17/29]: apparmor: create an",
                            "      AA_SFS_TYPE_BOOLEAN_INTPRINT sysctl variant",
                            "    - SAUCE: apparmor5.0.0 [18/29]: apparmor: Use AA_SFS_FILE_BOOLEAN_INTPRINT",
                            "      for userns and io_uring sysctls",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe]",
                            "    apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in",
                            "    mantic (LP: #2032602)",
                            "    - SAUCE: apparmor5.0.0 [11/29]: apparmor: userns - make it so special",
                            "      unconfined profiles can mediate user namespaces",
                            "",
                            "  * NPU utilization on amdxdna is missing (LP: #2143243)",
                            "    - SAUCE: accel/amdxdna: Add IOCTL to retrieve realtime NPU power estimate",
                            "    - SAUCE: accel/amdxdna: Support sensors for column utilization",
                            "    - SAUCE: accel/amdxdna: Import AMD_PMF namespace",
                            "",
                            "  * Adopting dark mode by default for OLED panel (LP: #2143203)",
                            "    - SAUCE: drm/connector: Add a new 'panel_type' property",
                            "    - SAUCE: drm/amd/display: Attach OLED property to eDP panels",
                            "",
                            "  * Support AMD Image Signal Processing (ISP) unit V4.0 (LP: #2110092)",
                            "    - SAUCE: media: platform: amd: Introduce amd isp4 capture driver",
                            "    - SAUCE: media: platform: amd: low level support for isp4 firmware",
                            "    - SAUCE: media: platform: amd: Add isp4 fw and hw interface",
                            "    - SAUCE: media: platform: amd: isp4 subdev and firmware loading handling",
                            "      added",
                            "    - SAUCE: media: platform: amd: isp4 video node and buffers handling added",
                            "    - SAUCE: Documentation: add documentation of AMD isp 4 driver",
                            "    - SAUCE: media: platform: amd: isp4 debug fs logging and more descriptive",
                            "      errors",
                            "    - [Config] Enable VIDEO_AMD_ISP4_CAPTURE",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] temporarily disable OBJTOOL_WERROR",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-7.7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143974,
                            1990064,
                            2142956,
                            2141298,
                            2028253,
                            2028253,
                            2102680,
                            2028253,
                            2032602,
                            2143243,
                            2143203,
                            2110092
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 12 Mar 2026 10:49:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-6.6 -proposed tracker (LP: #2143745)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] drop unstable suffix",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-6.6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143745
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 17:20:26 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-5.5 -proposed tracker (LP: #2143700)",
                            "",
                            "  * Resolute real-time patchset: 7.0-rc1-rt1 (LP: #2143181)",
                            "    - SAUCE: Reapply \"serial: 8250: Switch to nbcon console\"",
                            "    - SAUCE: Reapply \"serial: 8250: Revert \"drop lockdep annotation from",
                            "      serial8250_clear_IER()\"\"",
                            "    - SAUCE: drm/i915: Use preempt_disable/enable_rt() where recommended",
                            "    - SAUCE: drm/i915: Don't disable interrupts on PREEMPT_RT during atomic",
                            "      updates",
                            "    - SAUCE: drm/i915: Disable tracing points on PREEMPT_RT",
                            "    - SAUCE: drm/i915/gt: Use spin_lock_irq() instead of local_irq_disable() +",
                            "      spin_lock()",
                            "    - SAUCE: drm/i915: Drop the irqs_disabled() check",
                            "    - SAUCE: drm/i915/guc: Consider also RCU depth in busy loop.",
                            "    - SAUCE: drm/i915: Consider RCU read section as atomic.",
                            "    - SAUCE: Revert \"drm/i915: Depend on !PREEMPT_RT.\"",
                            "    - SAUCE: sysfs: Add /sys/kernel/realtime entry",
                            "    - Real-time patchset 7.0-rc1-rt1",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] rust toolchain version update",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-5.5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143700,
                            2143181
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 08:10:31 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-4.4 -proposed tracker (LP: #2143123)",
                            "",
                            "  * efi: Fix swapped arguments to bsearch() in efi_status_to_*() SAUCE patch",
                            "    (LP: #2141276)",
                            "    - SAUCE efi: Fix swapped arguments to bsearch() in efi_status_to_*()",
                            "",
                            "  * Plucky preinstalled server fails to boot on rb3gen2 (LP: #2106681) //",
                            "    Questing preinstalled server fails to boot on sa8775p boards",
                            "    (LP: #2121347)",
                            "    - [Config] move more qcom interconnect/pinctrl/gcc options to builtin",
                            "",
                            "  * linux-tools: consider linking perf against LLVM (LP: #2138328)",
                            "    - [Packaging] Add llvm-21-dev to build-depends for perf",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] Add intel-speed-select to linux-tools",
                            "    - [Packaging] remove stale debian/dkms-versions",
                            "    - [Packaging] remove stale debian/dkms-versions scripting",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-4.4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143123,
                            2141276,
                            2106681,
                            2121347,
                            2138328
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 04 Mar 2026 13:59:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-3.3 -proposed tracker (LP: #2143020)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] updateconfig after rebase to v7.0-rc2",
                            "    - [Config] switch to PREEMPT_LAZY",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143020
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 02 Mar 2026 09:26:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-2.2 -proposed tracker (LP: #2142764)",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-2.2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142764
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Fri, 27 Feb 2026 10:25:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-1.1 -proposed tracker (LP: #2142402)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [packaging] rename to linux-unstable",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - Update Changes.md",
                            "    - [Packaging] add libbpf-dev to Build-Depends",
                            "    - [Config] disable AMD_ISP4, FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove zfs FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove evdi FTBFS",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - [Config] update toolchain version",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-1.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142402
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:32:17 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "bsdextrautils",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.2-4ubuntu3",
                    "version": "2.41.2-4ubuntu3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.3-3ubuntu2",
                    "version": "2.41.3-3ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142050
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ubuntu/su-pty-drop-caps.patch: harden 'su --pty' to temporarily lower",
                            "    capabilities while proxying between stdin/stdout and the pty master. This",
                            "    is to prevent su from being used to exploit kernel vulnerabilities.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:09:23 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142050). Remaining changes:",
                            "    - Add sulogin-fallback-static-sh.patch",
                            "      Add support for /bin/static-sh as fallback if the regular shell fails to",
                            "      execute. Patch ported from sysvinit. (see LP #505887)",
                            "    - Add sulogin-lockedpwd.patch",
                            "      Make sure file systems can be fixed on machines with locked root",
                            "      accounts (as Ubuntu does by default). Don't require --force for sulogin.",
                            "    - d/rules: disable libmount mountfd support",
                            "      Disable brand new feature with --disable-libmount-mountfd-support that",
                            "      causes inability to deploy MAAS LP #2037417.",
                            "  * Dropped changes applied upstream:",
                            "    - SECURITY UPDATE: heap overread with 256-byte usernames",
                            "      + debian/patches/CVE-2025-14104-1.patch: add length check in",
                            "        login-utils/setpwnam.c.",
                            "      + debian/patches/CVE-2025-14104-2.patch: update buflen in",
                            "        login-utils/setpwnam.c.",
                            "      + CVE-2025-14104",
                            "  * Dropped changes as they were no longer necessary:",
                            "    - d/p/ubuntu/lp-2030793-make-check-pidfd.patch",
                            "      This patch only affected kernel versions below 5.15 which are not",
                            "      available on resolute.",
                            "    - d/p/u/lp-2112552-tests-mark-mkfds-multiplexing-as-known-fail.patch",
                            "      The underlying bug was addressed in rust-coreutils.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142050
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Sun, 15 Feb 2026 17:43:12 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/libsmartcols1.symbols: drop terminal crap",
                            "  * d/rules: make dpkg-gensymbols more strict",
                            "  * lintian: ignore groff-message tags",
                            "  * lintian: ignore groff-message tags in remaining packages",
                            "  * Add upstream patches",
                            "    * unshare: fix user namespace bind mounts",
                            "    * unshare: remove get_mnt_ino() check in bind_ns_files_from_child()",
                            "    * unshare: add --owner to set user namespace owner uid and gid",
                            "    * libfdisk: modernize ZFS GPT type description",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 31 Dec 2025 13:06:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * util-linux: do not fail postinst/prerm if update-alternatives is missing",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 17 Dec 2025 10:42:28 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Stop installing lastlog2-import.service",
                            "  * New upstream release, fixing CVE-2025-14104. (Closes: #1122058)",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Tue, 16 Dec 2025 20:37:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "bsdutils",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.2-4ubuntu3",
                    "version": "1:2.41.2-4ubuntu3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.3-3ubuntu2",
                    "version": "1:2.41.3-3ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142050
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ubuntu/su-pty-drop-caps.patch: harden 'su --pty' to temporarily lower",
                            "    capabilities while proxying between stdin/stdout and the pty master. This",
                            "    is to prevent su from being used to exploit kernel vulnerabilities.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:09:23 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142050). Remaining changes:",
                            "    - Add sulogin-fallback-static-sh.patch",
                            "      Add support for /bin/static-sh as fallback if the regular shell fails to",
                            "      execute. Patch ported from sysvinit. (see LP #505887)",
                            "    - Add sulogin-lockedpwd.patch",
                            "      Make sure file systems can be fixed on machines with locked root",
                            "      accounts (as Ubuntu does by default). Don't require --force for sulogin.",
                            "    - d/rules: disable libmount mountfd support",
                            "      Disable brand new feature with --disable-libmount-mountfd-support that",
                            "      causes inability to deploy MAAS LP #2037417.",
                            "  * Dropped changes applied upstream:",
                            "    - SECURITY UPDATE: heap overread with 256-byte usernames",
                            "      + debian/patches/CVE-2025-14104-1.patch: add length check in",
                            "        login-utils/setpwnam.c.",
                            "      + debian/patches/CVE-2025-14104-2.patch: update buflen in",
                            "        login-utils/setpwnam.c.",
                            "      + CVE-2025-14104",
                            "  * Dropped changes as they were no longer necessary:",
                            "    - d/p/ubuntu/lp-2030793-make-check-pidfd.patch",
                            "      This patch only affected kernel versions below 5.15 which are not",
                            "      available on resolute.",
                            "    - d/p/u/lp-2112552-tests-mark-mkfds-multiplexing-as-known-fail.patch",
                            "      The underlying bug was addressed in rust-coreutils.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142050
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Sun, 15 Feb 2026 17:43:12 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/libsmartcols1.symbols: drop terminal crap",
                            "  * d/rules: make dpkg-gensymbols more strict",
                            "  * lintian: ignore groff-message tags",
                            "  * lintian: ignore groff-message tags in remaining packages",
                            "  * Add upstream patches",
                            "    * unshare: fix user namespace bind mounts",
                            "    * unshare: remove get_mnt_ino() check in bind_ns_files_from_child()",
                            "    * unshare: add --owner to set user namespace owner uid and gid",
                            "    * libfdisk: modernize ZFS GPT type description",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 31 Dec 2025 13:06:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * util-linux: do not fail postinst/prerm if update-alternatives is missing",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 17 Dec 2025 10:42:28 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Stop installing lastlog2-import.service",
                            "  * New upstream release, fixing CVE-2025-14104. (Closes: #1122058)",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Tue, 16 Dec 2025 20:37:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "btrfs-progs",
                "from_version": {
                    "source_package_name": "btrfs-progs",
                    "source_package_version": "6.17.1-1",
                    "version": "6.17.1-1"
                },
                "to_version": {
                    "source_package_name": "btrfs-progs",
                    "source_package_version": "6.17.1-1build1",
                    "version": "6.17.1-1build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild with Python 3.14 as default",
                            ""
                        ],
                        "package": "btrfs-progs",
                        "version": "6.17.1-1build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Graham Inggs <ginggs@ubuntu.com>",
                        "date": "Thu, 22 Jan 2026 20:28:27 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ca-certificates",
                "from_version": {
                    "source_package_name": "ca-certificates",
                    "source_package_version": "20250419",
                    "version": "20250419"
                },
                "to_version": {
                    "source_package_name": "ca-certificates",
                    "source_package_version": "20250419build1",
                    "version": "20250419build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "ca-certificates",
                        "version": "20250419build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:22:10 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "cloud-init",
                "from_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "25.4~4g26c7d38d-0ubuntu1",
                    "version": "25.4~4g26c7d38d-0ubuntu1"
                },
                "to_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "26.1-0ubuntu1",
                    "version": "26.1-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upstream snapshot based on 26.1.",
                            "    List of changes from upstream can be found at",
                            "    https://raw.githubusercontent.com/canonical/cloud-init/26.1/ChangeLog",
                            ""
                        ],
                        "package": "cloud-init",
                        "version": "26.1-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Chad Smith <chad.smith@canonical.com>",
                        "date": "Fri, 27 Feb 2026 19:10:12 -0700"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "cloud-init-base",
                "from_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "25.4~4g26c7d38d-0ubuntu1",
                    "version": "25.4~4g26c7d38d-0ubuntu1"
                },
                "to_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "26.1-0ubuntu1",
                    "version": "26.1-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upstream snapshot based on 26.1.",
                            "    List of changes from upstream can be found at",
                            "    https://raw.githubusercontent.com/canonical/cloud-init/26.1/ChangeLog",
                            ""
                        ],
                        "package": "cloud-init",
                        "version": "26.1-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Chad Smith <chad.smith@canonical.com>",
                        "date": "Fri, 27 Feb 2026 19:10:12 -0700"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "cloud-initramfs-copymods",
                "from_version": {
                    "source_package_name": "cloud-initramfs-tools",
                    "source_package_version": "0.52",
                    "version": "0.52"
                },
                "to_version": {
                    "source_package_name": "cloud-initramfs-tools",
                    "source_package_version": "0.55",
                    "version": "0.55"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2125790,
                    2142564
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Benjamin Drung ]",
                            "  * copymods: enable by default when using dracut",
                            ""
                        ],
                        "package": "cloud-initramfs-tools",
                        "version": "0.55",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paride Legovini <paride@ubuntu.com>",
                        "date": "Thu, 05 Mar 2026 18:59:57 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * autopkgtest: explicitly pull in dracut for rooturl test",
                            "  * dyn-netconf: support dracut by pulling in systemd-networkd (LP: #2125790)",
                            "  * Drop redundant priority optional",
                            "  * Bump Standards-Version to 4.7.3",
                            "  * Override executable-in-usr-lib lintian warning for Dracut modules dir",
                            ""
                        ],
                        "package": "cloud-initramfs-tools",
                        "version": "0.54",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2125790
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 10:31:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Benjamin Drung ]",
                            "  * rooturl: use systemd-import on Dracut to support tarballs (LP: #2142564)",
                            ""
                        ],
                        "package": "cloud-initramfs-tools",
                        "version": "0.53",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142564
                        ],
                        "author": "Paride Legovini <paride@ubuntu.com>",
                        "date": "Tue, 24 Feb 2026 12:30:44 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "cloud-initramfs-dyn-netconf",
                "from_version": {
                    "source_package_name": "cloud-initramfs-tools",
                    "source_package_version": "0.52",
                    "version": "0.52"
                },
                "to_version": {
                    "source_package_name": "cloud-initramfs-tools",
                    "source_package_version": "0.55",
                    "version": "0.55"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2125790,
                    2142564
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Benjamin Drung ]",
                            "  * copymods: enable by default when using dracut",
                            ""
                        ],
                        "package": "cloud-initramfs-tools",
                        "version": "0.55",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paride Legovini <paride@ubuntu.com>",
                        "date": "Thu, 05 Mar 2026 18:59:57 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * autopkgtest: explicitly pull in dracut for rooturl test",
                            "  * dyn-netconf: support dracut by pulling in systemd-networkd (LP: #2125790)",
                            "  * Drop redundant priority optional",
                            "  * Bump Standards-Version to 4.7.3",
                            "  * Override executable-in-usr-lib lintian warning for Dracut modules dir",
                            ""
                        ],
                        "package": "cloud-initramfs-tools",
                        "version": "0.54",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2125790
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 10:31:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Benjamin Drung ]",
                            "  * rooturl: use systemd-import on Dracut to support tarballs (LP: #2142564)",
                            ""
                        ],
                        "package": "cloud-initramfs-tools",
                        "version": "0.53",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142564
                        ],
                        "author": "Paride Legovini <paride@ubuntu.com>",
                        "date": "Tue, 24 Feb 2026 12:30:44 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "console-setup",
                "from_version": {
                    "source_package_name": "console-setup",
                    "source_package_version": "1.237ubuntu1",
                    "version": "1.237ubuntu1"
                },
                "to_version": {
                    "source_package_name": "console-setup",
                    "source_package_version": "1.237ubuntu3",
                    "version": "1.237ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * Keyboard/kbdcompiler: Fix checking ckbcomp success.",
                            "  * Keyboard/ckbcomp: Support symbols = [...].",
                            ""
                        ],
                        "package": "console-setup",
                        "version": "1.237ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Timo Aaltonen <tjaalton@debian.org>",
                        "date": "Mon, 02 Mar 2026 16:21:56 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "console-setup",
                        "version": "1.237ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:24:29 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "console-setup-linux",
                "from_version": {
                    "source_package_name": "console-setup",
                    "source_package_version": "1.237ubuntu1",
                    "version": "1.237ubuntu1"
                },
                "to_version": {
                    "source_package_name": "console-setup",
                    "source_package_version": "1.237ubuntu3",
                    "version": "1.237ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * Keyboard/kbdcompiler: Fix checking ckbcomp success.",
                            "  * Keyboard/ckbcomp: Support symbols = [...].",
                            ""
                        ],
                        "package": "console-setup",
                        "version": "1.237ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Timo Aaltonen <tjaalton@debian.org>",
                        "date": "Mon, 02 Mar 2026 16:21:56 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "console-setup",
                        "version": "1.237ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:24:29 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "cryptsetup",
                "from_version": {
                    "source_package_name": "cryptsetup",
                    "source_package_version": "2:2.8.4-1ubuntu1",
                    "version": "2:2.8.4-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "cryptsetup",
                    "source_package_version": "2:2.8.4-1ubuntu4",
                    "version": "2:2.8.4-1ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143933,
                    2142888,
                    2142775
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick fixes from upstream:",
                            "    - tests: Fix tests to not use aes-generic kernel cipher name",
                            "    - Add specific error for failed posix_fallocate call.",
                            "  * test: use gnudd as workaround in luks2-reencryption-mangle-test",
                            "    (LP: #2143933)",
                            ""
                        ],
                        "package": "cryptsetup",
                        "version": "2:2.8.4-1ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143933
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 11 Mar 2026 18:58:47 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * askpass: Fix FTBFS with glibc 2.43. (Closes: #1128538, LP: #2142888)",
                            ""
                        ],
                        "package": "cryptsetup",
                        "version": "2:2.8.4-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142888
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 11 Mar 2026 11:53:16 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * cryptsetup: recommend dracut over cryptsetup-initramfs (LP: #2142775)",
                            ""
                        ],
                        "package": "cryptsetup",
                        "version": "2:2.8.4-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142775
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 10 Mar 2026 12:24:16 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "cryptsetup-bin",
                "from_version": {
                    "source_package_name": "cryptsetup",
                    "source_package_version": "2:2.8.4-1ubuntu1",
                    "version": "2:2.8.4-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "cryptsetup",
                    "source_package_version": "2:2.8.4-1ubuntu4",
                    "version": "2:2.8.4-1ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143933,
                    2142888,
                    2142775
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick fixes from upstream:",
                            "    - tests: Fix tests to not use aes-generic kernel cipher name",
                            "    - Add specific error for failed posix_fallocate call.",
                            "  * test: use gnudd as workaround in luks2-reencryption-mangle-test",
                            "    (LP: #2143933)",
                            ""
                        ],
                        "package": "cryptsetup",
                        "version": "2:2.8.4-1ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143933
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 11 Mar 2026 18:58:47 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * askpass: Fix FTBFS with glibc 2.43. (Closes: #1128538, LP: #2142888)",
                            ""
                        ],
                        "package": "cryptsetup",
                        "version": "2:2.8.4-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142888
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 11 Mar 2026 11:53:16 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * cryptsetup: recommend dracut over cryptsetup-initramfs (LP: #2142775)",
                            ""
                        ],
                        "package": "cryptsetup",
                        "version": "2:2.8.4-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142775
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 10 Mar 2026 12:24:16 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "curl",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu1",
                    "version": "8.18.0-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2",
                    "version": "8.18.0-1ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1965",
                        "url": "https://ubuntu.com/security/CVE-2026-1965",
                        "cve_description": "libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.  libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.  When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work.  An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1...  The set of authentication methods to use is set with  `CURLOPT_HTTPAUTH`.  Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-11 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3783",
                        "url": "https://ubuntu.com/security/CVE-2026-3783",
                        "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.  If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-11 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3784",
                        "url": "https://ubuntu.com/security/CVE-2026-3784",
                        "cve_description": "curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-11 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3805",
                        "url": "https://ubuntu.com/security/CVE-2026-3805",
                        "cve_description": "When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-11 11:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1965",
                                "url": "https://ubuntu.com/security/CVE-2026-1965",
                                "cve_description": "libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.  libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.  When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work.  An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1...  The set of authentication methods to use is set with  `CURLOPT_HTTPAUTH`.  Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-11 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3783",
                                "url": "https://ubuntu.com/security/CVE-2026-3783",
                                "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.  If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-11 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3784",
                                "url": "https://ubuntu.com/security/CVE-2026-3784",
                                "cve_description": "curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-11 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3805",
                                "url": "https://ubuntu.com/security/CVE-2026-3805",
                                "cve_description": "When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-11 11:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: bad reuse of HTTP Negotiate connection",
                            "    - debian/patches/CVE-2026-1965-1.patch: fix reuse of connections using",
                            "      HTTP Negotiate in lib/url.c.",
                            "    - debian/patches/CVE-2026-1965-2.patch: fix copy and paste",
                            "      url_match_auth_nego mistake in lib/url.c.",
                            "    - CVE-2026-1965",
                            "  * SECURITY UPDATE: token leak with redirect and netrc",
                            "    - debian/patches/CVE-2026-3783.patch: only send bearer if auth is",
                            "      allowed in lib/http.c, tests/data/Makefile.am, tests/data/test2006.",
                            "    - CVE-2026-3783",
                            "  * SECURITY UPDATE: wrong proxy connection reuse with credentials",
                            "    - debian/patches/CVE-2026-3784.patch: add additional tests in",
                            "      lib/url.c, tests/http/test_13_proxy_auth.py,",
                            "      tests/http/testenv/curl.py.",
                            "    - CVE-2026-3784",
                            "  * SECURITY UPDATE: use after free in SMB connection reuse",
                            "    - debian/patches/CVE-2026-3805.patch: free the path in the request",
                            "      struct properly in lib/smb.c.",
                            "    - CVE-2026-3805",
                            ""
                        ],
                        "package": "curl",
                        "version": "8.18.0-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 09 Mar 2026 08:30:05 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dbus",
                "from_version": {
                    "source_package_name": "dbus",
                    "source_package_version": "1.16.2-2ubuntu3",
                    "version": "1.16.2-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "dbus",
                    "source_package_version": "1.16.2-2ubuntu4",
                    "version": "1.16.2-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2141603
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * dont-stop-dbus.patch: restore Before=sockets.target (LP: #2141603)",
                            ""
                        ],
                        "package": "dbus",
                        "version": "1.16.2-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2141603
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 03 Mar 2026 12:20:34 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dbus-bin",
                "from_version": {
                    "source_package_name": "dbus",
                    "source_package_version": "1.16.2-2ubuntu3",
                    "version": "1.16.2-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "dbus",
                    "source_package_version": "1.16.2-2ubuntu4",
                    "version": "1.16.2-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2141603
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * dont-stop-dbus.patch: restore Before=sockets.target (LP: #2141603)",
                            ""
                        ],
                        "package": "dbus",
                        "version": "1.16.2-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2141603
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 03 Mar 2026 12:20:34 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dbus-daemon",
                "from_version": {
                    "source_package_name": "dbus",
                    "source_package_version": "1.16.2-2ubuntu3",
                    "version": "1.16.2-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "dbus",
                    "source_package_version": "1.16.2-2ubuntu4",
                    "version": "1.16.2-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2141603
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * dont-stop-dbus.patch: restore Before=sockets.target (LP: #2141603)",
                            ""
                        ],
                        "package": "dbus",
                        "version": "1.16.2-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2141603
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 03 Mar 2026 12:20:34 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dbus-session-bus-common",
                "from_version": {
                    "source_package_name": "dbus",
                    "source_package_version": "1.16.2-2ubuntu3",
                    "version": "1.16.2-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "dbus",
                    "source_package_version": "1.16.2-2ubuntu4",
                    "version": "1.16.2-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2141603
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * dont-stop-dbus.patch: restore Before=sockets.target (LP: #2141603)",
                            ""
                        ],
                        "package": "dbus",
                        "version": "1.16.2-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2141603
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 03 Mar 2026 12:20:34 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dbus-system-bus-common",
                "from_version": {
                    "source_package_name": "dbus",
                    "source_package_version": "1.16.2-2ubuntu3",
                    "version": "1.16.2-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "dbus",
                    "source_package_version": "1.16.2-2ubuntu4",
                    "version": "1.16.2-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2141603
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * dont-stop-dbus.patch: restore Before=sockets.target (LP: #2141603)",
                            ""
                        ],
                        "package": "dbus",
                        "version": "1.16.2-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2141603
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 03 Mar 2026 12:20:34 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dbus-user-session",
                "from_version": {
                    "source_package_name": "dbus",
                    "source_package_version": "1.16.2-2ubuntu3",
                    "version": "1.16.2-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "dbus",
                    "source_package_version": "1.16.2-2ubuntu4",
                    "version": "1.16.2-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2141603
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * dont-stop-dbus.patch: restore Before=sockets.target (LP: #2141603)",
                            ""
                        ],
                        "package": "dbus",
                        "version": "1.16.2-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2141603
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 03 Mar 2026 12:20:34 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "debconf",
                "from_version": {
                    "source_package_name": "debconf",
                    "source_package_version": "1.5.91",
                    "version": "1.5.91"
                },
                "to_version": {
                    "source_package_name": "debconf",
                    "source_package_version": "1.5.92",
                    "version": "1.5.92"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Add BMP version of debian-logo.",
                            ""
                        ],
                        "package": "debconf",
                        "version": "1.5.92",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Colin Watson <cjwatson@debian.org>",
                        "date": "Mon, 16 Feb 2026 17:48:32 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "debconf-i18n",
                "from_version": {
                    "source_package_name": "debconf",
                    "source_package_version": "1.5.91",
                    "version": "1.5.91"
                },
                "to_version": {
                    "source_package_name": "debconf",
                    "source_package_version": "1.5.92",
                    "version": "1.5.92"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Add BMP version of debian-logo.",
                            ""
                        ],
                        "package": "debconf",
                        "version": "1.5.92",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Colin Watson <cjwatson@debian.org>",
                        "date": "Mon, 16 Feb 2026 17:48:32 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "device-tree-compiler",
                "from_version": {
                    "source_package_name": "device-tree-compiler",
                    "source_package_version": "1.7.2-2build1",
                    "version": "1.7.2-2build1"
                },
                "to_version": {
                    "source_package_name": "device-tree-compiler",
                    "source_package_version": "1.7.2-2ubuntu1",
                    "version": "1.7.2-2ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2114731,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add upstream patch for uutils compatibility (LP: #2114731)",
                            ""
                        ],
                        "package": "device-tree-compiler",
                        "version": "1.7.2-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2114731
                        ],
                        "author": "Tobias Heider <tobias.heider@canonical.com>",
                        "date": "Tue, 27 Jan 2026 13:09:33 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "device-tree-compiler",
                        "version": "1.7.2-2build2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@ubuntu.com>",
                        "date": "Sat, 06 Dec 2025 10:41:09 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "distro-info",
                "from_version": {
                    "source_package_name": "distro-info",
                    "source_package_version": "1.14build1",
                    "version": "1.14build1"
                },
                "to_version": {
                    "source_package_name": "distro-info",
                    "source_package_version": "1.15",
                    "version": "1.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * test: Fix testAlias when SOURCE_DATE_EPOCH is set to 2030 (Closes: #1127115)",
                            "  * Remove redundant Rules-Requires-Root",
                            "  * Remove redundant priority optional field",
                            "  * Bump Standards-Version to 4.7.3",
                            ""
                        ],
                        "package": "distro-info",
                        "version": "1.15",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Mon, 16 Feb 2026 23:18:29 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dpkg",
                "from_version": {
                    "source_package_name": "dpkg",
                    "source_package_version": "1.22.21ubuntu9",
                    "version": "1.22.21ubuntu9"
                },
                "to_version": {
                    "source_package_name": "dpkg",
                    "source_package_version": "1.23.6ubuntu2",
                    "version": "1.23.6ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-2219",
                        "url": "https://ubuntu.com/security/CVE-2026-2219",
                        "cve_description": "It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-07 09:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2070015,
                    2092676,
                    2070015
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Set a derivative.ubuntu build profile by default.",
                            ""
                        ],
                        "package": "dpkg",
                        "version": "1.23.6ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sat, 14 Mar 2026 17:10:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Change native source version/format mismatch errors into warnings",
                            "      until the dust settles on Debian bug 737634 about override options.",
                            "    - Add DPKG_UNTRANSLATED_MESSAGES environment check so that higher-level",
                            "      tools can get untranslated dpkg terminal log messages while at the",
                            "      same time having translated debconf prompts.",
                            "    - Map unqualified package names of multiarch-same packages to the native",
                            "      arch instead of throwing an error, so that we don't break on upgrade",
                            "      when there are unqualified names stored in the dpkg trigger database.",
                            "    - Apply a workaround from mvo to consider ^rc packages as multiarch,",
                            "      during the dpkg consistency checks. (see LP: 1015567 and 1057367).",
                            "    - dpkg-gencontrol: Fix Package-Type override handling for ddeb support.",
                            "    - scripts/Dpkg/Vendor/Ubuntu.pm, scripts/dpkg-buildpackage.pl: set",
                            "      'nocheck' in build options by default on Ubuntu/riscv64.  Overridable",
                            "      in debian/rules with",
                            "      'DEB_BUILD_OPTIONS := $(filter-out nocheck,$(DEB_BUILD_OPTIONS))'.",
                            "    - dpkg-dev: Depend on lto-disabled-list.",
                            "    - dpkg-buildflags: Read package source names from lto-disabled-list,",
                            "      to build without lto optimizations. When adding a source package to the",
                            "      list, please also file a launchpad issue and tag it with 'lto'.",
                            "    - scripts/Dpkg/Vendor/Ubuntu.pm: set 'noudeb' build profile by",
                            "      default. Override this by exporting DEB_BUILD_PROFILE='!noudeb' which",
                            "      will be stripped, and thus building with udebs.",
                            "    - build: Switch default dpkg-deb compression from xz to zstd.",
                            "      Keep compressing dpkg.deb with xz to help bootstrapping on non-Ubuntu",
                            "      systems.",
                            "    - set default zstd compression level to 19",
                            "    - scripts/Dpkg/Vendor/Debian.pm: Always include \"-fdebug-prefix-map\"",
                            "      to build flags.  Map path to \"/usr/src/PKGNAME-PKGVER\" instead of",
                            "      \".\", honouring the DWARF standard which prohibits relative paths",
                            "      in DW_AT_comp_dir.",
                            "    - scripts/{mk/buildflags.mk,t.mk}: Add support for DEB_BUILD_DEBUGPATH.",
                            "    - man/dpkg-buildflags.pod: Document new behaviour of \"fdebugmap\" and",
                            "      new DEB_BUILD_DEBUGPATH variable.",
                            "    - Disable -fstack-clash-protection on armhf since it causes crashes",
                            "    - dpkg-buildflags: Add a new feature \"framepointer\" in the \"qa\" area.",
                            "    - Turn on the use of frame pointers by default on 64bit architectures.",
                            "    - Update _FORTIFY_SOURCE documentation.",
                            "    - Update Dpkg_BuildFlags test case.",
                            "    - Fix debian/rules duplicate invocations of dh_builddeb",
                            "    - lib/dpkg/compress.c: clean up override of the default zstd compression",
                            "      level",
                            "    - dpkg-buildflags: Explicitly turn off hardening flags when requested.",
                            "    - Export environment variables DEB_BUILD_OS_RELEASE_ID, DEB_HOST_ARCH,",
                            "      DEB_SOURCE, and DEB_VERSION when including buildflags.mk (LP: #2070015)",
                            "    - buildflags: document RUSTFLAGS",
                            "    - buildflags: Always set RUSTFLAGS",
                            "    - tests: avoid failing under DEB_VENDOR != Debian",
                            "    - dpkg-buildflags: enable ELF package note metadata",
                            "    - buildflags: set origin of env vars for ELF package metadata",
                            "    - Export ELF_PACKAGE_METADATA for a build. Picked up by GCC and clang.",
                            "      Passing -specs explicitly can be dropped in a follow-up upload.",
                            "    - dpkg-buildflags: set RUSTFLAGS to influence the command line flags cargo",
                            "      will pass to rustc, and set the flags to include framepointers when the",
                            "      framepointer feature of the qa area is enabled.",
                            "    - Disable framepointer on ppc64el.",
                            "    - Disable framepointer on s390x, leaving only -mbackchain.",
                            "    - Add a note about different behaviour of dpkg-buildflags with respect to",
                            "      LTO on Ubuntu.",
                            "    - dpkg-buildpackage: Construct ELF_PACKAGE_METADATA, and set in the",
                            "      environment if not already set.  This setting is picked up by",
                            "      GCC and clang, passing a --package-metadata option to the linker.",
                            "    - Stop passing --specs for metadata information. It's too fragile",
                            "      and only works for GCC. Also introduces a lot of packaging delta.",
                            "    - Stop defaulting to -O3 on amd64.",
                            "    - dpkg-dev: Still prefer gnupg and gpgv over sq.",
                            "     Introduce architecture variants (thanks to mwhudson for the rebase)",
                            "    - scripts/dpkg-gencontrol.pl: fix operator precedence.",
                            "    - Copy across the architecture variant (LP #2128606)",
                            "    - Drop unused elf-package-metadata specs files",
                            "    - dpkg-buildflags: set --package-metadata directly in LDFLAGS, and still",
                            "      set ELF_PACKAGE_METADATA in the environment.",
                            "    - Include architecture variant in ELF package metadata (LP #2131806)",
                            ""
                        ],
                        "package": "dpkg",
                        "version": "1.23.6ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2070015
                        ],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sat, 07 Mar 2026 08:47:21 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-2219",
                                "url": "https://ubuntu.com/security/CVE-2026-2219",
                                "cve_description": "It was discovered that dpkg-deb (a component of dpkg, the Debian package management system) does not properly validate the end of the data stream when uncompressing a zstd-compressed .deb archive, which may result in denial of service (infinite loop spinning the CPU).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-07 09:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  [ Guillem Jover ]",
                            "  * dpkg-query: Fix segfault with empty -S argument. LP: #2092676",
                            "  * dpkg-deb: Be more robust against truncated ar archives.",
                            "    Reported by Yashashree Gund <yash_gund@live.com>.",
                            "  * dpkg-deb: Reject ar archives with 0 sized tar members.",
                            "    Reported by Yashashree Gund <yash_gund@live.com>.",
                            "  * libdpkg, scripts: Detect corrupt ar archive with non-even byte sizes.",
                            "  * dpkg-source: Fix running from within the source tree.",
                            "    Reported by Umut <ue16@gmx.de> (on IRC).",
                            "  * dpkg-source: Support running --commit from within the source tree w/o",
                            "    «.». Closes: #1127383",
                            "  * dpkg-source: Fix format in maintainer error message.",
                            "    Thanks to Marko Zajc <marko@zajc.tel>.",
                            "  * dpkg-scanpackages: Add new --no-implicit-arch option. Closes: #1128325",
                            "  * Perl modules:",
                            "    - Dpkg::Shlibs::Objdump::Object: Clarify code comment.",
                            "    - Dpkg::Source::Package::V2: Do not print source root on modified files",
                            "      list. Closes: #1126558",
                            "    - Dpkg::Source::Patch: Speed up patched filename retrieval in patches.",
                            "    - Dpkg::Source::Patch: Add comment about the use of tr{}{} as char counter.",
                            "    - Dpkg::OpenPGP::Backend::GnuPG: Add missing Dpkg::Gettext import.",
                            "      Closes: #1128406",
                            "    - Dpkg::OpenPGP::Backend::GnuPG: Refactor _file_read_header().",
                            "    - Dpkg::OpenPGP::Backend::GnuPG: Detect and warn on LibrePGP artifacts.",
                            "    - Dpkg::Email::Address: Warn on email domains with a single label.",
                            "      Closes: #1126508",
                            "    - Dpkg::Source::Patch: Fix code comment.",
                            "    - Dpkg::Source::Patch: Add new has_errors() method.",
                            "    - Dpkg::Source::Package::V2: Delay unrepresentable error after local",
                            "      changes list. Closes: #1126665",
                            "    - Dpkg::Vendor: Fix taint mode in get_vendor_object().",
                            "    - Dpkg::Compression: Remove deprecated function compression_get_property().",
                            "    - Dpkg::Archive::Ar: Switch header variables into a hash.",
                            "    - Dpkg::Archive::Ar: Check that no header field is empty.",
                            "  * Code internals:",
                            "    - libdpkg: Use varbuf_str() instead of directly accessing buf.",
                            "    - scripts: Parse and validate all Changed-By and Maintainer field inputs.",
                            "      Closes: #1126507",
                            "    - libdpkg: Terminate zstd decompression when we have no more data.",
                            "      Reported by Yashashree Gund <yash_gund@live.com>. Closes: #1129722",
                            "      Fixes CVE-2026-2219.",
                            "    - dpkg-deb: Refactor ar member size into an intermediate variable.",
                            "  * Build system:",
                            "    - Add URL, Maintainer and License fields to .pc file.",
                            "  * Test suite:",
                            "    - Add basic Perl taint mode checks.",
                            "  * Localization:",
                            "    - Update Dutch translations.",
                            "      Thanks to Frans Spiesschaert <Frans.Spiesschaert@yucom.be>.",
                            "      Closes: #1127882, #1127884",
                            "    - Update Swedish translations.",
                            "      Thanks to Peter Krefting <peter@softwolves.pp.se>. Closes: #1128529",
                            ""
                        ],
                        "package": "dpkg",
                        "version": "1.23.6",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2092676
                        ],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Thu, 05 Mar 2026 06:54:58 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Change native source version/format mismatch errors into warnings",
                            "      until the dust settles on Debian bug 737634 about override options.",
                            "    - Add DPKG_UNTRANSLATED_MESSAGES environment check so that higher-level",
                            "      tools can get untranslated dpkg terminal log messages while at the",
                            "      same time having translated debconf prompts.",
                            "    - Map unqualified package names of multiarch-same packages to the native",
                            "      arch instead of throwing an error, so that we don't break on upgrade",
                            "      when there are unqualified names stored in the dpkg trigger database.",
                            "    - Apply a workaround from mvo to consider ^rc packages as multiarch,",
                            "      during the dpkg consistency checks. (see LP: 1015567 and 1057367).",
                            "    - dpkg-gencontrol: Fix Package-Type override handling for ddeb support.",
                            "    - scripts/Dpkg/Vendor/Ubuntu.pm, scripts/dpkg-buildpackage.pl: set",
                            "      'nocheck' in build options by default on Ubuntu/riscv64.  Overridable",
                            "      in debian/rules with",
                            "      'DEB_BUILD_OPTIONS := $(filter-out nocheck,$(DEB_BUILD_OPTIONS))'.",
                            "    - dpkg-dev: Depend on lto-disabled-list.",
                            "    - dpkg-buildflags: Read package source names from lto-disabled-list,",
                            "      to build without lto optimizations. When adding a source package to the",
                            "      list, please also file a launchpad issue and tag it with 'lto'.",
                            "    - scripts/Dpkg/Vendor/Ubuntu.pm: set 'noudeb' build profile by",
                            "      default. Override this by exporting DEB_BUILD_PROFILE='!noudeb' which",
                            "      will be stripped, and thus building with udebs.",
                            "    - build: Switch default dpkg-deb compression from xz to zstd.",
                            "      Keep compressing dpkg.deb with xz to help bootstrapping on non-Ubuntu",
                            "      systems.",
                            "    - set default zstd compression level to 19",
                            "    - scripts/Dpkg/Vendor/Debian.pm: Always include \"-fdebug-prefix-map\"",
                            "      to build flags.  Map path to \"/usr/src/PKGNAME-PKGVER\" instead of",
                            "      \".\", honouring the DWARF standard which prohibits relative paths",
                            "      in DW_AT_comp_dir.",
                            "    - scripts/{mk/buildflags.mk,t.mk}: Add support for DEB_BUILD_DEBUGPATH.",
                            "    - man/dpkg-buildflags.pod: Document new behaviour of \"fdebugmap\" and",
                            "      new DEB_BUILD_DEBUGPATH variable.",
                            "    - Disable -fstack-clash-protection on armhf since it causes crashes",
                            "    - dpkg-buildflags: Add a new feature \"framepointer\" in the \"qa\" area.",
                            "    - Turn on the use of frame pointers by default on 64bit architectures.",
                            "    - Update _FORTIFY_SOURCE documentation.",
                            "    - Update Dpkg_BuildFlags test case.",
                            "    - Fix debian/rules duplicate invocations of dh_builddeb",
                            "    - lib/dpkg/compress.c: clean up override of the default zstd compression",
                            "      level",
                            "    - dpkg-buildflags: Explicitly turn off hardening flags when requested.",
                            "    - Export environment variables DEB_BUILD_OS_RELEASE_ID, DEB_HOST_ARCH,",
                            "      DEB_SOURCE, and DEB_VERSION when including buildflags.mk (LP: #2070015)",
                            "    - buildflags: document RUSTFLAGS",
                            "    - buildflags: Always set RUSTFLAGS",
                            "    - tests: avoid failing under DEB_VENDOR != Debian",
                            "    - dpkg-buildflags: enable ELF package note metadata",
                            "    - buildflags: set origin of env vars for ELF package metadata",
                            "    - Export ELF_PACKAGE_METADATA for a build. Picked up by GCC and clang.",
                            "      Passing -specs explicitly can be dropped in a follow-up upload.",
                            "    - dpkg-buildflags: set RUSTFLAGS to influence the command line flags cargo",
                            "      will pass to rustc, and set the flags to include framepointers when the",
                            "      framepointer feature of the qa area is enabled.",
                            "    - Disable framepointer on ppc64el.",
                            "    - Disable framepointer on s390x, leaving only -mbackchain.",
                            "    - Add a note about different behaviour of dpkg-buildflags with respect to",
                            "      LTO on Ubuntu.",
                            "    - dpkg-buildpackage: Construct ELF_PACKAGE_METADATA, and set in the",
                            "      environment if not already set.  This setting is picked up by",
                            "      GCC and clang, passing a --package-metadata option to the linker.",
                            "    - Stop passing --specs for metadata information. It's too fragile",
                            "      and only works for GCC. Also introduces a lot of packaging delta.",
                            "    - Stop defaulting to -O3 on amd64.",
                            "    - dpkg-dev: Still prefer gnupg and gpgv over sq.",
                            "     Introduce architecture variants (thanks to mwhudson for the rebase)",
                            "    - scripts/dpkg-gencontrol.pl: fix operator precedence.",
                            "    - Copy across the architecture variant (LP #2128606)",
                            "    - Drop unused elf-package-metadata specs files",
                            "    - dpkg-buildflags: set --package-metadata directly in LDFLAGS, and still",
                            "      set ELF_PACKAGE_METADATA in the environment.",
                            "    - Include architecture variant in ELF package metadata (LP #2131806)",
                            ""
                        ],
                        "package": "dpkg",
                        "version": "1.23.5ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2070015
                        ],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 08 Feb 2026 12:01:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Guillem Jover ]",
                            "  * dpkg-source: Do not error out on empty fields. Closes: #1125985",
                            "  * Perl modules:",
                            "    - Dpkg::Email::Address: Do not construct invalid objects.",
                            "    - Dpkg::Control::FieldsCore: Improve Maintainer and Uploader field parse",
                            "      errors.",
                            "  * Documentation:",
                            "    - man: Improve dpkg-buildpackage --sign-backend description.",
                            "  * Build system:",
                            "    - Move the dist artifacts to the release directory.",
                            "  * Test suite:",
                            "    - Add known exception sources for ProhibitCaptureWithoutTest.",
                            ""
                        ],
                        "package": "dpkg",
                        "version": "1.23.5",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Fri, 23 Jan 2026 01:41:44 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Guillem Jover ]",
                            "  * Revert \"Dpkg::Vendor: Add branch hardening flags to LDFLAGS\".",
                            "    Closes: #1125323, #1125715",
                            "  * start-stop-daemon: Check for invalid combinations of --notify-await",
                            "    options. Closes: #1124643",
                            "  * dpkg: Fix typo for «metadata» in error message. Closes: #1125128",
                            "  * scripts: Parse and validate Maintainer and Uploaders email addresses.",
                            "  * dpkg-source: Warn when the Uploaders field contains the Maintainer.",
                            "  * Perl modules:",
                            "    - Dpkg::BuildProfiles: Remove the parser workaround now that dh-exec is",
                            "      fixed.",
                            "    - Dpkg::Shlibs::Symbol: Emit a warning for the deprecated wildcard syntax.",
                            "      Closes: #1125722",
                            "    - Dpkg::Source::Package::V2: Switch generated patch to be git formatted.",
                            "    - Dpkg::Source::Package::V2: Print Bug-<Vendor> in patch template instead",
                            "      of vendor specific ones.",
                            "    - Dpkg::Email::Address: New module.",
                            "    - Dpkg::Control::FieldsCore: Add new email address field parsing functions.",
                            "    - Dpkg::Shlibs::SymbolFile: Refactor metavariable substitution into a",
                            "      function.",
                            "    - Dpkg::Shlibs::SymbolFile: Add support for #CURVER#. Closes: #615940",
                            "  * Documentation:",
                            "    - dpkg-buildflags(1): Clarify that LDFLAGS are not safe for direct ld(1)",
                            "      use. See #1125323.",
                            "    - start-stop-daemon(8): Clarify relationship between --notify-await and",
                            "      --background. See #1124643.",
                            "    - man: Refactor explanation about deb-symbols metavariables.",
                            "  * Code internals:",
                            "    - dselect: Mark keybindings methods only accessing static members as",
                            "      static.",
                            "    - dpkg-deb: Reduce pid variable scope.",
                            "    - libcompat: Define __has_attribute() if not already defined in gettext.h.",
                            "  * Packaging:",
                            "    - Bump Standards-Version to 4.7.3 (no changes needed).",
                            "  * Test suite:",
                            "    - Undefine _LIBC for cppcheck.",
                            "    - Update cppcheck suppressions for 2.19.0.",
                            "  * Localization:",
                            "    - Update Dutch translations.",
                            "      Thanks to Frans Spiesschaert <Frans.Spiesschaert@yucom.be>.",
                            "      Closes: #1125463, #1125465, #1125466",
                            "    - Update Portuguese translations.",
                            "      Thanks to Américo Monteiro <a_monteiro@gmx.com>.",
                            "      Closes: #1124138, #1124412, #1124439, #1124636",
                            ""
                        ],
                        "package": "dpkg",
                        "version": "1.23.4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Sun, 18 Jan 2026 18:29:23 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Guillem Jover ]",
                            "  * Perl modules:",
                            "    - Dpkg::Vendor::Debian: Mask PIE on m68k, sh4 and x32.",
                            "      Thanks to Adrian Bunk <bunk@debian.org>. Closes: #1100187",
                            "    - Dpkg::Version: Add new has_epoch() and has_revision() methods.",
                            "      Closes: #1123630",
                            "    - Dpkg::Source::Package::V1: Make debian/rules executable on extract if",
                            "      present. Closes: #1123652",
                            ""
                        ],
                        "package": "dpkg",
                        "version": "1.23.3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Sat, 20 Dec 2025 02:18:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Guillem Jover ]",
                            "  * Perl modules:",
                            "    - Dpkg::BuildProfiles: Add workaround for callers passing invalid formulas.",
                            "      Diagnosed by Chris Hofstaedtler <zeha@debian.org>.",
                            ""
                        ],
                        "package": "dpkg",
                        "version": "1.23.2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Thu, 18 Dec 2025 02:10:10 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Guillem Jover ]",
                            "  * Perl modules:",
                            "    - Dpkg::BuildProfiles: Add missing Dpkg::Gettext and Dpkg::ErrorHandling",
                            "      imports. Closes: #1123515",
                            "  * Test suite:",
                            "    - Add a test for negated build profiles.",
                            "      Prompted by Chris Hofstaedtler <zeha@debian.org> (on IRC).",
                            ""
                        ],
                        "package": "dpkg",
                        "version": "1.23.1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Wed, 17 Dec 2025 13:10:07 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Guillem Jover ]",
                            "  * Pass --format=xz explicitly to xz on decompression.",
                            "  * dpkg-divert: Clarify default behavior change timeline.",
                            "  * dpkg: Remove obsolete --forget-old-unavail from --help output.",
                            "  * Add vendor specific support for fuzzy source vs version nativeness.",
                            "    Closes: #737634",
                            "  * dpkg-deb: Fix cleanup for control member with restricted directories.",
                            "    Reported by zhutyra on HackerOne.",
                            "  * dpkg: Use maintscript name instead of untranslated description in error",
                            "    messages.",
                            "  * dpkg: Unify maintainer script error messages.",
                            "  * dpkg: Print maintscript fallback success message after finishing actions.",
                            "  * Improve subprocess exit message.",
                            "  * update-alternatives: Move debug message from call site into",
                            "    alternative_prepare_install().",
                            "  * Shallow pass at clarifying debug messages.",
                            "  * update-alternatives: Clarify in --help output that the «...» refers to",
                            "    --slave.",
                            "  * dpkg-query: Improve --list header ASCII art.",
                            "    Suggested by No Comment <mowglithemaniac@gmail.com>.",
                            "  * dselect, libdpkg: Use Ctrl+<name> instead of ^<name> in messages.",
                            "  * dpkg-split: Obsolete --msdos option which no longer does anything.",
                            "  * Remove support for MSDOS-Filename field.",
                            "  * dpkg-shlibdeps: Add a debug print when overriding file to package mappings.",
                            "    See #1115395.",
                            "  * Use invalid instead of illegal in symbol names and output messages.",
                            "  * dpkg: Improve commands acting on the available file from standard input.",
                            "    Closes: #1119906",
                            "  * Use «package metadata» instead of «control information».",
                            "  * dpkg: Use MAXCONTROLFILENAME instead of 50 or 250 in format string",
                            "    precision.",
                            "  * dpkg-split: Mark strings for translation.",
                            "  * start-stop-daemon: Update list of change contributors.",
                            "  * Do not use contractions in output messages.",
                            "  * Reword --help options descriptions to fit again in 80 columns.",
                            "  * dpkg-source: Use Dpkg::BuildProfiles to parse the Build-Profiles field.",
                            "  * dpkg-source: Add a new profile:v1 property in Package-List field.",
                            "    See https://lists.debian.org/debian-devel/2025/11/msg00333.html.",
                            "  * Use valid instead of legal in output messages and code comments.",
                            "  * dpkg-source: Add support for --signer-certs option. Closes: #1110172",
                            "  * dpkg-source: Add new --no-vendor-certs extract option.",
                            "  * dpkg: Do not run the postinst during cleanup if the previous state was bad.",
                            "    Based on a patch by Ian Jackson <ian@davenant.greenend.org.uk>.",
                            "    Closes: #432893",
                            "  * dpkg: Mark reinstreq during unpack as late as possible, not before prerm.",
                            "    Thanks to Ian Jackson <ian@davenant.greenend.org.uk>.",
                            "  * Architecture support:",
                            "    - Accept sparcv9 as an alias for GNU CPU name sparc64.",
                            "    - Remove kopensolaris-any support.",
                            "      See commit 602261f1f3e3143b0b668d3ae185fb600b4ed18c.",
                            "      See https://github.com/dtbartle/glibc-opensolaris (2009-04).",
                            "      See https://github.com/ip1981/kopensolaris-glibc (2015-01).",
                            "    - Remove kfreebsd-any support.",
                            "      See https://lists.debian.org/debian-devel/2023/05/msg00306.html.",
                            "    - Remove support for powerpcspe.",
                            "  * Portability:",
                            "    - Use portable POSIX «cp» options -RPp instead of -a.",
                            "  * Perl modules:",
                            "    - Dpkg::Vendor: Parametrize vendor and field names in diagnostic messages.",
                            "    - Dpkg: Bump PROGVERSION to 1.23.x.",
                            "    - Dpkg::Build::Info: Remove deprecated module.",
                            "    - Dpkg::OpenPGP::Backend::Sequoia: Do not run sq/sqv to verify with no",
                            "      keyrings. Closes: #1106148",
                            "    - Dpkg::OpenPGP::Backend::Sequoia: Run sq in stateless mode for",
                            "      verification.",
                            "      Suggested by Neal H. Walfield <neal@sequoia-pgp.org>.",
                            "    - Dpkg::Compression: Uncomment compression_get_property() deprecation",
                            "      warning.",
                            "    - Dpkg::Control::FieldsCore: Remove implicit argument use in",
                            "      field_transfer_single().",
                            "    - Dpkg::Shlibs::SymbolFile: Remove deprecated ignore blacklist support.",
                            "    - Dpkg::Source::Package: Move non-native version build check from 3.0",
                            "      (quilt) to 2.0.",
                            "    - Dpkg::Source::Package: Add format vs version coherence warnings on",
                            "      extract.",
                            "    - Dpkg::Source::Package::V1: Remove redundant -r option for cp.",
                            "    - Test::Dpkg: Refactor all_shell_files() function.",
                            "    - Test::Dpkg: Add all maintscripts to all_shell_files().",
                            "    - Test::Dpkg: Refactor all_pod_modules() function.",
                            "    - Test::Dpkg: Optimize modules skipping in all_pod_modules().",
                            "    - Test::Dpkg: Do not export directory getters.",
                            "    - Test::Dpkg: Refactor test files scan function.",
                            "    - Test::Dpkg: Extend all_shell_files() to return all shell scripts.",
                            "    - Dpkg::BuildDriver::DebianRules: Fix uninitialized Perl variables.",
                            "      Closes: #1107971",
                            "    - Dpkg::BuildDriver::DebianRules: Fix R³ dpkg/target/<target> values",
                            "      handling.",
                            "    - Dpkg::BuildDriver::DebianRules: Improve R³ dpkg/<keyword> fallback",
                            "      matching.",
                            "    - Dpkg::BuildTree: Fix needs_root() for R³ with implementation specific",
                            "      keywords. See #1107971.",
                            "    - Dpkg::SysInfo: Refactor number of processes retrieval into new module.",
                            "    - Dpkg::Shlibs: Remove DEB_TARGET_ARCH handling from setup_library_paths().",
                            "      Reported by Helmut Grohne <helmutg@debian.org>.",
                            "    - Dpkg::OpenPGP::Backend: Do not mark hint command as translatable.",
                            "    - Dpkg::Source::Package: Print a notice when verifying .dsc signatures.",
                            "    - Dpkg::Source::Package: Print the keyrings used during verification.",
                            "      Closes: #703364",
                            "    - Dpkg::OpenPGP: Add own error for missing keyrings in verify functions.",
                            "    - Dpkg::BuildDriver::DebianRules: Use a default debian_rules value.",
                            "    - Dpkg::Source::Package::V3::Git: Use «git submodule» for its status.",
                            "      Suggested by Daniel Gröber <dxld@darkboxed.org>. Closes: #1100413",
                            "    - Dpkg::OpenPGP: Do not run verify with no keyrings. Closes: #1111617",
                            "    - Dpkg::BuildDriver::DebianRules: Unify debian/rules fixer with source",
                            "      extract.",
                            "    - Dpkg::Source::Package: Remove debian/rules fixer at extract time.",
                            "      Closes: #1078764",
                            "    - Dpkg::IPC: Deprecate nocheck option and rename it to no_check.",
                            "    - Dpkg::Source::Patch: Deprecate nofinish option and rename it to",
                            "      no_finish.",
                            "    - Dpkg::Deps::Simple: Move dependency regex into its own variable.",
                            "    - Dpkg::Compression: Move global regexes into",
                            "      compression_get_file_extension_regex.",
                            "    - Dpkg::OpenPGP::Backend::GnuPG: Use TEMPLATE instead of argument in",
                            "      newdir.",
                            "    - Dpkg::Source: Rename $tmp to $tmpdir.",
                            "    - Dpkg::OpenPGP::Backend::SOP: Switch _sop_exec to get all options in a",
                            "      hash.",
                            "    - Dpkg::Shlibs::SymbolFile: Switch wantarray from a ternary operator to",
                            "      if/else.",
                            "    - Dpkg::Shlibs::SymbolFile: Rename file option to filename.",
                            "    - Dpkg::Changelog::Parse: Deprecate file option and rename it to filename.",
                            "    - Dpkg::Lock: Restructure file_lock code to make it easier to add fallback.",
                            "    - Dpkg::Lock: Avoid using eval for the File::FcntlLock new and lock calls.",
                            "    - Dpkg::Lock: Fallback to use File::FcntlLock::Pure if File::FcntlLock",
                            "      fails.",
                            "    - Dselect::Method::Config: New module.",
                            "    - Dselect::Method::Media: New module to refactor get_disk_label().",
                            "    - Dpkg::Vendor: Add branch hardening flags to LDFLAGS.",
                            "      Thanks to Simon Chopin <schopin@ubuntu.com>. Closes: #1115292",
                            "    - Test::Dpkg: Rename test_needs_srcdir_switch() to test_chdir_srcdir().",
                            "    - Dpkg::Shlibs: Use a hash to track libdir repeats when parsing ld.so.conf.",
                            "    - Dpkg::Shlibs: Assign from s///r instead of via topic variable.",
                            "    - Dpkg::Shlibs::Objdump::Object: Do not assign readline to $_ on discard.",
                            "    - Dpkg::Vendor::Debian: Add comment about current state of -fcf-protection.",
                            "    - Dpkg::BuildInfo: Allow LFLAGS (lex/flex) and YFLAGS (yacc/bison)",
                            "      variables.",
                            "    - Dpkg::BuildInfo: Allow LANGUAGE variable.",
                            "    - Dpkg::BuildInfo: Allow LOCPATH, NLSPATH, I18NPATH and GCONV_PATH",
                            "      variables.",
                            "    - Dpkg::BuildInfo: Allow TZ, TZDIR and DATEMSK variables.",
                            "    - Dpkg::BuildInfo: Allow ld.so run-time variables.",
                            "    - Dpkg::BuildInfo: Allow resolver specific variables.",
                            "    - Dpkg::BuildInfo: Allow POSIXLY_CORRECT and GETCONF_DIR variables.",
                            "    - Dpkg::BuildProfiles: Add new build_profile_is_invalid function.",
                            "    - Dpkg::BuildProfiles: Make parser more strict. Closes: #1121657",
                            "    - Dpkg::Shlibs::Objdump::Object: Add support for \"Version References\"",
                            "      symbols. Closes: #1122107",
                            "    - Dpkg::Source::Package: Deprecate implicit trusted GnuPG keyrings.",
                            "    - Dpkg::OpenPGP::Backend::GnuPG: Deprecate KeyBox formatted keyrings.",
                            "    - Dpkg::Vendor::Debian: Use .pgp keyrings instead of .gpg ones.",
                            "    - Dpkg::Vendor::Devuan: Use .pgp keyrings instead of .gpg ones.",
                            "    - Dpkg::Control::FieldsCore: Deprecate SC field export rules in binary",
                            "      stanza. Prompted by Richard Hansen <rhansen@rhansen.org>.",
                            "      See https://bugs.debian.org/1117566.",
                            "    - Dpkg::Control::FieldsCore: Do not autovivify %FIELDS entries on getters.",
                            "    - Dpkg::Substvars: Add support for implicit substvars assigned with $=.",
                            "  * Make fragments:",
                            "    - Switch to use GNU make intcmp instead of relying on shell.",
                            "      Prompted by Sean Whitton <spwhitton@spwhitton.name>.",
                            "      See https://lists.debian.org/debian-devel/2025/12/msg00039.html.",
                            "  * Documentation:",
                            "    - doc: Make README.* files fully machine readable.",
                            "    - doc: Add space after comment and TODO/XXX marker.",
                            "    - man: Clarify when dpkg-maintscript-helpers might need Pre-Depends on",
                            "      dpkg. Closes: #1108386",
                            "    - man: Document DEB_BUILD_PROFILES in all tools honoring the env variable.",
                            "    - man: Add a reference to build profiles in dpkg-buildflags.",
                            "      Closes: #1026319",
                            "    - man: Itemize deb(5) and deb-split(5).",
                            "    - man: Fix DPKG_ROOT documentation in dpkg(1). Closes: #1110873",
                            "    - man: Document DPKG_ROOT also as an external environment variable for",
                            "      dpkg.",
                            "    - man: Switch from .orig-<component>.tar to .orig-<addon>.tar.",
                            "      Closes: #1095231",
                            "    - man: Clarify that the archive described is the ar archive in a .deb.",
                            "    - man: Update control examples in deb-control(5) and deb-src-control(5).",
                            "    - man: Add lost detail about parts of a deb-changelog(5) getting ignored.",
                            "      Reported by Helge Kreutzmann <debian@helgefjell.de>.",
                            "    - man: Use proper L<> markup for man page references.",
                            "      Reported by Helge Kreutzmann <debian@helgefjell.de>.",
                            "    - man: Use «directory» instead of «dir» for dpkg option arguments.",
                            "      Reported by Helge Kreutzmann <debian@helgefjell.de>.",
                            "    - man: Add missing dpkg in «supported since» sentence in deb(5).",
                            "      Reported by Helge Kreutzmann <debian@helgefjell.de>.",
                            "    - man: Match plural forms in parentheticals in dpkg-buildflags(1).",
                            "      Reported by Helge Kreutzmann <debian@helgefjell.de>.",
                            "    - man: Add Multi-Arch field to dpkg-query known fields.",
                            "      Thanks to Nicolas Boulenguez <nicolas@debian.org>. Closes: #1115250",
                            "    - doc: Update references to mixed old and new C/C++ coding styles.",
                            "    - doc: Document test suite specific environment variables in README.",
                            "    - man: Use command instead of action for dpkg command options.",
                            "    - man: Clarify build profiles syntax.",
                            "    - man: Document accepted syntax for architecture names.",
                            "    - man: Improve architecture documentation.",
                            "      Prompted by Helmut Grohne <helmut@subdivi.de>.",
                            "    - man: Clarify binary stanza default field values and inheritance rules.",
                            "    - man: Itemize deb-substvars operators.",
                            "  * Code internals:",
                            "    - Quote variables in shell scripts.",
                            "    - Disable intentional or false-positive shellcheck checks.",
                            "    - perl: Switch to use 0o prefix for octal literals.",
                            "    - perl: Switch to «use v5.36» instead of «use strict» and «use",
                            "      warnings».",
                            "    - libdpkg: Do not segfault when adding triggers in no-act mode.",
                            "      Closes: #1108192",
                            "    - dpkg: Switch from m_asprintf() to str_fmt().",
                            "    - dpkg: Fix memory leak in maintscript_fallback().",
                            "    - dpkg: Rename maintscript description variable from buf to scriptdesc.",
                            "    - libdpkg: Enable meminfo_get_available() on GNU/Hurd.",
                            "      Prompted by Helmut Grohne <helmut@subdivi.de>.",
                            "      See https://lists.debian.org/debian-dpkg/2024/12/msg00004.html.",
                            "    - dpkg: Add a translator comment for the summarized pathname message.",
                            "    - libdpkg: Print () after function name in internerr message.",
                            "    - libdpkg: Add support for debug_at() to print debug messages at a",
                            "      function.",
                            "    - libdpkg, dpkg: Use debug_at() instead of debug() to print function name.",
                            "    - dpkg: Rename maintscript_exec() warn argument to subproc_opts.",
                            "    - dpkg: Pass cidir and cidirrest before scriptname to maintscript",
                            "      functions.",
                            "    - dpkg: Rename maintscript execution functions.",
                            "    - dpkg-gencontrol: Remove unused Dpkg::BuildProfiles import.",
                            "    - scripts: Replace some POSIX imports with Fcntl module.",
                            "    - libdpkg: Switch status abbreviations from char to strings.",
                            "    - perl: Rename regular expression variables from *_re to *_regex.",
                            "    - perl: Fix indentation.",
                            "    - perl: Remove unused File::Temp imports.",
                            "    - perl: Switch from tempfile()/tempdir() to OOP File::Temp interfaces.",
                            "    - perl: Move File::Find::find() options into an actual hashref variable.",
                            "    - perl: Fix indentation for list, listrefs and hashref variable",
                            "      definitions.",
                            "    - perl: Fix indentation for function calls with hash, hashref and listref",
                            "      arguments.",
                            "    - perl: Remove feature pragmas implied by «use VERSION».",
                            "    - Change TRANSLATORS comments style to get better extraction by gettext.",
                            "    - dselect: Remove unused __END__ markers in methods Perl modules.",
                            "    - dselect: Use Dpkg::Version in method scripts instead of calling dpkg.",
                            "    - dselect: Fix Perl syntax in methods scripts (duped parenthesis).",
                            "    - dselect: Fix Perl syntax in methods scripts (unbalanced quoting).",
                            "    - dselect: Use HERE document instead of multi-line string in method script.",
                            "    - dselect: Remove unnecessary trailing semicolon in method scripts.",
                            "    - dselect: Add missing Version field parsing to method scripts.",
                            "    - dselect: Fix variables declaration in «my» operator in media method",
                            "      script.",
                            "    - dselect: Fix open() calls in method scripts.",
                            "    - dselect: Close file descriptors in method scripts.",
                            "    - dselect: Use foreach loops instead of C-style loops in method scripts.",
                            "    - dselect: Declare Perl variables in method scripts with my.",
                            "    - dselect: Use chdir instead of non-existent cd function in method script.",
                            "    - dselect: Use {} for regex substitution operators in method scripts.",
                            "    - dselect: Remove useless topic variable use in split calls in method",
                            "      scripts.",
                            "    - dselect: Use foreach instead of map in void context in method script.",
                            "    - dselect: Use an array variable instead of reusing @_ in method script.",
                            "    - dselect: Do not mix high and low-precedence boolean operators.",
                            "    - dselect: Do not use mixed-case variable names in method scripts.",
                            "    - dselect: Rewrite all methods install scripts from shell to Perl.",
                            "    - dselect: Use intermediate variable for substr handling in method scripts.",
                            "    - dselect: Remove unused $iarch variable in method script.",
                            "    - dselect: Remove unnecessary intermediate variables in method script.",
                            "    - dselect: Use 0o as octal prefix in method scripts.",
                            "    - dselect: Do not use unusual delimiter for tr in method script.",
                            "    - dselect: Do not use boolean operators for code flow except for dying.",
                            "    - dpkg-architecture: Make architecture variables assignment more clear.",
                            "    - scripts: Remove unnecessary terminating 0 in scripts.",
                            "    - perl: Switch from hard tabs to spaces.",
                            "    - perl: Place label before loop keyword.",
                            "    - perl: Fix code indentation.",
                            "    - perl: Place each statement into its own line.",
                            "    - perl: Fix space style.",
                            "    - perl: Fix format and contents of code comments.",
                            "    - dpkg-shlibdeps: Rename global $i to $depstrength.",
                            "    - perl: Place each statement into its own line (round two).",
                            "    - perl: Fix format and contents of code comments (round two).",
                            "    - perl: Fix space style (round two).",
                            "    - perl: Fix code indentation (round two).",
                            "    - perl: Remove unnecessary parenthesis around single «my» variables.",
                            "    - dselect: Do not use boolean operators for code flow except for dying",
                            "      (round two).",
                            "    - dselect: Use named variables instead of topic variable in foreach loops.",
                            "    - libdpkg: Do an early continue in run_cleanups to reduce nesting level.",
                            "    - lib, src: Fix code formatting style of C code (round one).",
                            "    - dselect: Rework curses enable/disable functions to reduce nesting level.",
                            "    - dselect: Fix code formatting style of C++ code (round one).",
                            "    - start-stop-daemon: Change xmalloc() size argument type from int to",
                            "      size_t.",
                            "    - libcompat: Add support for __format_arg__ attribute.",
                            "    - libcompat: Mark gettext functions with __format_arg__ attribute.",
                            "    - dselect: Give a context string to keybinding translations.",
                            "    - Stop using length limited format strings (%.255s/%.250s/%.100s/%.50s).",
                            "    - libdpkg: Double the emergency error message buffer size.",
                            "  * Build system:",
                            "    - Bump minimal Perl version to 5.36.0.",
                            "    - Automatically set test parallelism from make parallelism.",
                            "    - Add new authordistcheck convenience rule.",
                            "    - Add a function definition to compile for the flags checks.",
                            "    - Add support for SHORT_TESTING to avoid running cppcheck.",
                            "    - Disable po4a warning that nags about switch to SimplePod.",
                            "    - Add an editorconfig file.",
                            "  * Packaging:",
                            "    - Use local keyword for function scoped variable in maintscript.",
                            "    - Add libselinux-dev in Build-Depends as alternative to libselinux1-dev.",
                            "    - Remove «Rules-Requires-Root: no», which is the current default.",
                            "  * Test suite:",
                            "    - Use $* instead of $@ when assigning into a string.",
                            "    - Use $() instead of legacy `` for shell command expansion.",
                            "    - Update dselect shell methods files list.",
                            "    - Check shell files pending fixes from shellcheck tests as TODO.",
                            "    - Move Perl version use pragmas as the first things to declare.",
                            "    - Pass soname as a scalar in Dpkg::Shlibs::Symbol->lookup_symbol calls.",
                            "    - Test that we do not allow «anyfoo» as an arch wildcard.",
                            "    - Remove unnecessary semicolon after loop block.",
                            "    - Hardcode number of invariant tests instead of dynamically computing them.",
                            "    - Move test plan to Test::More import.",
                            "    - Do not exit explicitly after a «plan skip_all».",
                            "    - Move update-alternatives test plan as early as possible in the test file.",
                            "    - Move use_ok() calls immediately after use imports.",
                            "    - Switch from «use_ok» to «use ok» for import checks.",
                            "    - Remove duplicate semicolon after statement.",
                            "  * Localization:",
                            "    - Add English UTF-8 translations.",
                            "    - Unfuzzy translations after contraction removal changes.",
                            "    - Unfuzzy translations after format string changes.",
                            "    - Update Catalan translations.",
                            "    - Update Portuguese scripts translation.",
                            "    - Update Swedish scripts translation.",
                            "",
                            "  [ Helge Kreutzmann ]",
                            "  * Localization:",
                            "    - Update German man pages translation.",
                            "    - Update German scripts translation.",
                            "",
                            "  [ Sven Joachim ]",
                            "  * Localization:",
                            "    - Update German programs translation.",
                            ""
                        ],
                        "package": "dpkg",
                        "version": "1.23.0",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Tue, 16 Dec 2025 22:21:13 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dracut-install",
                "from_version": {
                    "source_package_name": "dracut",
                    "source_package_version": "110-1ubuntu2",
                    "version": "110-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "dracut",
                    "source_package_version": "110-7",
                    "version": "110-7"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2133402,
                    2116183,
                    2116073,
                    2116067,
                    2114683,
                    2115490,
                    2111570,
                    2107477,
                    1466965,
                    2105377,
                    2103540,
                    2098525,
                    2091954,
                    1596220,
                    2081183,
                    2081183,
                    2048990,
                    2081183,
                    2073677,
                    2069290,
                    2065180,
                    2069290,
                    2065180,
                    2065180,
                    2053057,
                    2053057,
                    2031417,
                    2031185,
                    2031185,
                    2031417
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Drop test-skip-failing-MD-RAID-tests-cases-in-test-70-and-71.patch",
                            "  * Apply patches to fix failing autopkgtest 14-hooks:",
                            "    - fix(kernel-modules-export): use return instead of exit in pre-pivot hook",
                            "    - fix(memdisk): use return instead of exit in cmdline hook",
                            "    - fix(ppcmac): use return instead of exit in pre-udev hook",
                            "    - fix(syslog): use return instead of exit in initqueue/online hook",
                            ""
                        ],
                        "package": "dracut",
                        "version": "110-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 11 Feb 2026 17:43:47 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - autopkgtest: skip too slow 41-full-systemd on arm64 and armhf",
                            "      (see LP 2133401)",
                            "    - dracut-core: Declare breaking rust-coreutils before version 0.5.0",
                            "  * autopkgtest: run 43-kernel-install on arm64 again (LP: #2133402)",
                            "  * dracut-test: add run-qemu and test-functions",
                            "  * autopkgtest: depend on libarchive13t64 (fixed in systemd 259.1-1)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "110-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2133402
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 09 Feb 2026 13:20:58 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - autopkgtest: skip failing 43-kernel-install on arm64 (see LP 2133402)",
                            "    - autopkgtest: skip too slow 41-full-systemd on arm64 and armhf",
                            "      (see LP 2133401)",
                            "    - dracut-core: Declare breaking rust-coreutils before version 0.5.0",
                            ""
                        ],
                        "package": "dracut",
                        "version": "109-11ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 04 Feb 2026 01:04:58 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - Let linux-firmware updates trigger the dracut autopkgtest",
                            "    - autopkgtest: skip failing 43-kernel-install on arm64 (see LP 2133402)",
                            "    - autopkgtest: skip too slow 41-full-systemd on arm64 and armhf",
                            "      (see LP 2133401)",
                            "  * Dropped changes:",
                            "    - dracut-core: demote binutils to suggests. its only needed when using UEFI",
                            "      executables",
                            "    - fix(udev-rules): exclude udev rules from snapd. Let snapd ship a Dracut",
                            "      config file instead (see LP 2139065)",
                            "    - feat(dmsquash-live-autooverlay): support readlink from uutils",
                            "      (fixed by rust-coreutils 0.5.0)",
                            "    - test: use GNU dd instead of uutil's dd (to work around bug LP 2129037)",
                            "      (fixed by rust-coreutils 0.4.0)",
                            "  * dracut-core: Declare breaking rust-coreutils before version 0.5.0",
                            ""
                        ],
                        "package": "dracut",
                        "version": "109-9ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 26 Jan 2026 11:47:44 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - drop udevsettle patch (these kind of patches should be applied upstream)",
                            "    - dracut-core: demote binutils to suggests. its only needed when using UEFI",
                            "      executables",
                            "    - Let linux-firmware updates trigger the dracut autopkgtest",
                            "    - fix(udev-rules): exclude udev rules from snapd",
                            "    - feat(dmsquash-live-autooverlay): support readlink from uutils",
                            "    - test: use GNU dd instead of uutil's dd (to work around bug LP 2129037)",
                            "    - autopkgtest: skip failing 43-kernel-install on arm64 (see LP 2133402)",
                            "    - autopkgtest: skip too slow 41-full-systemd on arm64 and armhf",
                            "      (see LP 2133401)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "109-7ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Sat, 17 Jan 2026 01:27:36 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - drop udevsettle patch (these kind of patches should be applied upstream)",
                            "    - dracut-core: demote binutils to suggests. its only needed when using UEFI",
                            "      executables",
                            "    - Let linux-firmware updates trigger the dracut autopkgtest",
                            "    - fix(udev-rules): exclude udev rules from snapd",
                            "    - feat(dmsquash-live-autooverlay): support readlink from uutils",
                            "    - test: use GNU dd instead of uutil's dd (to work around bug LP 2129037)",
                            "  * test(sysroot): run with --no-hostonly-cmdline",
                            "  * autopkgtest: skip failing 43-kernel-install on arm64 (see LP 2133402)",
                            "  * autopkgtest: skip too slow 41-full-systemd on arm64 and armhf",
                            "    (see LP 2133401)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "109-5ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 01 Dec 2025 11:49:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - drop udevsettle patch (these kind of patches should be applied upstream)",
                            "    - dracut-core:",
                            "      - demote cryptsetup, systemd-cryptsetup, dmsetup, kpartx, lvm2,",
                            "        and mdadm to suggests",
                            "      - demote binutils to suggests. its only needed when using UEFI executables",
                            "    - Include all packages with dracut modules in Apport bug reports",
                            "    - autopkgtest: enable tests for s390x again",
                            "    - Plymouth hook: Use alternatives instead of plymouth-set-default-theme",
                            "    - run upstream-dracut-live autopkgtest on armhf and ppc64el",
                            "    - Drop debian-initramfs-post-update.patch. Let update-initramfs call the",
                            "      bootloader hooks instead of dracut itself.",
                            "    - plymouth: Only pull in the SimpleDRM driver by default",
                            "    - Let linux-firmware updates trigger the dracut autopkgtest",
                            "    - Cherry-pick some upstream fixes:",
                            "      - fix(dracut): use \"-name\" to avoid find matching temporary directory",
                            "      - fix(systemd-sysusers): increase ordering from 68 to 78",
                            "      - fix(dracut-systemd): avoid matching extra root= substrings in cmdline",
                            "      - fix(resume): avoid matching extra resume= substrings in cmdline",
                            "    - fix(udev-rules): exclude udev rules from snapd",
                            "  * feat(dmsquash-live-autooverlay): support readlink from uutils",
                            "  * test: use GNU dd instead of uutil's dd (to work around bug LP 2129037)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "108-8ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 20 Oct 2025 18:37:02 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Default to cpio until 3cpio MIR is complete",
                            "  * Cherry-pick some upstream fixes:",
                            "    - fix(dracut): use \"-name\" to avoid find matching temporary directory",
                            "    - fix(systemd-sysusers): increase ordering from 68 to 78",
                            "    - fix(dracut-systemd): avoid matching extra root= substrings in cmdline",
                            "    - fix(resume): avoid matching extra resume= substrings in cmdline",
                            "  * fix(udev-rules): exclude udev rules from snapd",
                            ""
                        ],
                        "package": "dracut",
                        "version": "108-3ubuntu3",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Thu, 04 Sep 2025 23:20:52 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * fix(dracut): library directory creation in --kernel-only",
                            ""
                        ],
                        "package": "dracut",
                        "version": "108-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Thu, 14 Aug 2025 20:39:46 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - drop udevsettle patch (these kind of patches should be applied upstream)",
                            "    - dracut-core:",
                            "      - demote cryptsetup, systemd-cryptsetup, dmsetup, kpartx, lvm2,",
                            "        and mdadm to suggests",
                            "      - demote binutils to suggests. its only needed when using UEFI executables",
                            "    - Include all packages with dracut modules in Apport bug reports",
                            "    - autopkgtest: enable tests for s390x again",
                            "    - Plymouth hook: Use alternatives instead of plymouth-set-default-theme",
                            "    - run upstream-dracut-live autopkgtest on armhf and ppc64el",
                            "    - Drop debian-initramfs-post-update.patch. Let update-initramfs call the",
                            "      bootloader hooks instead of dracut itself.",
                            "    - plymouth: Only pull in the SimpleDRM driver by default",
                            "    - Let linux-firmware updates trigger the dracut autopkgtest",
                            "  * Depend on 3cpio instead of cpio",
                            ""
                        ],
                        "package": "dracut",
                        "version": "108-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 13 Aug 2025 23:08:38 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - drop udevsettle patch (these kind of patches should be applied upstream)",
                            "    - dracut-core:",
                            "      - demote cryptsetup, systemd-cryptsetup, dmsetup, kpartx, lvm2,",
                            "        and mdadm to suggests",
                            "      - demote binutils to suggests. its only needed when using UEFI executables",
                            "    - Include all packages with dracut modules in Apport bug reports",
                            "    - autopkgtest: enable tests for s390x again",
                            "    - Plymouth hook: Use alternatives instead of plymouth-set-default-theme",
                            "    - run upstream-dracut-live autopkgtest on armhf and ppc64el",
                            "    - Drop debian-initramfs-post-update.patch. Let update-initramfs call the",
                            "      bootloader hooks instead of dracut itself.",
                            "    - plymouth: Only pull in the SimpleDRM driver by default",
                            "    - Let linux-firmware updates trigger the dracut autopkgtest",
                            "  * fix(dracut-util): crash if CMDLINE ends with quotation mark",
                            ""
                        ],
                        "package": "dracut",
                        "version": "108-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 08 Aug 2025 02:17:39 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - drop udevsettle patch (these kind of patches should be applied upstream)",
                            "    - dracut-core:",
                            "      - demote cryptsetup, systemd-cryptsetup, dmsetup, kpartx, lvm2,",
                            "        and mdadm to suggests",
                            "      - demote binutils to suggests. its only needed when using UEFI executables",
                            "    - Include all packages with dracut modules in Apport bug reports",
                            "    - autopkgtest: enable tests for s390x again",
                            "    - autopkgtest: add TEST-70-ISCSI and TEST-71-ISCSI-MULTI",
                            "    - Plymouth hook: Use alternatives instead of plymouth-set-default-theme",
                            "    - run upstream-dracut-live autopkgtest on armhf and ppc64el",
                            "    - Drop debian-initramfs-post-update.patch. Let update-initramfs call the",
                            "      bootloader hooks instead of dracut itself.",
                            "    - plymouth: Only pull in the SimpleDRM driver by default",
                            "    - Let linux-firmware updates trigger the dracut autopkgtest",
                            ""
                        ],
                        "package": "dracut",
                        "version": "108-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 05 Aug 2025 10:40:05 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * fix(lsinitrd): resolve initrd to real path (LP: #2116183)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "107-1ubuntu5",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2116183
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 08 Jul 2025 23:12:17 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix trigger looping when installing dracut (LP: #2116073)",
                            "  * Add autopkgtest for lsinitrd",
                            "  * Let linux-firmware updates trigger the dracut autopkgtest (LP: #2116067)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "107-1ubuntu4",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2116073,
                            2116067
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 07 Jul 2025 13:30:54 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Skip missing shellcheck on i386",
                            ""
                        ],
                        "package": "dracut",
                        "version": "107-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 30 Jun 2025 11:58:56 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * autopkgtest: replace qemu-kvm by qemu-system-native",
                            "  * update-initramfs: support deferring update by trigger (LP: #2114683)",
                            "  * Revert \"Avoid updating the initramfs twice for some cases\" (LP: #2115490)",
                            "  * dracut-network: default to systemd-networkd as network manager",
                            "  * source.apport: import packaging from apport",
                            "  * Fix shellcheck in Debian packaging scripts",
                            "  * Run syncheck, TEST-80-GETARGS, and TEST-81-SKIPCPIO during build",
                            ""
                        ],
                        "package": "dracut",
                        "version": "107-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2114683,
                            2115490
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 27 Jun 2025 16:51:35 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2111570). Remaining changes:",
                            "    - drop udevsettle patch (these kind of patches should be applied upstream)",
                            "    - dracut-core:",
                            "      - demote cryptsetup, systemd-cryptsetup, dmsetup, kpartx, lvm2,",
                            "        and mdadm to suggests",
                            "      - demote binutils to suggests. its only needed when using UEFI executables",
                            "    - Include all packages with dracut modules in Apport bug reports",
                            "    - autopkgtest: enable tests for s390x again",
                            "    - autopkgtest: add TEST-70-ISCSI and TEST-71-ISCSI-MULTI",
                            "    - Plymouth hook: Use alternatives instead of plymouth-set-default-theme",
                            "    - run upstream-dracut-live autopkgtest on armhf and ppc64el",
                            "    - Add update-initramfs (derived from initramfs-tools)",
                            "    - Drop debian-initramfs-post-update.patch. Let update-initramfs call the",
                            "      bootloader hooks instead of dracut itself.",
                            "    - Add bash completion for update-initramfs",
                            "    - Avoid updating the initramfs twice for some cases",
                            "    - plymouth: Only pull in the SimpleDRM driver by default",
                            "  * autopkgtest: depend on curl for test 60-NFS",
                            "  * fix(simpledrm): add =drivers/gpu/drm/panel (LP: #2107477)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "107-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2111570,
                            2107477
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 23 May 2025 14:54:03 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * update-initramfs: add -s parameter",
                            "  * Avoid updating the initramfs twice for some cases (LP: #1466965)",
                            "  * add simple-drm module",
                            "  * plymouth: Only pull in the SimpleDRM driver by default (LP: #2105377)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "106-2ubuntu5",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1466965,
                            2105377
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 02 Apr 2025 10:39:23 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * update-initramfs: add --version parameter",
                            "  * Add bash completion for update-initramfs (LP: #2103540)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "106-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2103540
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Sat, 22 Mar 2025 00:32:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * fix(systemd-sysusers): silence \"Creating \" on stderr",
                            ""
                        ],
                        "package": "dracut",
                        "version": "106-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 25 Feb 2025 17:18:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add update-initramfs (derived from initramfs-tools) (LP: #2098525)",
                            "  * Drop debian-initramfs-post-update.patch. Let update-initramfs call the",
                            "    bootloader hooks instead of dracut itself.",
                            ""
                        ],
                        "package": "dracut",
                        "version": "106-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2098525
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 21 Feb 2025 01:23:03 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - drop udevsettle patch (these kind of patches should be applied upstream)",
                            "    - drop 90overlay-root in favor of 90overlayfs (Closes: #1017039)",
                            "    - dracut-core:",
                            "      - demote cryptsetup, systemd-cryptsetup, dmraid, dmsetup, kpartx, lvm2,",
                            "        and mdadm to suggests",
                            "      - demote binutils to suggests. its only needed when using UEFI executables",
                            "    - Include all packages with dracut modules in Apport bug reports",
                            "    - autopkgtest: add TEST-70-ISCSI and TEST-71-ISCSI-MULTI",
                            "    - Plymouth hook: Use alternatives instead of plymouth-set-default-theme",
                            "    - Set -H --hostonly-mode=sloppy as default arguments via a config file.",
                            "  * run upstream-dracut-live autopkgtest on armhf and ppc64el",
                            "  * move 99-ubuntu.conf to 10-ubuntu.conf (to ease overwriting it)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "106-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Thu, 13 Feb 2025 12:29:40 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * test: run RAID and ENC-RAID-LVM with --no-hostonly (LP: #2091954)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "105-2ubuntu5",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2091954
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Sat, 21 Dec 2024 01:28:52 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Install 99-ubuntu.conf in /usr/lib/dracut/dracut.conf.d instead of /etc",
                            ""
                        ],
                        "package": "dracut",
                        "version": "105-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 27 Nov 2024 15:47:41 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Set -H --hostonly-mode=sloppy as default arguments via a config file.",
                            ""
                        ],
                        "package": "dracut",
                        "version": "105-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon Quigley <tsimonq2@ubuntu.com>",
                        "date": "Sun, 24 Nov 2024 21:46:30 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Plymouth hook: Use alternatives instead of plymouth-set-default-theme",
                            "    (LP: #1596220).",
                            ""
                        ],
                        "package": "dracut",
                        "version": "105-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1596220
                        ],
                        "author": "Simon Quigley <tsimonq2@ubuntu.com>",
                        "date": "Thu, 21 Nov 2024 14:54:12 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - run autopkgtest on all architectures",
                            "    - Run upstream autopkgtest as root",
                            "    - drop udevsettle patch (these kind of patches should be applied upstream)",
                            "    - drop 90overlay-root in favor of 90overlayfs (Closes: #1017039)",
                            "    - dracut-core:",
                            "      - demote cryptsetup, systemd-cryptsetup, dmraid, dmsetup, kpartx, lvm2,",
                            "        and mdadm to suggests",
                            "      - demote binutils to suggests. its only needed when using UEFI executables",
                            "    - Include all packages with dracut modules in Apport bug reports",
                            "      (LP: #2081183)",
                            "  * autopkgtest: also run TEST-20-NFS, TEST-30-ISCSI, and TEST-35-ISCSI-MULTI",
                            ""
                        ],
                        "package": "dracut",
                        "version": "105-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2081183
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Thu, 21 Nov 2024 15:16:59 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Run upstream autopkgtest as root",
                            "    - disable using DH_VERBOSE=1",
                            "    - drop udevsettle patch (these kind of patches should be applied upstream)",
                            "    - drop 90overlay-root in favor of 90overlayfs (Closes: #1017039)",
                            "    - dracut-core:",
                            "      - demote cryptsetup, systemd-cryptsetup, dmraid, dmsetup, kpartx, lvm2,",
                            "        and mdadm to suggests",
                            "      - demote binutils to suggests. its only needed when using UEFI executables",
                            "    - Include all packages with dracut modules in Apport bug reports",
                            "      (LP: #2081183)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "105-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2081183
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Thu, 14 Nov 2024 14:06:43 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Regenerate only the latest and missing initrds (LP: #2048990)",
                            "  * Include all packages with dracut modules in Apport bug reports",
                            "    (LP: #2081183)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "103-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [
                            2048990,
                            2081183
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 30 Sep 2024 15:04:58 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * autopkgtest: Drop dmraid upstream test 14 (LP: #2073677)",
                            "  * Add systemd-coredump, systemd-cryptsetup, and systemd-repart as",
                            "    dependencies for upstream-dracut-core autopkgtest.",
                            ""
                        ],
                        "package": "dracut",
                        "version": "103-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [
                            2073677
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 03 Sep 2024 11:02:08 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - autopkgtest: Enable dmraid upstream test 14",
                            "    - Run upstream autopkgtest as root",
                            "    - disable using DH_VERBOSE=1",
                            "    - dracut-core: add new modules 01systemd-bsod, 01systemd-creds, 90numlock,",
                            "      90pcmcia",
                            "    - Explicitly mark 45ifcfg module as not installed",
                            "    - Switch to debhelper 13",
                            "    - dracut: use await variant of update-initramfs trigger",
                            "    - drop udevsettle patch (these kind of patches should be applied upstream)",
                            "    - drop nm-path patch (network-manager ships the helpers in /usr/libexec)",
                            "    - drop 90overlay-root in favor of 90overlayfs (Closes: #1017039)",
                            "    - run autopkgtest with V=2",
                            "    - run autopkgtest on all architectures",
                            "    - autopkgtest: disable using KVM for ppc64el",
                            "    - autopkgtest: set ARCH to dpkg architecture",
                            "    - dracut-core:",
                            "      - drop recommending pkgconf",
                            "      - drop depending directly on libkmod2. dracut-install links against it.",
                            "      - demote cryptsetup, dmraid, dmsetup, kpartx, lvm2, mdadm to suggests",
                            "      - demote binutils to suggests. its only needed when using UEFI executables",
                            "      - recommend zstd instead of pigz and default to zstd",
                            "    - Drop dracut-config-generic. Building a generic image is and will be the",
                            "      default.",
                            "    - Default initrdname to initrd.img-${kernel}",
                            "  * All submitted patches were accepted upstream and could be dropped.",
                            ""
                        ],
                        "package": "dracut",
                        "version": "103-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 09 Aug 2024 11:26:10 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick upstream fixes for systemd 256 (LP: #2069290):",
                            "    - fix(test): use --add instead of --modules to create test-makeroot",
                            "    - test: avoid writing to rootfs as it might be read-only",
                            "  * fix(dracut-initramfs-restore.sh): correct initrd globbing",
                            "  * feat(lsinitrd.sh): support configurable initrd filenames",
                            "  * Default initrdname to initrd.img-${kernel}",
                            "  * Cherry-pick upstream performance fixes (LP: #2065180):",
                            "    - perf(dracut-install): memoize find_kmod_module_from_sysfs_node",
                            "    - perf(dracut-install): use driver/module sysfs dirs for module name",
                            "  * test: virtual hardware watchdog not available on s390x",
                            ""
                        ],
                        "package": "dracut",
                        "version": "102-3ubuntu4",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [
                            2069290,
                            2065180
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 08 Jul 2024 20:37:51 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * autopkgtest: set ARCH to dpkg architecture",
                            "  * dracut-core:",
                            "    - drop recommending pkgconf",
                            "    - drop depending directly on libkmod2. dracut-install links against it.",
                            "    - demote cryptsetup, dmraid, dmsetup, kpartx, lvm2, mdadm to suggests",
                            "    - demote binutils to suggests. its only needed when using UEFI executables.",
                            "    - recommend zstd instead of pigz and default to zstd",
                            "  * Drop dracut-config-generic. Building a generic image is and will be the",
                            "    default.",
                            ""
                        ],
                        "package": "dracut",
                        "version": "102-3ubuntu3",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Thu, 27 Jun 2024 23:07:12 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * dracut: use await variant of update-initramfs trigger",
                            "  * fix(shell-completion): remove hashbang from bash completions",
                            "  * drop udevsettle patch (these kind of patches should be applied upstream)",
                            "  * drop nm-path patch (network-manager ships the helpers in /usr/libexec)",
                            "  * drop 90overlay-root in favor of 90overlayfs (Closes: #1017039)",
                            "  * run autopkgtest with V=2",
                            "  * autopkgtest: depend on tpm2-tools for systemd-pcrphase (LP: #2069290)",
                            "  * run autopkgtest on all architectures",
                            "  * autopkgtest: disable using KVM for ppc64el",
                            ""
                        ],
                        "package": "dracut",
                        "version": "102-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [
                            2069290
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 14 Jun 2024 01:57:17 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - autopkgtest: Enable dmraid upstream test 14",
                            "    - Run upstream autopkgtest as root",
                            "    - disable using DH_VERBOSE=1",
                            "    - perf(dracut-install): preload kmod resources for quicker module lookup",
                            "      (LP: #2065180)",
                            "  * dracut-core: add new modules 01systemd-bsod, 01systemd-creds, 90numlock,",
                            "    90pcmcia",
                            "  * Explicitly mark 45ifcfg module as not installed",
                            "  * Switch to debhelper 13",
                            "  * test(RAID-DEG): fix running test out of tree",
                            ""
                        ],
                        "package": "dracut",
                        "version": "102-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [
                            2065180
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 12 Jun 2024 19:38:43 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * perf(dracut-install): preload kmod resources for quicker module lookup",
                            "    (LP: #2065180)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "060+5-8ubuntu2",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [
                            2065180
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 04 Jun 2024 16:33:13 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - autopkgtest: Enable dmraid upstream test 14",
                            "    - Run upstream autopkgtest as root",
                            "    - disable using DH_VERBOSE=1",
                            "    - d/p/ldconfig-real.patch: make sure ldconfig.real is installed where",
                            "      needed (LP: #2053057)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "060+5-8ubuntu1",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [
                            2053057
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 21 May 2024 17:38:39 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No change rebuild for 64-bit time_t and frame pointers.",
                            ""
                        ],
                        "package": "dracut",
                        "version": "060+5-1ubuntu3",
                        "urgency": "high",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Julian Andres Klode <juliank@ubuntu.com>",
                        "date": "Mon, 08 Apr 2024 17:56:43 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ldconfig-real.patch: make sure ldconfig.real is installed where needed",
                            "    (LP: #2053057)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "060+5-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2053057
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 13 Feb 2024 11:26:56 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - fix(test): running tests no longer requires to be root",
                            "    - Add modules 80test, 80test-makeroot, and 80test-root to dracut-core",
                            "    - Add autopkgtest to run upstream test cases on amd64 (LP: #2031417)",
                            "    - Split dracut-install into separate package for initramfs-tools",
                            "      (LP: #2031185)",
                            "  * test(FULL SYSTEMD): no need to include dbus to the target rootfs",
                            "  * Drop dbus-broker from autopkgtest",
                            ""
                        ],
                        "package": "dracut",
                        "version": "060+5-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2031417,
                            2031185
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 07 Feb 2024 18:44:09 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Split dracut-install into separate package for initramfs-tools",
                            "    (LP: #2031185)",
                            "  * Update out-of-tree patches to final version merged upstream",
                            "  * Cherry-pick upstream fixes:",
                            "    - fix(dracut-systemd): rootfs-generator issues",
                            "    - test: increase test VM memory from 512M to 1024M to avoid OOM killer",
                            "  * Address lintian complaints:",
                            "    - Remove empty directories in /usr/lib/dracut/modules.d",
                            "    - Add ${misc:Depends} to all binary package dependencies",
                            "    - Override lintian complaint executable-in-usr-lib (reported upstream)",
                            "    - Override false positive about missing init.d scripts",
                            "  * Install files from debian/tmp to make dh_missing happy",
                            "  * Install dracut.kernel.7 man page (link to dracut.cmdline.7)",
                            "  * Restrict autopkgtest to amd64 (other architectures need upstream work)",
                            "  * autopkgtest: run more upstream test cases",
                            ""
                        ],
                        "package": "dracut",
                        "version": "059-4ubuntu2",
                        "urgency": "medium",
                        "distributions": "mantic",
                        "launchpad_bugs_fixed": [
                            2031185
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 22 Aug 2023 16:34:06 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * fix(test): running tests no longer requires to be root",
                            "  * test: Make dracut and modules.d directory configurable",
                            "  * Add upstream autopkgtest to run four test cases (LP: #2031417)",
                            "  * Add modules 80test, 80test-makeroot, and 80test-root to dracut-core",
                            ""
                        ],
                        "package": "dracut",
                        "version": "059-4ubuntu1",
                        "urgency": "medium",
                        "distributions": "mantic",
                        "launchpad_bugs_fixed": [
                            2031417
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 16 Aug 2023 02:02:13 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": true
            },
            {
                "name": "e2fsprogs",
                "from_version": {
                    "source_package_name": "e2fsprogs",
                    "source_package_version": "1.47.2-3ubuntu2",
                    "version": "1.47.2-3ubuntu2"
                },
                "to_version": {
                    "source_package_name": "e2fsprogs",
                    "source_package_version": "1.47.2-3ubuntu4",
                    "version": "1.47.2-3ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2138219,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/rules: fix pkgconfig call that results in inability",
                            "    to find udev rules.d in dh_install. Patch supplied by",
                            "    Helmut Grohne in Debian bug 1126636. (LP: #2138219)",
                            ""
                        ],
                        "package": "e2fsprogs",
                        "version": "1.47.2-3ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138219
                        ],
                        "author": "John Chittum <john.chittum@canonical.com>",
                        "date": "Fri, 13 Feb 2026 07:17:00 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "e2fsprogs",
                        "version": "1.47.2-3ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:34:31 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "eject",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.2-4ubuntu3",
                    "version": "2.41.2-4ubuntu3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.3-3ubuntu2",
                    "version": "2.41.3-3ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142050
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ubuntu/su-pty-drop-caps.patch: harden 'su --pty' to temporarily lower",
                            "    capabilities while proxying between stdin/stdout and the pty master. This",
                            "    is to prevent su from being used to exploit kernel vulnerabilities.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:09:23 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142050). Remaining changes:",
                            "    - Add sulogin-fallback-static-sh.patch",
                            "      Add support for /bin/static-sh as fallback if the regular shell fails to",
                            "      execute. Patch ported from sysvinit. (see LP #505887)",
                            "    - Add sulogin-lockedpwd.patch",
                            "      Make sure file systems can be fixed on machines with locked root",
                            "      accounts (as Ubuntu does by default). Don't require --force for sulogin.",
                            "    - d/rules: disable libmount mountfs support",
                            "      Disable brand new feature with --disable-libmount-mountfd-support that",
                            "      causes inability to deploy MAAS LP #2037417.",
                            "  * Dropped changes applied upstream:",
                            "    - SECURITY UPDATE: heap overread with 256-byte usernames",
                            "      + debian/patches/CVE-2025-14104-1.patch: add length check in",
                            "        login-utils/setpwnam.c.",
                            "      + debian/patches/CVE-2025-14104-2.patch: update buflen in",
                            "        login-utils/setpwnam.c.",
                            "      + CVE-2025-14104",
                            "  * Dropped changes as they were no longer necessary:",
                            "    - d/p/ubuntu/lp-2030793-make-check-pidfd.patch",
                            "      This patch only affected kernel versions below 5.15 which are not",
                            "      available on resolute.",
                            "    - d/p/u/lp-2112552-tests-mark-mkfds-multiplexing-as-known-fail.patch",
                            "      The underlying bug was addressed in rust-coreutils.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142050
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Sun, 15 Feb 2026 17:43:12 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/libsmartcols1.symbols: drop terminal crap",
                            "  * d/rules: make dpkg-gensymbols more strict",
                            "  * lintian: ignore groff-message tags",
                            "  * lintian: ignore groff-message tags in remaining packages",
                            "  * Add upstream patches",
                            "    * unshare: fix user namespace bind mounts",
                            "    * unshare: remove get_mnt_ino() check in bind_ns_files_from_child()",
                            "    * unshare: add --owner to set user namespace owner uid and gid",
                            "    * libfdisk: modernize ZFS GPT type description",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 31 Dec 2025 13:06:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * util-linux: do not fail postinst/prerm if update-alternatives is missing",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 17 Dec 2025 10:42:28 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Stop installing lastlog2-import.service",
                            "  * New upstream release, fixing CVE-2025-14104. (Closes: #1122058)",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Tue, 16 Dec 2025 20:37:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ethtool",
                "from_version": {
                    "source_package_name": "ethtool",
                    "source_package_version": "1:6.15-3build1",
                    "version": "1:6.15-3build1"
                },
                "to_version": {
                    "source_package_name": "ethtool",
                    "source_package_version": "1:6.19-1",
                    "version": "1:6.19-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release: 6.19",
                            "",
                            "  [ Ben Hutchings ]",
                            "  * d/watch: Update to avoid uscan bug #1112065",
                            "",
                            "  [ Salvatore Bonaccorso ]",
                            "  * Declare compliance with Debian policy 4.7.3",
                            "  * debian/control: Remove \"Priority: optional\" (default)",
                            "  * Update copyright years for debian/* packaging files",
                            "  * d/u/signing-key.asc: Add GPG key for Jakub Kicinski",
                            "  * d/u/signing-key.asc: Strip extra signatures from  GPG key for Jakub",
                            "    Kicinski",
                            ""
                        ],
                        "package": "ethtool",
                        "version": "1:6.19-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Salvatore Bonaccorso <carnil@debian.org>",
                        "date": "Sun, 15 Feb 2026 21:14:49 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "exfatprogs",
                "from_version": {
                    "source_package_name": "exfatprogs",
                    "source_package_version": "1.3.1-1",
                    "version": "1.3.1-1"
                },
                "to_version": {
                    "source_package_name": "exfatprogs",
                    "source_package_version": "1.3.2-1",
                    "version": "1.3.2-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Update to Standards-Version 4.7.3, remove the Priority field.",
                            "  * Fix debian/watch file (again) to pull the released tar.xz and .asc",
                            "    file, so we can use uscan for both and get the signature validation.",
                            ""
                        ],
                        "package": "exfatprogs",
                        "version": "1.3.2-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sven Hoexter <hoexter@debian.org>",
                        "date": "Tue, 10 Mar 2026 16:02:42 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "fdisk",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.2-4ubuntu3",
                    "version": "2.41.2-4ubuntu3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.3-3ubuntu2",
                    "version": "2.41.3-3ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142050
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ubuntu/su-pty-drop-caps.patch: harden 'su --pty' to temporarily lower",
                            "    capabilities while proxying between stdin/stdout and the pty master. This",
                            "    is to prevent su from being used to exploit kernel vulnerabilities.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:09:23 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142050). Remaining changes:",
                            "    - Add sulogin-fallback-static-sh.patch",
                            "      Add support for /bin/static-sh as fallback if the regular shell fails to",
                            "      execute. Patch ported from sysvinit. (see LP #505887)",
                            "    - Add sulogin-lockedpwd.patch",
                            "      Make sure file systems can be fixed on machines with locked root",
                            "      accounts (as Ubuntu does by default). Don't require --force for sulogin.",
                            "    - d/rules: disable libmount mountfd support",
                            "      Disable brand new feature with --disable-libmount-mountfd-support that",
                            "      causes inability to deploy MAAS LP #2037417.",
                            "  * Dropped changes applied upstream:",
                            "    - SECURITY UPDATE: heap overread with 256-byte usernames",
                            "      + debian/patches/CVE-2025-14104-1.patch: add length check in",
                            "        login-utils/setpwnam.c.",
                            "      + debian/patches/CVE-2025-14104-2.patch: update buflen in",
                            "        login-utils/setpwnam.c.",
                            "      + CVE-2025-14104",
                            "  * Dropped changes as they were no longer necessary:",
                            "    - d/p/ubuntu/lp-2030793-make-check-pidfd.patch",
                            "      This patch only affected kernel versions below 5.15 which are not",
                            "      available on resolute.",
                            "    - d/p/u/lp-2112552-tests-mark-mkfds-multiplexing-as-known-fail.patch",
                            "      The underlying bug was addressed in rust-coreutils.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142050
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Sun, 15 Feb 2026 17:43:12 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/libsmartcols1.symbols: drop terminal crap",
                            "  * d/rules: make dpkg-gensymbols more strict",
                            "  * lintian: ignore groff-message tags",
                            "  * lintian: ignore groff-message tags in remaining packages",
                            "  * Add upstream patches",
                            "    * unshare: fix user namespace bind mounts",
                            "    * unshare: remove get_mnt_ino() check in bind_ns_files_from_child()",
                            "    * unshare: add --owner to set user namespace owner uid and gid",
                            "    * libfdisk: modernize ZFS GPT type description",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 31 Dec 2025 13:06:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * util-linux: do not fail postinst/prerm if update-alternatives is missing",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 17 Dec 2025 10:42:28 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Stop installing lastlog2-import.service",
                            "  * New upstream release, fixing CVE-2025-14104. (Closes: #1122058)",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Tue, 16 Dec 2025 20:37:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "file",
                "from_version": {
                    "source_package_name": "file",
                    "source_package_version": "1:5.46-5build1",
                    "version": "1:5.46-5build1"
                },
                "to_version": {
                    "source_package_name": "file",
                    "source_package_version": "1:5.46-5build2",
                    "version": "1:5.46-5build2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "file",
                        "version": "1:5.46-5build2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:37:37 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "flash-kernel",
                "from_version": {
                    "source_package_name": "flash-kernel",
                    "source_package_version": "3.110ubuntu1",
                    "version": "3.110ubuntu1"
                },
                "to_version": {
                    "source_package_name": "flash-kernel",
                    "source_package_version": "3.110ubuntu2",
                    "version": "3.110ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2138618,
                    2141432
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Dave Jones ]",
                            "  * Split out piboot-try package (LP: #2138618)",
                            "    - flash-kernel-piboot is now a transitional package pointing to piboot-try",
                            "    - All the delta specific to the Raspberry Pi is stripped out",
                            "  * Removed changes from prior merge:",
                            "    - Add support for Raspberry Pi 2, 3, 3+, CM3, CM3+, and 4 using a unified",
                            "      bootscript (replaces upstream's entries)",
                            "      - Update pi bootscript to support all flash-kernel vars, including",
                            "        calculated devtype and partition for future USB boot support",
                            "      - Add entry for Raspberry Pi 3A+",
                            "      - Add entry for Raspberry Pi CM4",
                            "      - Add entry for Raspberry Pi 400",
                            "      - Import UC20 updates to the rpi bootscript from the snappy-dev/image",
                            "        PPA",
                            "    - Add Kernel-Flavors check to Raspberry Pi entries",
                            "      - Support \"raspi\" kernel flavor",
                            "    - Drop the \"systemd.gpt_auto=0 rd.systemd.unit=basic.target\" values from",
                            "      the snapd_standard_params, which have not been needed since pre-GA of",
                            "      UC20 and were removed in pc gadget on 20th April 2020. (LP: 1933093)",
                            "    - Add \"pi\" value for the \"Method\" field which copies all dtbs and overlays",
                            "      to the boot partition and provides defaults for the boot paths of the",
                            "      kernel, initrd, and u-boot script.",
                            "      - This fixes upgrades to support the Pi 4 on Bionic",
                            "      - Permit initrd to be missing in flash-kernel",
                            "      - Make U-boot optional in the \"pi\" method. From Groovy onwards, U-Boot",
                            "        will be an option in the boot chain but not activated by default. For",
                            "        the time being, the U-Boot-Script-Name will remain in the Pi entries,",
                            "        but this commit permits it to be blank in future.",
                            "      - Copy the Pi's bootloader firmware. At present, the Pi's bootloader",
                            "        firmware is being copied to the boot partition by the postinst of the",
                            "        linux-firmware-raspi2 package. However, flash-kernel should be",
                            "        responsible for copying *everything* necessary to boot the Linux",
                            "        kernel, hence this responsibility should be transferred to flash-",
                            "        kernel.",
                            "    - Ensure tests work independently of sort implementation",
                            "    - Add pattern matching for machines",
                            "      - A requirement has come up to permit a simple form of pattern matching",
                            "        (specifically shell-style globbing) in the Machine field of the",
                            "        database. This commit implements this via a \"case\" match.",
                            "    - Add minor board revisions to db/all.db",
                            "    - Added entries for the Pi 4B rev 1.5, and moved CM4 and 400 models to",
                            "      their own entries for the sake of clarity",
                            "    - Added note in db/all.db above Pi entries about \"incorrect\" DTB-Id (LP:",
                            "      1928314)",
                            "    - Install u-boot binaries in addition to u-boot scripts for the Pi",
                            "    - Copy overlay_map.dtb into overlays/ sub-directory instead of the root of",
                            "      the boot partition (LP: 1918110)",
                            "    - Include overlays/README in the files copied by Method: pi",
                            "    - Use generic-revision catch-alls for each model rather than relying on a",
                            "      single Pi catch-all to avoid a confusing selection of \"the one DTB\" for",
                            "      a given board (even though all other DTBs will still be copied anyway)",
                            "      (LP: 2038087)",
                            "      - Add missing Pi Zero 2W entry",
                            "      - Add missing Pi 5B entry",
                            "    - Add raspi-realtime kernel flavor to bcm2711 and bcm2712 based Pi boards",
                            "      (LP: 2051960)",
                            "    - db/all.db: Fix Raspberry Pi 2 entry for noble. Here we can assume it is",
                            "      definitely the 64-bit revision (1.2) board, but this change must not be",
                            "      backported earlier than noble where this assumption does not hold (LP:",
                            "      2060856)",
                            "    - db/all.db: add CM5 entry (LP: 2086774)",
                            "    - db/all.db: Add entry for Raspberry Pi 500 (LP: 2092216)",
                            "    - db/all.db: Add CM5 Lite to flash-kernel database",
                            "    - Implement an A/B boot mechanism for the Raspberry Pi. This adds the new",
                            "      flash-kernel-piboot package, which contains the new piboot-try-reboot",
                            "      and piboot-try-validate services",
                            "    - Enable the hardware watchdog during migration of the boot configuration",
                            "    - Report failure of new boot assets in motd",
                            "    - Show --help if no options specified to piboot-try",
                            "    - Ensure validation is done before motd displays",
                            "    - Do not execute piboot-try when method != pi-try",
                            "",
                            "  [ Heinrich Schuchardt ]",
                            "  * db/all.db: Add new machines (LP: #2141432):",
                            "    - Xunlong Orange Pi RV",
                            "    - SpacemiT K3 Pico-ITX",
                            "    - ultrarisc,dp1000",
                            ""
                        ],
                        "package": "flash-kernel",
                        "version": "3.110ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138618,
                            2141432
                        ],
                        "author": "Dave Jones <dave.jones@canonical.com>",
                        "date": "Wed, 11 Feb 2026 21:59:28 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "fwupd",
                "from_version": {
                    "source_package_name": "fwupd",
                    "source_package_version": "2.0.19-1ubuntu1",
                    "version": "2.0.19-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "fwupd",
                    "source_package_version": "2.1.1-1ubuntu1",
                    "version": "2.1.1-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2146332,
                    2143688,
                    2142298,
                    2139611
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version (LP: #2146332)",
                            "  * Drop patches merged upstream.",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - d/p/fwupdmgr-fde-verify-snapd-recovery-key.patch: Make fwupdmgr",
                            "      verify snapd recovery key through prompt on updates affecting FDE.",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.1.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2146332
                        ],
                        "author": "Mario Limonciello <superm1@debian.org>",
                        "date": "Thu, 26 Mar 2026 12:46:28 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version (2.1.1)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.1.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Mario Limonciello <superm1@debian.org>",
                        "date": "Wed, 25 Mar 2026 13:18:21 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/patches/dell-uod-behavior.patch: Backport from 2_0_X branch to fix",
                            "    UOD behavior for some Dell docks. (LP: #2143688)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.20-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143688
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Mon, 09 Mar 2026 11:48:10 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Enable UMA carveout feature (LP: #2142298)",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - d/p/db-update-snapd-bad-request.patch: On TPM/FDE systems, db updates",
                            "      require notifying snapd for preparation. However, the payload uses an",
                            "      incorrect format for composite updates. Change the format to align",
                            "      with snapd.",
                            "    - d/p/fwupdmgr-fde-verify-snapd-recovery-key.patch: Make fwupdmgr",
                            "      verify snapd recovery key through prompt on updates affecting FDE.",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.20-1ubuntu1",
                        "urgency": "low",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142298
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Fri, 27 Feb 2026 20:24:47 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version (2.0.20)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.20-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Thu, 26 Feb 2026 06:49:36 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix snapd bad request on db updates (LP: #2139611):",
                            "    - d/p/db-update-snapd-bad-request.patch: On TPM/FDE systems, db updates",
                            "      require notifying snapd for preparation. However, the payload uses an",
                            "      incorrect format for composite updates. Change the format to align",
                            "      with snapd.",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.19-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2139611
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Mon, 23 Feb 2026 12:12:45 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "gcc-16-base:armhf",
                "from_version": {
                    "source_package_name": "gcc-16",
                    "source_package_version": "16-20260217-1ubuntu2",
                    "version": "16-20260217-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "gcc-16",
                    "source_package_version": "16-20260315-1ubuntu1",
                    "version": "16-20260315-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Build from upstream sources.",
                            "    - Work-around the 80GB chroot size on the Ubuntu buildds.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260315-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 15 Mar 2026 13:22:54 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260315).",
                            "  * Pass configure flags for libgcobol cross builds.",
                            "  * For backports, require binutils (>= 2.40) on riscv64.",
                            "  * libga68-dev: Depend on libgc-dev. Closes: #1130580.",
                            "  * Fix PR ada/107475 also for armhf and s390x.",
                            "  * Disable dwz on alpha, see PR dwz/33990.",
                            "  * Refresh patches.",
                            "  * Update libgcc-s, libcc1, lib*asan, liblsan, libtsan and libgcobol",
                            "    symbol files.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260315-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sun, 15 Mar 2026 13:17:23 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260308).",
                            "  * On riscv64, default again to RVA23.",
                            "  * Disable bootstrap build on riscv64 entirely for a quick build.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260308-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 08 Mar 2026 09:49:05 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260308).",
                            "  * Refresh cross-installation-location patch.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260308-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sun, 08 Mar 2026 09:34:40 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260307).",
                            "  * libsanitizer/TSan: Fix determining static TLS blocks. Addresses: #1126312.",
                            "  * Refresh patches.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260307-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sat, 07 Mar 2026 09:07:18 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260226).",
                            "  * On riscv64, default again to RVA23.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260226-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 06:09:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260226). Also closes: #1128648.",
                            "  * Disable again profiled+lto build on armhf.",
                            "  * Fix s390x backport builds.",
                            "  * Disable dwz on riscv64, see https://sourceware.org/bugzilla/show_bug.cgi?id=33929.",
                            "  * Disable profiled+lto build. See https://gcc.gnu.org/PR124238.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260226-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Thu, 26 Feb 2026 06:00:27 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "gir1.2-girepository-3.0:armhf",
                "from_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.87.2-3",
                    "version": "2.87.2-3"
                },
                "to_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.88.0-1",
                    "version": "2.88.0-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "    - Work around a build regression in NetworkManager with 2.87.x",
                            "  * Release to unstable",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.88.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon McVittie <smcv@debian.org>",
                        "date": "Mon, 16 Mar 2026 21:37:12 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "  * d/control: Bump gi-docgen to 2026.1, matching upstream CI",
                            "  * d/copyright: Remove comment line.",
                            "    The machine-readable syntax doesn't actually allow these. Use",
                            "    a double blank line as the divider between Files and standalone",
                            "    License paragraphs instead.",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.5-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon McVittie <smcv@debian.org>",
                        "date": "Fri, 13 Mar 2026 16:54:09 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update the source using the upstream-generated-tarball",
                            "  * debian/control: Update breaks on old gjs and pygobject.",
                            "    Versions prior to these do not have the fallback code to support the",
                            "    GLib/GLibUnix split",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.3-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 00:24:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release:",
                            "    Upstream has tagged a new release but not produced tarballs yet, due to CI",
                            "    problems. Let's get this (the tagged contents) early in experimental",
                            "    though, so we can start testing it, but using a pre-version so that we can",
                            "    later import the actual 2.87.3 tarball.",
                            "  * d/p: Refresh and drop applied patches",
                            "  * debian/libglib2.0-0t64.symbols: Update symbols",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.3~gitlab0-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 00:48:14 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "gir1.2-glib-2.0:armhf",
                "from_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.87.2-3",
                    "version": "2.87.2-3"
                },
                "to_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.88.0-1",
                    "version": "2.88.0-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "    - Work around a build regression in NetworkManager with 2.87.x",
                            "  * Release to unstable",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.88.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon McVittie <smcv@debian.org>",
                        "date": "Mon, 16 Mar 2026 21:37:12 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "  * d/control: Bump gi-docgen to 2026.1, matching upstream CI",
                            "  * d/copyright: Remove comment line.",
                            "    The machine-readable syntax doesn't actually allow these. Use",
                            "    a double blank line as the divider between Files and standalone",
                            "    License paragraphs instead.",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.5-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon McVittie <smcv@debian.org>",
                        "date": "Fri, 13 Mar 2026 16:54:09 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update the source using the upstream-generated-tarball",
                            "  * debian/control: Update breaks on old gjs and pygobject.",
                            "    Versions prior to these do not have the fallback code to support the",
                            "    GLib/GLibUnix split",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.3-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 00:24:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release:",
                            "    Upstream has tagged a new release but not produced tarballs yet, due to CI",
                            "    problems. Let's get this (the tagged contents) early in experimental",
                            "    though, so we can start testing it, but using a pre-version so that we can",
                            "    later import the actual 2.87.3 tarball.",
                            "  * d/p: Refresh and drop applied patches",
                            "  * debian/libglib2.0-0t64.symbols: Update symbols",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.3~gitlab0-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 00:48:14 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "git",
                "from_version": {
                    "source_package_name": "git",
                    "source_package_version": "1:2.51.0-1ubuntu1",
                    "version": "1:2.51.0-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "git",
                    "source_package_version": "1:2.53.0-1ubuntu1",
                    "version": "1:2.53.0-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Build diff-highlight in the contrib dir",
                            "    - Don't build-depend on subversion on i386, it is not reasonable to",
                            "      support on the partial arch.",
                            ""
                        ],
                        "package": "git",
                        "version": "1:2.53.0-1ubuntu1",
                        "urgency": "low",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Mon, 02 Mar 2026 18:55:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * new upstream release (see RelNotes/2.52.0.adoc, 2.53.0.adoc).",
                            "  * debian/control: Standards-Version: 4.7.2.  The main relevant",
                            "    change is that packages may not break (but are permitted to",
                            "    error out when asked to display documentation) when manpages",
                            "    are not present; \"git help\" already fulfills this requirement by",
                            "    passing on the message for a missing page from \"man\" to the",
                            "    caller.",
                            ""
                        ],
                        "package": "git",
                        "version": "1:2.53.0-1",
                        "urgency": "low",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Jonathan Nieder <jrnieder@gmail.com>",
                        "date": "Sun, 01 Mar 2026 22:31:10 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "git-man",
                "from_version": {
                    "source_package_name": "git",
                    "source_package_version": "1:2.51.0-1ubuntu1",
                    "version": "1:2.51.0-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "git",
                    "source_package_version": "1:2.53.0-1ubuntu1",
                    "version": "1:2.53.0-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Build diff-highlight in the contrib dir",
                            "    - Don't build-depend on subversion on i386, it is not reasonable to",
                            "      support on the partial arch.",
                            ""
                        ],
                        "package": "git",
                        "version": "1:2.53.0-1ubuntu1",
                        "urgency": "low",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Mon, 02 Mar 2026 18:55:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * new upstream release (see RelNotes/2.52.0.adoc, 2.53.0.adoc).",
                            "  * debian/control: Standards-Version: 4.7.2.  The main relevant",
                            "    change is that packages may not break (but are permitted to",
                            "    error out when asked to display documentation) when manpages",
                            "    are not present; \"git help\" already fulfills this requirement by",
                            "    passing on the message for a missing page from \"man\" to the",
                            "    caller.",
                            ""
                        ],
                        "package": "git",
                        "version": "1:2.53.0-1",
                        "urgency": "low",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Jonathan Nieder <jrnieder@gmail.com>",
                        "date": "Sun, 01 Mar 2026 22:31:10 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "gnu-coreutils",
                "from_version": {
                    "source_package_name": "coreutils",
                    "source_package_version": "9.7-3ubuntu1",
                    "version": "9.7-3ubuntu1"
                },
                "to_version": {
                    "source_package_name": "coreutils",
                    "source_package_version": "9.7-3ubuntu2",
                    "version": "9.7-3ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2137373
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix slow performance of 'du' on large directories (>= 10K files)",
                            "    on Lustre filesystems by skipping inode sorting. The default",
                            "    behaviour of sorting dirents by inode numbers negatively impacts",
                            "    performance on Lustre because it interferes with Lustre's ability",
                            "    to prefetch file metadata via statahead. (LP: #2137373)",
                            "    - d/p/lp2137373-skip-dirent-inode-sorting-for-lustre.patch",
                            ""
                        ],
                        "package": "coreutils",
                        "version": "9.7-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2137373
                        ],
                        "author": "Munir Siddiqui <munir.siddiqui@canonical.com>",
                        "date": "Fri, 23 Jan 2026 18:41:52 +0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "grub-efi-arm",
                "from_version": {
                    "source_package_name": "grub2",
                    "source_package_version": "2.14-2ubuntu1",
                    "version": "2.14-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "grub2",
                    "source_package_version": "2.14-2ubuntu2",
                    "version": "2.14-2ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2142892,
                    2142695
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Handle const generic returns, fixes glibc 2.43 FTBFS (LP: #2142892)",
                            "  * Fix ISO boot on POWER (LP: #2142695)",
                            ""
                        ],
                        "package": "grub2",
                        "version": "2.14-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142892,
                            2142695
                        ],
                        "author": "Mate Kukri <mate.kukri@canonical.com>",
                        "date": "Fri, 06 Mar 2026 14:04:58 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "grub-efi-arm-bin",
                "from_version": {
                    "source_package_name": "grub2",
                    "source_package_version": "2.14-2ubuntu1",
                    "version": "2.14-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "grub2",
                    "source_package_version": "2.14-2ubuntu2",
                    "version": "2.14-2ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2142892,
                    2142695
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Handle const generic returns, fixes glibc 2.43 FTBFS (LP: #2142892)",
                            "  * Fix ISO boot on POWER (LP: #2142695)",
                            ""
                        ],
                        "package": "grub2",
                        "version": "2.14-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142892,
                            2142695
                        ],
                        "author": "Mate Kukri <mate.kukri@canonical.com>",
                        "date": "Fri, 06 Mar 2026 14:04:58 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "grub-efi-arm-unsigned",
                "from_version": {
                    "source_package_name": "grub2",
                    "source_package_version": "2.14-2ubuntu1",
                    "version": "2.14-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "grub2",
                    "source_package_version": "2.14-2ubuntu2",
                    "version": "2.14-2ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2142892,
                    2142695
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Handle const generic returns, fixes glibc 2.43 FTBFS (LP: #2142892)",
                            "  * Fix ISO boot on POWER (LP: #2142695)",
                            ""
                        ],
                        "package": "grub2",
                        "version": "2.14-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142892,
                            2142695
                        ],
                        "author": "Mate Kukri <mate.kukri@canonical.com>",
                        "date": "Fri, 06 Mar 2026 14:04:58 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "grub2-common",
                "from_version": {
                    "source_package_name": "grub2",
                    "source_package_version": "2.14-2ubuntu1",
                    "version": "2.14-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "grub2",
                    "source_package_version": "2.14-2ubuntu2",
                    "version": "2.14-2ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2142892,
                    2142695
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Handle const generic returns, fixes glibc 2.43 FTBFS (LP: #2142892)",
                            "  * Fix ISO boot on POWER (LP: #2142695)",
                            ""
                        ],
                        "package": "grub2",
                        "version": "2.14-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142892,
                            2142695
                        ],
                        "author": "Mate Kukri <mate.kukri@canonical.com>",
                        "date": "Fri, 06 Mar 2026 14:04:58 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "gzip",
                "from_version": {
                    "source_package_name": "gzip",
                    "source_package_version": "1.13-1ubuntu4",
                    "version": "1.13-1ubuntu4"
                },
                "to_version": {
                    "source_package_name": "gzip",
                    "source_package_version": "1.14-1~exp2ubuntu1",
                    "version": "1.14-1~exp2ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2142871,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian experimental (LP: #2142871). Remaining changes:",
                            "    - debian/rules: Enable DFLTCC optimisations on s390x by default.",
                            "  * Dropped changes (fixed upstream):",
                            "    - d/p/0001-maint-fix-s390-buffer-flushes.patch",
                            "    - d/rules: define \"alignas\" to fix FTBFS on s390x",
                            "  * Cherry-pick upstream fixes:",
                            "    - gzip: fix uninitialized read",
                            "    - gzip: fix another uninitialized read",
                            "    - gzip: fix s390x build failure",
                            ""
                        ],
                        "package": "gzip",
                        "version": "1.14-1~exp2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142871
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 18:02:51 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/rules: configure set /bin/sh and grep; autoreconf cleanup",
                            ""
                        ],
                        "package": "gzip",
                        "version": "1.14-1~exp2",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Milan Kupcevic <milan@debian.org>",
                        "date": "Sun, 13 Apr 2025 09:27:04 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * new upstream release",
                            ""
                        ],
                        "package": "gzip",
                        "version": "1.14-1~exp1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Milan Kupcevic <milan@debian.org>",
                        "date": "Sat, 12 Apr 2025 03:18:53 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * new upstream release",
                            "  * d/patches: quilt refresh",
                            "  * d/copyright: update",
                            "  * d/rules: use debhelper leverage",
                            "  * d/control: comply to standards version 4.7.2",
                            "  * d/patches/disable-Werror.patch: drop",
                            ""
                        ],
                        "package": "gzip",
                        "version": "1.13.56~e549-1~exp1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Milan Kupcevic <milan@debian.org>",
                        "date": "Sun, 06 Apr 2025 12:59:34 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "gzip",
                        "version": "1.13-1ubuntu5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:43:37 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ibverbs-providers:armhf",
                "from_version": {
                    "source_package_name": "rdma-core",
                    "source_package_version": "61.0-2ubuntu1",
                    "version": "61.0-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "rdma-core",
                    "source_package_version": "61.0-2ubuntu3",
                    "version": "61.0-2ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2140324
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/providers-mana-no-check-cqid.patch: Patching from upstream's",
                            "    commit for providers/mana: do not check cqid on creation",
                            "    (LP: #2140324).",
                            ""
                        ],
                        "package": "rdma-core",
                        "version": "61.0-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2140324
                        ],
                        "author": "Miriam España Acebal <miriam.espana@canonical.com>",
                        "date": "Wed, 04 Feb 2026 12:56:19 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild with Python 3.14 as default",
                            ""
                        ],
                        "package": "rdma-core",
                        "version": "61.0-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Graham Inggs <ginggs@ubuntu.com>",
                        "date": "Thu, 22 Jan 2026 21:54:05 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "info",
                "from_version": {
                    "source_package_name": "texinfo",
                    "source_package_version": "7.2-5",
                    "version": "7.2-5"
                },
                "to_version": {
                    "source_package_name": "texinfo",
                    "source_package_version": "7.2-5ubuntu2",
                    "version": "7.2-5ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144471,
                    2125808
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Handle comments correctly in update-info-dir (LP: #2144471)",
                            ""
                        ],
                        "package": "texinfo",
                        "version": "7.2-5ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144471
                        ],
                        "author": "Mitchell Augustin <mitchell.augustin@canonical.com>",
                        "date": "Wed, 25 Mar 2026 13:25:03 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Read and export variables instead of sourcing /etc/environment",
                            "    (LP: #2125808)",
                            ""
                        ],
                        "package": "texinfo",
                        "version": "7.2-5ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2125808
                        ],
                        "author": "Mitchell Augustin <mitchell.augustin@canonical.com>",
                        "date": "Wed, 28 Jan 2026 15:57:03 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "initramfs-tools-bin",
                "from_version": {
                    "source_package_name": "initramfs-tools",
                    "source_package_version": "0.150ubuntu7",
                    "version": "0.150ubuntu7"
                },
                "to_version": {
                    "source_package_name": "initramfs-tools",
                    "source_package_version": "0.150ubuntu8",
                    "version": "0.150ubuntu8"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2142121
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/t/run-qemu: fix arm64 tests failure because of cpu=max",
                            "    (LP: #2142121)",
                            ""
                        ],
                        "package": "initramfs-tools",
                        "version": "0.150ubuntu8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142121
                        ],
                        "author": "Hector Cao <hector.cao@canonical.com>",
                        "date": "Fri, 27 Feb 2026 11:57:35 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "initramfs-tools-core",
                "from_version": {
                    "source_package_name": "initramfs-tools",
                    "source_package_version": "0.150ubuntu7",
                    "version": "0.150ubuntu7"
                },
                "to_version": {
                    "source_package_name": "initramfs-tools",
                    "source_package_version": "0.150ubuntu8",
                    "version": "0.150ubuntu8"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2142121
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/t/run-qemu: fix arm64 tests failure because of cpu=max",
                            "    (LP: #2142121)",
                            ""
                        ],
                        "package": "initramfs-tools",
                        "version": "0.150ubuntu8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142121
                        ],
                        "author": "Hector Cao <hector.cao@canonical.com>",
                        "date": "Fri, 27 Feb 2026 11:57:35 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "install-info",
                "from_version": {
                    "source_package_name": "texinfo",
                    "source_package_version": "7.2-5",
                    "version": "7.2-5"
                },
                "to_version": {
                    "source_package_name": "texinfo",
                    "source_package_version": "7.2-5ubuntu2",
                    "version": "7.2-5ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144471,
                    2125808
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Handle comments correctly in update-info-dir (LP: #2144471)",
                            ""
                        ],
                        "package": "texinfo",
                        "version": "7.2-5ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144471
                        ],
                        "author": "Mitchell Augustin <mitchell.augustin@canonical.com>",
                        "date": "Wed, 25 Mar 2026 13:25:03 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Read and export variables instead of sourcing /etc/environment",
                            "    (LP: #2125808)",
                            ""
                        ],
                        "package": "texinfo",
                        "version": "7.2-5ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2125808
                        ],
                        "author": "Mitchell Augustin <mitchell.augustin@canonical.com>",
                        "date": "Wed, 28 Jan 2026 15:57:03 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "keyboard-configuration",
                "from_version": {
                    "source_package_name": "console-setup",
                    "source_package_version": "1.237ubuntu1",
                    "version": "1.237ubuntu1"
                },
                "to_version": {
                    "source_package_name": "console-setup",
                    "source_package_version": "1.237ubuntu3",
                    "version": "1.237ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * Keyboard/kbdcompiler: Fix checking ckbcomp success.",
                            "  * Keyboard/ckbcomp: Support symbols = [...].",
                            ""
                        ],
                        "package": "console-setup",
                        "version": "1.237ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Timo Aaltonen <tjaalton@debian.org>",
                        "date": "Mon, 02 Mar 2026 16:21:56 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "console-setup",
                        "version": "1.237ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:24:29 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "kpartx",
                "from_version": {
                    "source_package_name": "multipath-tools",
                    "source_package_version": "0.12.0-1ubuntu2",
                    "version": "0.12.0-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "multipath-tools",
                    "source_package_version": "0.14.3-2ubuntu1",
                    "version": "0.14.3-2ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144005,
                    2135118,
                    2080474,
                    2142903
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2144005). Remaining changes:",
                            "    - d/rules: don't build the multipath-tools binary package on i386; only kpartx.",
                            "    - d/p/enable-find-multipaths.patch: re-enable find_multipaths by",
                            "      default -- see the removed 'add_find-multipaths.patch' (LP 1463046)",
                            "    - d/NEWS: add removal of kpartx-boot package",
                            "    - d/rules: remove -Bsymbolic-functions from LDFLAGS",
                            "    - d/rules: install friendly names multipath.conf by default",
                            "    - d/initramfs/scripts/init-top: ensure the bindings file exists before",
                            "      calling multipathd -B in the initramfs. This prevents multipathd -B from",
                            "      failing and exiting immediately (LP #2120444).",
                            "    - d/p/testsuite-no-lto: disable lto to workaround testsuite symbol wrapping",
                            "      (LP #2135118)",
                            "  * Dropped changes:",
                            "    - d/p/multipath-tools-Fix-ISO-C23-errors-with-strchr:",
                            "      Fix ISO C23 errors with strchr()",
                            "      [upstream in 0.14.0]",
                            "    - d/{rules,control}: enable testsuite (LP #2135118)",
                            "      [in 0.14.3-1]",
                            "    - d/initramfs: move the script stopping multipathd to init-bottom",
                            "      [in 0.13.0-1]",
                            "    - d/t/initramfs",
                            "      + determine extracted main cpio path dynamically",
                            "      + drop determine extracted main cpio path dynamically",
                            "      [cancel each other out]",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.14.3-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144005
                        ],
                        "author": "Jonas Jelten <jj@ubuntu.com>",
                        "date": "Mon, 16 Mar 2026 18:17:43 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [9ef22a2] Run testsuite only during Arch-builds",
                            "  * [2a6ef4b] Disable testsuite on loong64",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.14.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Mon, 02 Mar 2026 11:49:26 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Jonas Jelten ]",
                            "  * [d6c9eba] Enable testsuite (LP: #2135118)",
                            "",
                            "  [ Chris Hofstaedtler ]",
                            "  * [5c1230c] New upstream version 0.14.3 (Closes: #1128696)",
                            "  * [6e2361a] Rebase patches, use WARN_ONLY=1 in make invocation",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.14.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2135118
                        ],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Mon, 02 Mar 2026 10:37:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [c8842fd] New upstream version 0.13.0",
                            "  * [6951eae] d/rules: enable verbose upstream build",
                            "  * [3d82dad] initramfs: stop multipathd in init-bottom, not local-bottom.",
                            "    Ubuntu noticed that local-* scripts are not executed on systems with",
                            "    disks on network. (LP: #2080474)",
                            "  * [fc4b508] d/t/control: add linux-image-generic for Ubuntu",
                            "  * [1df3a76] d/libmpathpersist0.symbols: tighten internal symbols",
                            "  * [6aff684] initramfs: stop requesting old dmsetup_env hack",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.13.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2080474
                        ],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Sat, 20 Dec 2025 14:16:27 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/t/initramfs: drop determine extracted main cpio path dynamically",
                            "  * multipath-tools: Fix ISO C23 errors with strchr() (LP: #2142903)",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.12.0-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142903
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 02 Mar 2026 16:48:20 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "krb5-locales",
                "from_version": {
                    "source_package_name": "krb5",
                    "source_package_version": "1.22.1-2",
                    "version": "1.22.1-2"
                },
                "to_version": {
                    "source_package_name": "krb5",
                    "source_package_version": "1.22.1-2ubuntu4",
                    "version": "1.22.1-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144909,
                    2142893,
                    2142451,
                    2037321
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/default-enctype-list.patch: do not default to weak encryption",
                            "    algorithms (LP: #2144909)",
                            "  * d/NEWS: explain weak algorithms are no longer default options",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144909
                        ],
                        "author": "Athos Ribeiro <athos@ubuntu.com>",
                        "date": "Thu, 19 Mar 2026 10:48:16 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/fix-strchr-conformance-to-c23.patch: Fix FTBFS with glibc2.43",
                            "    (LP: #2142893)",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142893
                        ],
                        "author": "Guilherme Puida Moreira <guilherme.moreira@canonical.com>",
                        "date": "Wed, 04 Mar 2026 10:15:11 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix FTBFS test t_otp.py (LP: #2142451):",
                            "    - d/p/set-fork-start-method-t-otpy.patch: Python 3.14 changes the default",
                            "      start method of multiprocessing to 'forkserver'. This introduces issues",
                            "      in the test t_otp.py that does not use a main block. Set the start",
                            "      method to force 'fork' instead.",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142451
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Mon, 23 Feb 2026 11:02:32 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add autopkgtest for includedir-ordering (LP: #2037321):",
                            "    - d/tests/includedir-ordering: Add new test.",
                            "    - d/tests/kinit: Create /etc/krb5.conf.d/ directory if it doesn't exist.",
                            "    - d/tests/util: Prepend includedir /etc/krb5.conf.d/ for the configuration",
                            "      file created in create_realm.",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2037321
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Thu, 12 Feb 2026 16:15:24 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "landscape-common",
                "from_version": {
                    "source_package_name": "landscape-client",
                    "source_package_version": "24.12-0ubuntu5",
                    "version": "24.12-0ubuntu5"
                },
                "to_version": {
                    "source_package_name": "landscape-client",
                    "source_package_version": "26.02.2-0ubuntu1",
                    "version": "26.02.2-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2145021,
                    2144674,
                    1754002
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release 26.02.2",
                            "    - fix: restore tests for amd64v3 (LP: #2145021)",
                            "    - fix: add deterministic sub-process generation for flaky tests",
                            "  * d/p/fix-ubuntu-release-upgrader-log.patch: correct string formatting error",
                            ""
                        ],
                        "package": "landscape-client",
                        "version": "26.02.2-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2145021
                        ],
                        "author": "Joey Mucci <joseph.mucci@canonical.com>",
                        "date": "Fri, 20 Mar 2026 14:10:13 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release 26.02.1 (LP: #2144674)",
                            "    - d/patches: refresh patches that have not been applied upstream",
                            "      - fix-landscape-client-manpage.patch",
                            "    - d/patches: remove patches that have been applied upstream",
                            "      - 2087852-feat-manage-ubuntu-sources-glob.patch",
                            "      - allow-http-proxy-in-tests.patch",
                            "      - fix-apt-source-file-management.patch",
                            "      - package-reporter-high-cpu.patch",
                            "      - unittest-makeSuite-deprecation.patch",
                            "    - fix: restore functionality and tests for python 3.14",
                            "    - feat: add FDE recovery key manager plugin",
                            "    - fix: package changer uses proxy when configured",
                            "    - refactor: Revert addition of `--ssl-ca` flag",
                            "    - fix: Move WSL config options out of unsaved_options",
                            "    - fix: landscape-config reads deprecated ssl_public_key field",
                            "    - refactor: clean up bpickle dumps",
                            "    - fix: don't explicitly make root owner of the executables",
                            "    - refactor: move uaclient integration test out of landscape directory",
                            "    - refactor: remove last instance of ssl_public_key",
                            "    - build: remove git suffix for packaging",
                            "    - fix: example.conf pro management plugin",
                            "    - Bug fix: add id for devmode snaps for server indexing",
                            "    - feat: add weekly integration testing for uaclient/pro",
                            "    - fix: add python3-packaging dependency to landscape-client",
                            "    - fix: uaclient wrapper with snap and core devices",
                            "    - fix: make improvements to landscape-config --show",
                            "    - feat: activity to detach pro",
                            "    - feat: activity for attaching pro",
                            "    - feat: add --show argument to landscape-config",
                            "    - fix: Add deprecation warning for --is-registered in landscape-client",
                            "    - refactor: add wrapper for uaclient library calls",
                            "    - fix: rename ssl-public-key parameter",
                            "    - build: add python3-packaging to build dependencies and fix test cases for build",
                            "    - Add setuptools, remove setup and fix paths in Snapcraft.yaml",
                            "    - fix: imports for snap/core devices",
                            "    - refactor: change ubuntu pro info to use `uaclient.status` instead of subprocess",
                            "    - fix: bump codecov upload version and use secret token",
                            "    - refactor: do not cast to list when not needed",
                            "    - feat: add --script-tempdir configuration",
                            "    - fix: use machine_id in registration message schema",
                            "    - feat: add machine-id to registration and computer info",
                            "    - refactor: cleanup string continuations",
                            "    - refactor: remove obsolete user message schemas",
                            "    - refactor: remove obsolete register-* message schemas",
                            "    - refactor: remove obsolete hardware-inventory message schema",
                            "    - refactor: remove obsolete computer-uptime message schema",
                            "    - refactor: remove obsolete client-uptime message schema",
                            "    - refactor: delete unused eucalyptus message schema",
                            "    - feat: unknown hashes per request is configurable",
                            "    - refactor: delete `landscape/lib/compat.py`",
                            "    - feat: log pending message count",
                            "    - feat: configurably exclude package sources",
                            "    - fix: invalid plugins do not crash landscape-sysinfo (LP: #1754002)",
                            "    - fix: .list and .sources files are restored when a repository profile is disassociated from a noble (or later) instance",
                            "    - fix: usgmanager should accept only the profile or the tailoring file",
                            "    - fix: ensure usgmanager plugin runs in deferred",
                            "    - feat: add usgmanager plugin to example.conf",
                            "    - fix: add run-id and operation-id fields to usg-audit message",
                            "    - fix: make config tests insensitive to http(s) proxy settings",
                            "    - fix: remove deprecated use of `unittest.makeSuite` to get tests passing on >=py312",
                            "    - feat: add optional --authenticated-attach-code to configuration parameters",
                            "    - feat: add authenticated attach code to registration message",
                            "    - refactor: stop using twisted.python.compat",
                            "    - feat: add support for .sources when applying repository profiles",
                            "    - fix: log rotation in snap",
                            "    - fix: removed snapd-control-managed from snapcraft.yaml apps stanza",
                            "    - fix: lint failure E226 - missing arithmetic whitespace",
                            ""
                        ],
                        "package": "landscape-client",
                        "version": "26.02.1-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144674,
                            1754002
                        ],
                        "author": "Joey Mucci <joseph.mucci@canonical.com>",
                        "date": "Thu, 05 Feb 2026 17:38:31 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libapparmor1:armhf",
                "from_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "5.0.0~alpha1-0ubuntu11",
                    "version": "5.0.0~alpha1-0ubuntu11"
                },
                "to_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "5.0.0~beta1-0ubuntu5",
                    "version": "5.0.0~beta1-0ubuntu5"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-9615",
                        "url": "https://ubuntu.com/security/CVE-2025-9615",
                        "cve_description": "A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-26 20:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2144679,
                    2137395,
                    2143810,
                    2142788,
                    2142885
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add patches for network iface mediation in the parser (LP: #2144679):",
                            "    - d/p/u/0001-parser-add-more-reserved-mediation-classes.patch",
                            "    - d/p/u/0002-parser-convert-conditionals-operators-to-an-enum.patch",
                            "    - d/p/u/0003-parser-add-override-assign-to-cond-list-elements.patch",
                            "    - d/p/u/0004-parser-support-network-interface-conditional.patch",
                            "    - d/p/u/0005-tests-add-network-interface-tests.patch",
                            "  * debian/control: add socat test dependency to Build-Depends",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "5.0.0~beta1-0ubuntu5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144679
                        ],
                        "author": "Ryan Lee <ryan.lee@canonical.com>",
                        "date": "Thu, 19 Mar 2026 08:46:13 -0700"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add patch from upstream to fix transmission (LP: #2137395)",
                            "    - d/p/u/transmission-common-fixes-for-lp-2137395.patch",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "5.0.0~beta1-0ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2137395
                        ],
                        "author": "Alex Murray <murray.alex@gmail.com>",
                        "date": "Wed, 18 Mar 2026 23:02:41 +1030"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-9615",
                                "url": "https://ubuntu.com/security/CVE-2025-9615",
                                "cve_description": "A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-26 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Add patch to fix openvpn loading of NetworkManager copied certificates",
                            "    after CVE-2025-9615 fix (LP: #2143810):",
                            "    - d/p/u/openvpn_networkmanager_rundir.patch",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "5.0.0~beta1-0ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143810
                        ],
                        "author": "Ryan Lee <ryan.lee@canonical.com>",
                        "date": "Wed, 11 Mar 2026 11:33:40 -0700"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add patch to fix libapparmor Python aa_get_lsm_iface binding",
                            "    (LP: #2142788):",
                            "    - d/p/u/libapparmor-move-aa_get_lsm_iface-decl-in-libapparmor.patch",
                            "  * Add patches to fix parser tempfile umask (LP: #2142885):",
                            "    - d/p/u/0001-parser-set-umask-before-creating-temp-file.patch",
                            "    - d/p/u/0002-parser-restrict-umask-to-allow-only-user-permissions.patch",
                            "  * Add test for libapparmor feature prefix parse issue (LP 2105986):",
                            "    - d/p/u/libapparmor-add-test-for-libapparmor-features-prefix.patch",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "5.0.0~beta1-0ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142788,
                            2142885
                        ],
                        "author": "Ryan Lee <ryan.lee@canonical.com>",
                        "date": "Fri, 27 Feb 2026 09:48:42 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/tests: Update libreoffice profile names",
                            "",
                            "  [ Ryan Lee ]",
                            "  * New upstream release.",
                            "  * debian/control: add libzstd-dev to list of dependencies",
                            "  * debian/libapparmor1.symbols: Add new libapparmor symbols to file",
                            "  * Refresh patches to apply to new release:",
                            "    - d/p/u/communitheme-snap-support.patch",
                            "    - d/p/u/profiles-grant-access-to-systemd-resolved.patch",
                            "  * Drop patches that were superseded upstream:",
                            "    - d/p/u/parser-fix-pam_apparmor-regression-test-failures.patch",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "5.0.0~beta1-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Ryan Lee <ryan.lee@canonical.com>",
                        "date": "Thu, 19 Feb 2026 09:57:16 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Update patches to apply to new release:",
                            "    - d/p/d/Enable-writing-cache.patch",
                            "    - d/p/u/Move-the-bwrap-userns-restrict-profile-out-of-extras.patch",
                            "    - d/p/u/delete-the-busybox-and-nautilus-profiles.patch",
                            "    - d/p/u/profiles_remove_hwctl.patch",
                            "    - d/p/u/profiles_disable_free.patch",
                            "    - d/p/u/profiles_disable_curl.patch",
                            "    - d/p/u/profiles_add_more_consoles_workaround.patch",
                            "    - d/p/u/profiles-use-coreutils-tunable.patch",
                            "  * Refresh patches to apply to new release:",
                            "    - d/p/u/parser-fix-pam_apparmor-regression-test-failures.patch",
                            "    - d/p/u/aa-notify-userns-filtering.patch",
                            "    - d/p/u/aa-notify-fallback-to-ev-comm-when-ev-execpath.patch",
                            "  * Drop patches that were applied upstream:",
                            "    - d/p/u/userns-runtime-disable.patch",
                            "    - d/p/u/userns-runtime-disable-fix-for-6_14.patch",
                            "    - d/p/u/parser-fix-variable-expansion.patch",
                            "    - d/p/u/nss-systemd-grant-access-to-gdm-user-db.patch",
                            "    - d/p/u/parser-fix-misc-leaks.patch",
                            "    - d/p/u/parser-fix-more-parser-leaks.patch",
                            "    - d/p/u/curl_read_tmp.patch",
                            "    - d/p/u/curl_access_snapd_socket.patch",
                            "    - d/p/u/unix_chkpwd_authd.patch",
                            "    - d/p/u/profiles_dig_add_abstractions_consoles.patch",
                            "    - d/p/u/profiles_fix_systemd_detect_virt_new_denials.patch",
                            "    - d/p/u/profiles_expand_libnuma_abstraction",
                            "    - d/p/u/regression_disconnected_mount_complain_danglings.patch",
                            "    - d/p/u/regression_disconnected_mount_complain_fix_6_15.patch",
                            "    - d/p/u/utils_test_aa_show_usage_handle_disabled.patch",
                            "    - d/p/u/profiles-add-rules-for-pam-extrausers.so-to-unix-chkpwd.patch",
                            "    - d/p/u/parser_libapparmor_re_fix_inconsistent_build.patch",
                            "    - d/p/u/parser_libapparmor_re_fix_implied_m.patch",
                            "    - d/p/u/0001-tests-regression-Update-socketpair-test-for-upstream.patch",
                            "    - d/p/u/0002-tests-regression-update-socketpair-tests-to-detect-d.patch",
                            "    - d/p/u/0003-tests-regression-update-socketpair-tests-to-detect-d.patch",
                            "    - d/p/u/0004-tests-regressions-Improve-output-of-require_any_of_k.patch",
                            "    - d/p/u/0005-tests-regression-update-network-requirements-for-v9.patch",
                            "    - d/p/u/0006-regression-tests-update-logic-to-support-v9-af_unix-.patch",
                            "    - d/p/u/0007-tests-regressions-Fix-socket-pair-for-v7-semantics.patch",
                            "    - d/p/u/parser-fix-unix-addresses-with-alternations.patch",
                            "    - d/p/u/profiles-add-rules-to-fix-flatpaks-with-fuse3-17.patch",
                            "    - d/p/u/profiles-grant-netrc-read-access-to-tnftp.patch",
                            "    - d/p/u/profiles-systemd-detect-virt-handle-device-tree-folder.patch",
                            "    - d/p/u/lsblk_read_access_azure_acpi.patch",
                            "    - d/p/u/regression-fix-for-rust-coreutils.patch",
                            "    - d/p/u/utils-remove-global-_-from-aa-notify-main.patch",
                            "    - d/p/u/0001-libapparmor-change-setup.py-to-remove-the-need-for-_.patch",
                            "    - d/p/u/0002-libapparmor-remove-__init__.py-not-needed-for-SWIG-P.patch",
                            "    - d/p/u/utils-test-use-sys.executable-when-launching-aa-show.patch",
                            "  * d/apparmor.install, d/not-installed: account for new location",
                            "    of init scripts",
                            "  * d/rules:",
                            "    - account for new location of init scripts",
                            "    - specify LD_LIBRARY_PATH during testing to use locally built",
                            "      libapparmor for libapparmor.so",
                            "  * d/watch: point towards GitLab tarballs instead and update regexes",
                            "  * debian/apparmor-profiles.install: account for remmina profile being",
                            "    moved to extra-profiles upstream",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "5.0.0~alpha6-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Ryan Lee <ryan.lee@canonical.com>",
                        "date": "Mon, 09 Feb 2026 11:15:02 -0800"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libatomic1:armhf",
                "from_version": {
                    "source_package_name": "gcc-16",
                    "source_package_version": "16-20260217-1ubuntu2",
                    "version": "16-20260217-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "gcc-16",
                    "source_package_version": "16-20260315-1ubuntu1",
                    "version": "16-20260315-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Build from upstream sources.",
                            "    - Work-around the 80GB chroot size on the Ubuntu buildds.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260315-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 15 Mar 2026 13:22:54 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260315).",
                            "  * Pass configure flags for libgcobol cross builds.",
                            "  * For backports, require binutils (>= 2.40) on riscv64.",
                            "  * libga68-dev: Depend on libgc-dev. Closes: #1130580.",
                            "  * Fix PR ada/107475 also for armhf and s390x.",
                            "  * Disable dwz on alpha, see PR dwz/33990.",
                            "  * Refresh patches.",
                            "  * Update libgcc-s, libcc1, lib*asan, liblsan, libtsan and libgcobol",
                            "    symbol files.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260315-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sun, 15 Mar 2026 13:17:23 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260308).",
                            "  * On riscv64, default again to RVA23.",
                            "  * Disable bootstrap build on riscv64 entirely for a quick build.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260308-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 08 Mar 2026 09:49:05 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260308).",
                            "  * Refresh cross-installation-location patch.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260308-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sun, 08 Mar 2026 09:34:40 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260307).",
                            "  * libsanitizer/TSan: Fix determining static TLS blocks. Addresses: #1126312.",
                            "  * Refresh patches.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260307-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sat, 07 Mar 2026 09:07:18 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260226).",
                            "  * On riscv64, default again to RVA23.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260226-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 06:09:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260226). Also closes: #1128648.",
                            "  * Disable again profiled+lto build on armhf.",
                            "  * Fix s390x backport builds.",
                            "  * Disable dwz on riscv64, see https://sourceware.org/bugzilla/show_bug.cgi?id=33929.",
                            "  * Disable profiled+lto build. See https://gcc.gnu.org/PR124238.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260226-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Thu, 26 Feb 2026 06:00:27 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libattr1:armhf",
                "from_version": {
                    "source_package_name": "attr",
                    "source_package_version": "1:2.5.2-3build2",
                    "version": "1:2.5.2-3build2"
                },
                "to_version": {
                    "source_package_name": "attr",
                    "source_package_version": "1:2.5.2-4",
                    "version": "1:2.5.2-4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Remove «Rules-Requires-Root: no», which is the current default.",
                            "  * Remove «Priority: optional», which is the current default.",
                            "  * Switch to debian/watch version 5.",
                            "  * Add spaces around make assignment operators to distinguish from shell ones.",
                            "  * Switch to Standards-Version 4.7.3 (no changes needed).",
                            ""
                        ],
                        "package": "attr",
                        "version": "1:2.5.2-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Sun, 15 Feb 2026 14:26:01 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libaudit-common",
                "from_version": {
                    "source_package_name": "audit",
                    "source_package_version": "1:4.1.2-1",
                    "version": "1:4.1.2-1"
                },
                "to_version": {
                    "source_package_name": "audit",
                    "source_package_version": "1:4.1.2-1build1",
                    "version": "1:4.1.2-1build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "audit",
                        "version": "1:4.1.2-1build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:17:14 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libaudit1:armhf",
                "from_version": {
                    "source_package_name": "audit",
                    "source_package_version": "1:4.1.2-1",
                    "version": "1:4.1.2-1"
                },
                "to_version": {
                    "source_package_name": "audit",
                    "source_package_version": "1:4.1.2-1build1",
                    "version": "1:4.1.2-1build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "audit",
                        "version": "1:4.1.2-1build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:17:14 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libblkid1:armhf",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.2-4ubuntu3",
                    "version": "2.41.2-4ubuntu3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.3-3ubuntu2",
                    "version": "2.41.3-3ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142050
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ubuntu/su-pty-drop-caps.patch: harden 'su --pty' to temporarily lower",
                            "    capabilities while proxying between stdin/stdout and the pty master. This",
                            "    is to avoid su from being used to exploit kernel vulnerabilities.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:09:23 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142050). Remaining changes:",
                            "    - Add sulogin-fallback-static-sh.patch",
                            "      Add support for /bin/static-sh as fallback if the regular shell fails to",
                            "      execute. Patch ported from sysvinit. (see LP #505887)",
                            "    - Add sulogin-lockedpwd.patch",
                            "      Make sure file systems can be fixed on machines with locked root",
                            "      accounts (as Ubuntu does by default). Don't require --force for sulogin.",
                            "    - d/rules: disable libmount mountfs support",
                            "      Disable brand new feature with --disable-libmount-mountfd-support that",
                            "      causes inability to deploy MAAS LP #2037417.",
                            "  * Dropped changes applied upstream:",
                            "    - SECURITY UPDATE: heap overread with 256-byte usernames",
                            "      + debian/patches/CVE-2025-14104-1.patch: add length check in",
                            "        login-utils/setpwnam.c.",
                            "      + debian/patches/CVE-2025-14104-2.patch: update buflen in",
                            "        login-utils/setpwnam.c.",
                            "      + CVE-2025-14104",
                            "  * Dropped changes as they were no longer necessary:",
                            "    - d/p/ubuntu/lp-2030793-make-check-pidfd.patch",
                            "      This patch only affected kernel versions below 5.15 which are not",
                            "      available on resolute.",
                            "    - d/p/u/lp-2112552-tests-mark-mkfds-multiplexing-as-known-fail.patch",
                            "      The underlying bug was addressed in rust-coreutils.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142050
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Sun, 15 Feb 2026 17:43:12 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/libsmartcols1.symbols: drop terminal crap",
                            "  * d/rules: make dpkg-gensymbols more strict",
                            "  * lintian: ignore groff-message tags",
                            "  * lintian: ignore groff-message tags in remaining packages",
                            "  * Add upstream patches",
                            "    * unshare: fix user namespace bind mounts",
                            "    * unshare: remove get_mnt_ino() check in bind_ns_files_from_child()",
                            "    * unshare: add --owner to set user namespace owner uid and gid",
                            "    * libfdisk: modernize ZFS GPT type description",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 31 Dec 2025 13:06:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * util-linux: do not fail postinst/prerm if update-alternatives is missing",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 17 Dec 2025 10:42:28 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Stop installing lastlog2-import.service",
                            "  * New upstream release, fixing CVE-2025-14104. (Closes: #1122058)",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Tue, 16 Dec 2025 20:37:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libbpf1:armhf",
                "from_version": {
                    "source_package_name": "libbpf",
                    "source_package_version": "1.6.2-1build1",
                    "version": "1:1.6.2-1build1"
                },
                "to_version": {
                    "source_package_name": "libbpf",
                    "source_package_version": "1.6.3-1ubuntu1",
                    "version": "1:1.6.3-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144319
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * libbpf: Remove extern declaration of bpf_stream_vprintk()",
                            "    (LP: #2144319)",
                            ""
                        ],
                        "package": "libbpf",
                        "version": "1.6.3-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144319
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Mon, 16 Mar 2026 09:58:10 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to unstable.",
                            ""
                        ],
                        "package": "libbpf",
                        "version": "1.6.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sudip Mukherjee <sudipm.mukherjee@gmail.com>",
                        "date": "Sat, 14 Mar 2026 12:55:31 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 1.6.3",
                            "  * Update Standards-Version to 4.7.3",
                            ""
                        ],
                        "package": "libbpf",
                        "version": "1.6.3-1~exp1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Sudip Mukherjee <sudipm.mukherjee@gmail.com>",
                        "date": "Mon, 23 Feb 2026 20:05:40 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libbpfcc:armhf",
                "from_version": {
                    "source_package_name": "bpfcc",
                    "source_package_version": "0.35.0+ds-1ubuntu1",
                    "version": "0.35.0+ds-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "bpfcc",
                    "source_package_version": "0.35.0+ds-1ubuntu2",
                    "version": "0.35.0+ds-1ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to build with LLVM 21 on amd64v3.",
                            ""
                        ],
                        "package": "bpfcc",
                        "version": "0.35.0+ds-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Mon, 16 Mar 2026 12:30:24 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libbrotli1:armhf",
                "from_version": {
                    "source_package_name": "brotli",
                    "source_package_version": "1.2.0-3",
                    "version": "1.2.0-3"
                },
                "to_version": {
                    "source_package_name": "brotli",
                    "source_package_version": "1.2.0-3build1",
                    "version": "1.2.0-3build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "brotli",
                        "version": "1.2.0-3build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:01:44 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libc-bin",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.42-2ubuntu5",
                    "version": "2.42-2ubuntu5"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.43-2ubuntu1",
                    "version": "2.43-2ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-15281",
                        "url": "https://ubuntu.com/security/CVE-2025-15281",
                        "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0861",
                        "url": "https://ubuntu.com/security/CVE-2026-0861",
                        "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.  Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument.  This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.  Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice.  An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-14 21:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0915",
                        "url": "https://ubuntu.com/security/CVE-2026-0915",
                        "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-15 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2143767,
                    2138256,
                    2142067
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian experimental (LP: #2143767)",
                            "    Delta dropped:",
                            "    - Don't strip ld.so on armhf. LP #1927192.",
                            "    - Enable systemtap support, which is currently disabled in Debian.",
                            "    - Fix gconv regression on i386",
                            "    - Stop building with --enable-sframe for now.",
                            "    - s390x: drop the 32-bit multi-arch variant (LP #2067350)",
                            "  * Fixed upstream:",
                            "    - NPTL: Optimize trylock for high cache contention workloads (LP: #2138256) ",
                            "  * Update from upstream:",
                            "    - Don't include <bits/openat2.h> directly",
                            "    - po: Incorporate translations (nl updated, ar new)",
                            "  * d/watch: modernize watchfile delta to v5",
                            "  * Fix broken ldconfig, static-pie binary on riscv64",
                            "    Revert RVV memset variant patch. (LP: #2142067)",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143767,
                            2138256,
                            2142067
                        ],
                        "author": "Simon Poirier <simon.poirier@canonical.com>",
                        "date": "Tue, 17 Feb 2026 16:52:35 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/testsuite-xfail-debian.mk: Update hurd results.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-2",
                        "urgency": "medium",
                        "distributions": "UNRELEASED",
                        "launchpad_bugs_fixed": [],
                        "author": "Samuel Thibault <sthibault@debian.org>",
                        "date": "Fri, 30 Jan 2026 01:41:14 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * New upstream release:",
                            "    - debian/copyright: update following upstream changes.",
                            "    - debian/symbols.wildcards: add 2.43.",
                            "    - debian/patches/git-updates.diff: update from upstream stable branch.",
                            "    - debian/patches/hurd-i386/local-enable-ldconfig.diff: rebased.",
                            "    - debian/patches/hurd-i386/git-sigreturn-SEGV.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-rlimit-as.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-run-iconv-test.sh.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-elf-ordering.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-rename.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-signal-SSE-MMX.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-sigreturn-xmm.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-cancel-stack.diff: upstreamed.",
                            "    - debian/patches/i386/unsubmitted-quiet-ldconfig.diff: rebased.",
                            "    - debian/patches/any/local-asserth-decls.diff: rebased.",
                            "    - debian/patches/any/local-tcsetaddr.diff: rebased.",
                            "    - debian/patches/any/submitted-nptl-invalid-td.patch: drop, obsolete.",
                            "    - debian/patches/any/git-ldd-set-u.diff: upstreamed.",
                            "    - debian/patches/any/git-linux-termios.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/submitted-net.diff: rebased.",
                            "    - debian/patches/hurd-i386/tg-bits_atomic.h_multiple_threads.diff: drop,",
                            "      obsolete.",
                            "    - debian/patches/hurd-i386/local-clock_gettime_MONOTONIC.diff: rebased.",
                            "    - debian/patches/hurd-i386/local-fix-nss.diff: rebased.",
                            "    - debian/libc0.3.symbols.hurd-i386: update following the move of symbols",
                            "      from libpthread.so.0.3 to libc.so.0.3.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Wed, 28 Jan 2026 22:35:15 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/testsuite-xfail-debian.mk: ignore new tst-pie-bss-static issue on",
                            "    hurd for now.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control: regenerate.  Closes: #1127589.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-13",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Tue, 10 Feb 2026 18:54:23 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/git-fork-gdb.diff: Fix gdb after fork.",
                            "  * debian/patches/hurd-i386/local-execstack.diff: Drop, fixed in binutils.",
                            "  * debian/patches/hurd-i386/git-sig-sig-mmx-fix.diff: Fix mmx corruption on",
                            "    double-signal.",
                            "  * debian/patches/hurd-i386/local-intr-msg-clobber.diff: Drop, now fixed.",
                            "  * debian/patches/hurd-i386/git-cancel-sig.diff: Fix cancellation points in",
                            "    signals during cancellation points.",
                            "  * debian/testsuite-xfail-debian.mk: Update accordingly.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control.in/*, debian/glibc-source.filelist,",
                            "    debian/libc6-s390.symbols.s390x, debian/rules.d/control.mk,",
                            "    debian/sysdeps/s390x.mk: stop building a 31-bit multilib flavour on s390x.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-12",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sat, 07 Feb 2026 22:23:34 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-15281",
                                "url": "https://ubuntu.com/security/CVE-2025-15281",
                                "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/local-execstack.diff: Work around missing execstack",
                            "    on libc.so.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch:",
                            "    - Fix bug in wordexp, which could return uninitialized memory when using",
                            "      WRDE_REUSE together with WRDE_APPEND (CVE-2025-15281).  Closes: #1126266.",
                            "    - Switch currency symbol for the bg_BG locale to euro.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-11",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Mon, 26 Jan 2026 23:40:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/sysdeps/{amd64,arm64,i386,x32}.mk: disable SFrame support.  Closes:",
                            "    #1125944.",
                            "  * debian/control.in/{main,libc}: drop versioned Build-Depends and Breaks on",
                            "    binutils 2.45, now pointless.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-10",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Mon, 19 Jan 2026 20:12:24 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/git-cancel-stack.diff: Fix crash on cancellation",
                            "    with unaligned stack.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/rules.d/debhelper.mk: do not strip ld.so on armhf.  Closes:",
                            "    #1125796.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-9",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sun, 18 Jan 2026 11:52:41 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-0861",
                                "url": "https://ubuntu.com/security/CVE-2026-0861",
                                "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.  Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument.  This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.  Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice.  An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-14 21:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0915",
                                "url": "https://ubuntu.com/security/CVE-2026-0915",
                                "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-15 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/testsuite-xfail-debian.mk: Avoid running tst-writev on hurd-amd64.",
                            "  * debian/patches/hurd-i386/git-sigreturn-xmm.diff: Fix sigreturn using xmm",
                            "    registers in the signal contention case.",
                            "  * debian/patches/hurd-i386/local-intr-msg-clobber.diff: Try to re-introduce",
                            "    mmx clobber work-around.",
                            "  * debian/testsuite-xfail-debian.mk: Update hurd results.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/rules.d/build.mk: do not write BUILD_CXX to configparms, it's",
                            "    unused.",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch:",
                            "    - Fix an integer overflow in _int_memalign leading to heap corruption",
                            "      (CVE-2026-0861).  Closes: #1125678.",
                            "    - Fix stack contents leak in getnetbyaddr (CVE-2026-0915).  Closes:",
                            "      #1125748.",
                            "    - Optimize trylock for high cache contention workloads.",
                            "",
                            "  [ Helmut Grohne ]",
                            "  * debian/control.in/main: avoid g++ dependency in nocheck builds.",
                            "  * debian/control.in/main, rules, rules.d/build.mk: don't build nscd in",
                            "    stage2.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-8",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Fri, 16 Jan 2026 21:50:10 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control.in/libc, debian/rules.d/debhelper.mk: drop libcrypt-dev",
                            "    dependency from libc6-dev. Thanks to Helmut Grohne for proposing that,",
                            "    doing an archive rebuild and filing the bug reports.",
                            "  * debian/control.in/main, debian/sysdeps/linux.mk: enable SystemTap static",
                            "    probes.",
                            "  * debian/debhelper.in/libc-dev.NEWS: add a NEWS entry about the removal of",
                            "    the obsolete termio interface.  Closes: #1124068.",
                            "  * debian/rules.d/debhelper.mk: ensure that linker scripts work even when",
                            "    /usr is unmerged.  Closes: #1120508",
                            "  * debian/debhelper.in/libc-dev{,-alt}.lintian-overrides,",
                            "    source/lintian-overrides, rules.d/debhelper.mk, salsa-ci.yml: drop",
                            "    unpack-message-for-{orig,source} overrides, fixed in lintian 2.128.0.",
                            "  * debian/control.in/main: drop Rules-Requires-Root: no, this is now the",
                            "    default.",
                            "  * debian/libc6.symbols.i386, debian/libc6-i386.symbols.{amd64,x32}: remove",
                            "    the workaround for GLIBC_ABI_GNU_TLS.  Closes: #1122038.",
                            "  * debian/control.in/{libc,i386}: ensure that libdpkg-perl is fixed wrt",
                            "    GLIBC_ABI_GNU_TLS.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-7",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sun, 04 Jan 2026 10:07:24 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Benjamin Drung ]",
                            "  * debian/control: add new lines when concatenating files",
                            "  * Update debian/watch to version 5",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/symbols.wildcards: adjust ABI flags version:",
                            "    - Fix corresponding to GLIBC_ABI_DT_X86_64_PLT was first corrected in 2.36",
                            "    - Fix corresponding to GLIBC_ABI_GNU2_TLS was first corrected in 2.40",
                            "  * debian/control.in/libc, debian/control.in/main: remove breaks, conflicts",
                            "    and (build-)depends already satisfied in bookworm.",
                            "  * debian/control.in/amd64, debian/control.in/libc: add a Breaks against",
                            "    binutils (<< 2.45) for builds with sframe support enabled.",
                            "  * debian/control.in/main, debian/rules: build with GCC 15.",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch.",
                            "",
                            "  [ Baptiste Jammet ]",
                            "  * Update French debconf translation.  Closes: #1118006.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-6",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Fri, 12 Dec 2025 18:37:16 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Martin Bagge ]",
                            "  * Update Swedish debconf translation.  Closes: #1121991.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control.in/main: change libc-gconv-modules-extra to Multi-Arch:",
                            "    same as it contains libraries.",
                            "  * debian/libc6.symbols.i386, debian/libc6-i386.symbols.{amd64,x32}: force",
                            "    the minimum libc6 version to >= 2.42, to ensure GLIBC_ABI_GNU_TLS is",
                            "    available, given symbols in .gnu.version_r section are currently not",
                            "    handled by dpkg-shlibdeps.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-5",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sat, 06 Dec 2025 23:02:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to unstable.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Wed, 03 Dec 2025 23:03:48 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/patches/any/git-ldd-set-u.diff: backport fix to allow using",
                            "    set -u on ldd.  Closes: #1114824.",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch.",
                            "  * debian/patches/any/git-linux-termios.diff: backport fix for termios",
                            "    regression with non-standard baud rate.",
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/git-sigreturn-SEGV.diff: catch SIGSEGV on",
                            "    returning from signal handler.",
                            "  * debian/patches/hurd-i386/git-rlimit-as.diff: Support RLIMIT_AS.",
                            "  * debian/patches/hurd-i386/local-aux-pagesz.diff: Fix getauxval(AT_PAGESZ).",
                            "  * debian/patches/hurd-i386/git-run-iconv-test.sh.diff: Fix running iconv",
                            "    tests.",
                            "  * debian/patches/hurd-i386/git-elf-ordering.diff: Fix running ELF ordering",
                            "    tests.",
                            "  * debian/patches/hurd-i386/git-rename.diff: Fix renaming directories with",
                            "    trailing slashes.",
                            "  * debian/patches/hurd-i386/git-signal-SSE-MMX.diff: Fix signals thrashing",
                            "    SSE&MMX state.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-3",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sat, 29 Nov 2025 19:36:10 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libc-gconv-modules-extra:armhf",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.42-2ubuntu5",
                    "version": "2.42-2ubuntu5"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.43-2ubuntu1",
                    "version": "2.43-2ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-15281",
                        "url": "https://ubuntu.com/security/CVE-2025-15281",
                        "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0861",
                        "url": "https://ubuntu.com/security/CVE-2026-0861",
                        "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.  Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument.  This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.  Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice.  An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-14 21:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0915",
                        "url": "https://ubuntu.com/security/CVE-2026-0915",
                        "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-15 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2143767,
                    2138256,
                    2142067
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian experimental (LP: #2143767)",
                            "    Delta dropped:",
                            "    - Don't strip ld.so on armhf. LP #1927192.",
                            "    - Enable systemtap support, which is currently disabled in Debian.",
                            "    - Fix gconv regression on i386",
                            "    - Stop building with --enable-sframe for now.",
                            "    - s390x: drop the 32-bit multi-arch variant (LP #2067350)",
                            "  * Fixed upstream:",
                            "    - NPTL: Optimize trylock for high cache contention workloads (LP: #2138256) ",
                            "  * Update from upstream:",
                            "    - Don't include <bits/openat2.h> directly",
                            "    - po: Incorporate translations (nl updated, ar new)",
                            "  * d/watch: modernize watchfile delta to v5",
                            "  * Fix broken ldconfig, static-pie binary on riscv64",
                            "    Revert RVV memset variant patch. (LP: #2142067)",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143767,
                            2138256,
                            2142067
                        ],
                        "author": "Simon Poirier <simon.poirier@canonical.com>",
                        "date": "Tue, 17 Feb 2026 16:52:35 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/testsuite-xfail-debian.mk: Update hurd results.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-2",
                        "urgency": "medium",
                        "distributions": "UNRELEASED",
                        "launchpad_bugs_fixed": [],
                        "author": "Samuel Thibault <sthibault@debian.org>",
                        "date": "Fri, 30 Jan 2026 01:41:14 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * New upstream release:",
                            "    - debian/copyright: update following upstream changes.",
                            "    - debian/symbols.wildcards: add 2.43.",
                            "    - debian/patches/git-updates.diff: update from upstream stable branch.",
                            "    - debian/patches/hurd-i386/local-enable-ldconfig.diff: rebased.",
                            "    - debian/patches/hurd-i386/git-sigreturn-SEGV.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-rlimit-as.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-run-iconv-test.sh.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-elf-ordering.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-rename.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-signal-SSE-MMX.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-sigreturn-xmm.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-cancel-stack.diff: upstreamed.",
                            "    - debian/patches/i386/unsubmitted-quiet-ldconfig.diff: rebased.",
                            "    - debian/patches/any/local-asserth-decls.diff: rebased.",
                            "    - debian/patches/any/local-tcsetaddr.diff: rebased.",
                            "    - debian/patches/any/submitted-nptl-invalid-td.patch: drop, obsolete.",
                            "    - debian/patches/any/git-ldd-set-u.diff: upstreamed.",
                            "    - debian/patches/any/git-linux-termios.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/submitted-net.diff: rebased.",
                            "    - debian/patches/hurd-i386/tg-bits_atomic.h_multiple_threads.diff: drop,",
                            "      obsolete.",
                            "    - debian/patches/hurd-i386/local-clock_gettime_MONOTONIC.diff: rebased.",
                            "    - debian/patches/hurd-i386/local-fix-nss.diff: rebased.",
                            "    - debian/libc0.3.symbols.hurd-i386: update following the move of symbols",
                            "      from libpthread.so.0.3 to libc.so.0.3.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Wed, 28 Jan 2026 22:35:15 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/testsuite-xfail-debian.mk: ignore new tst-pie-bss-static issue on",
                            "    hurd for now.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control: regenerate.  Closes: #1127589.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-13",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Tue, 10 Feb 2026 18:54:23 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/git-fork-gdb.diff: Fix gdb after fork.",
                            "  * debian/patches/hurd-i386/local-execstack.diff: Drop, fixed in binutils.",
                            "  * debian/patches/hurd-i386/git-sig-sig-mmx-fix.diff: Fix mmx corruption on",
                            "    double-signal.",
                            "  * debian/patches/hurd-i386/local-intr-msg-clobber.diff: Drop, now fixed.",
                            "  * debian/patches/hurd-i386/git-cancel-sig.diff: Fix cancellation points in",
                            "    signals during cancellation points.",
                            "  * debian/testsuite-xfail-debian.mk: Update accordingly.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control.in/*, debian/glibc-source.filelist,",
                            "    debian/libc6-s390.symbols.s390x, debian/rules.d/control.mk,",
                            "    debian/sysdeps/s390x.mk: stop building a 31-bit multilib flavour on s390x.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-12",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sat, 07 Feb 2026 22:23:34 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-15281",
                                "url": "https://ubuntu.com/security/CVE-2025-15281",
                                "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/local-execstack.diff: Work around missing execstack",
                            "    on libc.so.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch:",
                            "    - Fix bug in wordexp, which could return uninitialized memory when using",
                            "      WRDE_REUSE together with WRDE_APPEND (CVE-2025-15281).  Closes: #1126266.",
                            "    - Switch currency symbol for the bg_BG locale to euro.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-11",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Mon, 26 Jan 2026 23:40:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/sysdeps/{amd64,arm64,i386,x32}.mk: disable SFrame support.  Closes:",
                            "    #1125944.",
                            "  * debian/control.in/{main,libc}: drop versioned Build-Depends and Breaks on",
                            "    binutils 2.45, now pointless.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-10",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Mon, 19 Jan 2026 20:12:24 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/git-cancel-stack.diff: Fix crash on cancellation",
                            "    with unaligned stack.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/rules.d/debhelper.mk: do not strip ld.so on armhf.  Closes:",
                            "    #1125796.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-9",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sun, 18 Jan 2026 11:52:41 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-0861",
                                "url": "https://ubuntu.com/security/CVE-2026-0861",
                                "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.  Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument.  This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.  Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice.  An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-14 21:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0915",
                                "url": "https://ubuntu.com/security/CVE-2026-0915",
                                "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-15 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/testsuite-xfail-debian.mk: Avoid running tst-writev on hurd-amd64.",
                            "  * debian/patches/hurd-i386/git-sigreturn-xmm.diff: Fix sigreturn using xmm",
                            "    registers in the signal contention case.",
                            "  * debian/patches/hurd-i386/local-intr-msg-clobber.diff: Try to re-introduce",
                            "    mmx clobber work-around.",
                            "  * debian/testsuite-xfail-debian.mk: Update hurd results.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/rules.d/build.mk: do not write BUILD_CXX to configparms, it's",
                            "    unused.",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch:",
                            "    - Fix an integer overflow in _int_memalign leading to heap corruption",
                            "      (CVE-2026-0861).  Closes: #1125678.",
                            "    - Fix stack contents leak in getnetbyaddr (CVE-2026-0915).  Closes:",
                            "      #1125748.",
                            "    - Optimize trylock for high cache contention workloads.",
                            "",
                            "  [ Helmut Grohne ]",
                            "  * debian/control.in/main: avoid g++ dependency in nocheck builds.",
                            "  * debian/control.in/main, rules, rules.d/build.mk: don't build nscd in",
                            "    stage2.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-8",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Fri, 16 Jan 2026 21:50:10 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control.in/libc, debian/rules.d/debhelper.mk: drop libcrypt-dev",
                            "    dependency from libc6-dev. Thanks to Helmut Grohne for proposing that,",
                            "    doing an archive rebuild and filing the bug reports.",
                            "  * debian/control.in/main, debian/sysdeps/linux.mk: enable SystemTap static",
                            "    probes.",
                            "  * debian/debhelper.in/libc-dev.NEWS: add a NEWS entry about the removal of",
                            "    the obsolete termio interface.  Closes: #1124068.",
                            "  * debian/rules.d/debhelper.mk: ensure that linker scripts work even when",
                            "    /usr is unmerged.  Closes: #1120508",
                            "  * debian/debhelper.in/libc-dev{,-alt}.lintian-overrides,",
                            "    source/lintian-overrides, rules.d/debhelper.mk, salsa-ci.yml: drop",
                            "    unpack-message-for-{orig,source} overrides, fixed in lintian 2.128.0.",
                            "  * debian/control.in/main: drop Rules-Requires-Root: no, this is now the",
                            "    default.",
                            "  * debian/libc6.symbols.i386, debian/libc6-i386.symbols.{amd64,x32}: remove",
                            "    the workaround for GLIBC_ABI_GNU_TLS.  Closes: #1122038.",
                            "  * debian/control.in/{libc,i386}: ensure that libdpkg-perl is fixed wrt",
                            "    GLIBC_ABI_GNU_TLS.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-7",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sun, 04 Jan 2026 10:07:24 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Benjamin Drung ]",
                            "  * debian/control: add new lines when concatenating files",
                            "  * Update debian/watch to version 5",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/symbols.wildcards: adjust ABI flags version:",
                            "    - Fix corresponding to GLIBC_ABI_DT_X86_64_PLT was first corrected in 2.36",
                            "    - Fix corresponding to GLIBC_ABI_GNU2_TLS was first corrected in 2.40",
                            "  * debian/control.in/libc, debian/control.in/main: remove breaks, conflicts",
                            "    and (build-)depends already satisfied in bookworm.",
                            "  * debian/control.in/amd64, debian/control.in/libc: add a Breaks against",
                            "    binutils (<< 2.45) for builds with sframe support enabled.",
                            "  * debian/control.in/main, debian/rules: build with GCC 15.",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch.",
                            "",
                            "  [ Baptiste Jammet ]",
                            "  * Update French debconf translation.  Closes: #1118006.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-6",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Fri, 12 Dec 2025 18:37:16 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Martin Bagge ]",
                            "  * Update Swedish debconf translation.  Closes: #1121991.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control.in/main: change libc-gconv-modules-extra to Multi-Arch:",
                            "    same as it contains libraries.",
                            "  * debian/libc6.symbols.i386, debian/libc6-i386.symbols.{amd64,x32}: force",
                            "    the minimum libc6 version to >= 2.42, to ensure GLIBC_ABI_GNU_TLS is",
                            "    available, given symbols in .gnu.version_r section are currently not",
                            "    handled by dpkg-shlibdeps.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-5",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sat, 06 Dec 2025 23:02:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to unstable.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Wed, 03 Dec 2025 23:03:48 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/patches/any/git-ldd-set-u.diff: backport fix to allow using",
                            "    set -u on ldd.  Closes: #1114824.",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch.",
                            "  * debian/patches/any/git-linux-termios.diff: backport fix for termios",
                            "    regression with non-standard baud rate.",
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/git-sigreturn-SEGV.diff: catch SIGSEGV on",
                            "    returning from signal handler.",
                            "  * debian/patches/hurd-i386/git-rlimit-as.diff: Support RLIMIT_AS.",
                            "  * debian/patches/hurd-i386/local-aux-pagesz.diff: Fix getauxval(AT_PAGESZ).",
                            "  * debian/patches/hurd-i386/git-run-iconv-test.sh.diff: Fix running iconv",
                            "    tests.",
                            "  * debian/patches/hurd-i386/git-elf-ordering.diff: Fix running ELF ordering",
                            "    tests.",
                            "  * debian/patches/hurd-i386/git-rename.diff: Fix renaming directories with",
                            "    trailing slashes.",
                            "  * debian/patches/hurd-i386/git-signal-SSE-MMX.diff: Fix signals thrashing",
                            "    SSE&MMX state.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-3",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sat, 29 Nov 2025 19:36:10 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libc6:armhf",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.42-2ubuntu5",
                    "version": "2.42-2ubuntu5"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.43-2ubuntu1",
                    "version": "2.43-2ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-15281",
                        "url": "https://ubuntu.com/security/CVE-2025-15281",
                        "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0861",
                        "url": "https://ubuntu.com/security/CVE-2026-0861",
                        "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.  Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument.  This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.  Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice.  An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-14 21:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0915",
                        "url": "https://ubuntu.com/security/CVE-2026-0915",
                        "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-15 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2143767,
                    2138256,
                    2142067
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian experimental (LP: #2143767)",
                            "    Delta dropped:",
                            "    - Don't strip ld.so on armhf. LP #1927192.",
                            "    - Enable systemtap support, which is currently disabled in Debian.",
                            "    - Fix gconv regression on i386",
                            "    - Stop building with --enable-sframe for now.",
                            "    - s390x: drop the 32-bit multi-arch variant (LP #2067350)",
                            "  * Fixed upstream:",
                            "    - NPTL: Optimize trylock for high cache contention workloads (LP: #2138256) ",
                            "  * Update from upstream:",
                            "    - Don't include <bits/openat2.h> directly",
                            "    - po: Incorporate translations (nl updated, ar new)",
                            "  * d/watch: modernize watchfile delta to v5",
                            "  * Fix broken ldconfig, static-pie binary on riscv64",
                            "    Revert RVV memset variant patch. (LP: #2142067)",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143767,
                            2138256,
                            2142067
                        ],
                        "author": "Simon Poirier <simon.poirier@canonical.com>",
                        "date": "Tue, 17 Feb 2026 16:52:35 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/testsuite-xfail-debian.mk: Update hurd results.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-2",
                        "urgency": "medium",
                        "distributions": "UNRELEASED",
                        "launchpad_bugs_fixed": [],
                        "author": "Samuel Thibault <sthibault@debian.org>",
                        "date": "Fri, 30 Jan 2026 01:41:14 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * New upstream release:",
                            "    - debian/copyright: update following upstream changes.",
                            "    - debian/symbols.wildcards: add 2.43.",
                            "    - debian/patches/git-updates.diff: update from upstream stable branch.",
                            "    - debian/patches/hurd-i386/local-enable-ldconfig.diff: rebased.",
                            "    - debian/patches/hurd-i386/git-sigreturn-SEGV.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-rlimit-as.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-run-iconv-test.sh.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-elf-ordering.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-rename.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-signal-SSE-MMX.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-sigreturn-xmm.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-cancel-stack.diff: upstreamed.",
                            "    - debian/patches/i386/unsubmitted-quiet-ldconfig.diff: rebased.",
                            "    - debian/patches/any/local-asserth-decls.diff: rebased.",
                            "    - debian/patches/any/local-tcsetaddr.diff: rebased.",
                            "    - debian/patches/any/submitted-nptl-invalid-td.patch: drop, obsolete.",
                            "    - debian/patches/any/git-ldd-set-u.diff: upstreamed.",
                            "    - debian/patches/any/git-linux-termios.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/submitted-net.diff: rebased.",
                            "    - debian/patches/hurd-i386/tg-bits_atomic.h_multiple_threads.diff: drop,",
                            "      obsolete.",
                            "    - debian/patches/hurd-i386/local-clock_gettime_MONOTONIC.diff: rebased.",
                            "    - debian/patches/hurd-i386/local-fix-nss.diff: rebased.",
                            "    - debian/libc0.3.symbols.hurd-i386: update following the move of symbols",
                            "      from libpthread.so.0.3 to libc.so.0.3.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Wed, 28 Jan 2026 22:35:15 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/testsuite-xfail-debian.mk: ignore new tst-pie-bss-static issue on",
                            "    hurd for now.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control: regenerate.  Closes: #1127589.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-13",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Tue, 10 Feb 2026 18:54:23 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/git-fork-gdb.diff: Fix gdb after fork.",
                            "  * debian/patches/hurd-i386/local-execstack.diff: Drop, fixed in binutils.",
                            "  * debian/patches/hurd-i386/git-sig-sig-mmx-fix.diff: Fix mmx corruption on",
                            "    double-signal.",
                            "  * debian/patches/hurd-i386/local-intr-msg-clobber.diff: Drop, now fixed.",
                            "  * debian/patches/hurd-i386/git-cancel-sig.diff: Fix cancellation points in",
                            "    signals during cancellation points.",
                            "  * debian/testsuite-xfail-debian.mk: Update accordingly.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control.in/*, debian/glibc-source.filelist,",
                            "    debian/libc6-s390.symbols.s390x, debian/rules.d/control.mk,",
                            "    debian/sysdeps/s390x.mk: stop building a 31-bit multilib flavour on s390x.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-12",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sat, 07 Feb 2026 22:23:34 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-15281",
                                "url": "https://ubuntu.com/security/CVE-2025-15281",
                                "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/local-execstack.diff: Work around missing execstack",
                            "    on libc.so.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch:",
                            "    - Fix bug in wordexp, which could return uninitialized memory when using",
                            "      WRDE_REUSE together with WRDE_APPEND (CVE-2025-15281).  Closes: #1126266.",
                            "    - Switch currency symbol for the bg_BG locale to euro.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-11",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Mon, 26 Jan 2026 23:40:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/sysdeps/{amd64,arm64,i386,x32}.mk: disable SFrame support.  Closes:",
                            "    #1125944.",
                            "  * debian/control.in/{main,libc}: drop versioned Build-Depends and Breaks on",
                            "    binutils 2.45, now pointless.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-10",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Mon, 19 Jan 2026 20:12:24 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/git-cancel-stack.diff: Fix crash on cancellation",
                            "    with unaligned stack.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/rules.d/debhelper.mk: do not strip ld.so on armhf.  Closes:",
                            "    #1125796.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-9",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sun, 18 Jan 2026 11:52:41 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-0861",
                                "url": "https://ubuntu.com/security/CVE-2026-0861",
                                "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.  Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument.  This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.  Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice.  An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-14 21:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0915",
                                "url": "https://ubuntu.com/security/CVE-2026-0915",
                                "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-15 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/testsuite-xfail-debian.mk: Avoid running tst-writev on hurd-amd64.",
                            "  * debian/patches/hurd-i386/git-sigreturn-xmm.diff: Fix sigreturn using xmm",
                            "    registers in the signal contention case.",
                            "  * debian/patches/hurd-i386/local-intr-msg-clobber.diff: Try to re-introduce",
                            "    mmx clobber work-around.",
                            "  * debian/testsuite-xfail-debian.mk: Update hurd results.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/rules.d/build.mk: do not write BUILD_CXX to configparms, it's",
                            "    unused.",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch:",
                            "    - Fix an integer overflow in _int_memalign leading to heap corruption",
                            "      (CVE-2026-0861).  Closes: #1125678.",
                            "    - Fix stack contents leak in getnetbyaddr (CVE-2026-0915).  Closes:",
                            "      #1125748.",
                            "    - Optimize trylock for high cache contention workloads.",
                            "",
                            "  [ Helmut Grohne ]",
                            "  * debian/control.in/main: avoid g++ dependency in nocheck builds.",
                            "  * debian/control.in/main, rules, rules.d/build.mk: don't build nscd in",
                            "    stage2.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-8",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Fri, 16 Jan 2026 21:50:10 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control.in/libc, debian/rules.d/debhelper.mk: drop libcrypt-dev",
                            "    dependency from libc6-dev. Thanks to Helmut Grohne for proposing that,",
                            "    doing an archive rebuild and filing the bug reports.",
                            "  * debian/control.in/main, debian/sysdeps/linux.mk: enable SystemTap static",
                            "    probes.",
                            "  * debian/debhelper.in/libc-dev.NEWS: add a NEWS entry about the removal of",
                            "    the obsolete termio interface.  Closes: #1124068.",
                            "  * debian/rules.d/debhelper.mk: ensure that linker scripts work even when",
                            "    /usr is unmerged.  Closes: #1120508",
                            "  * debian/debhelper.in/libc-dev{,-alt}.lintian-overrides,",
                            "    source/lintian-overrides, rules.d/debhelper.mk, salsa-ci.yml: drop",
                            "    unpack-message-for-{orig,source} overrides, fixed in lintian 2.128.0.",
                            "  * debian/control.in/main: drop Rules-Requires-Root: no, this is now the",
                            "    default.",
                            "  * debian/libc6.symbols.i386, debian/libc6-i386.symbols.{amd64,x32}: remove",
                            "    the workaround for GLIBC_ABI_GNU_TLS.  Closes: #1122038.",
                            "  * debian/control.in/{libc,i386}: ensure that libdpkg-perl is fixed wrt",
                            "    GLIBC_ABI_GNU_TLS.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-7",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sun, 04 Jan 2026 10:07:24 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Benjamin Drung ]",
                            "  * debian/control: add new lines when concatenating files",
                            "  * Update debian/watch to version 5",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/symbols.wildcards: adjust ABI flags version:",
                            "    - Fix corresponding to GLIBC_ABI_DT_X86_64_PLT was first corrected in 2.36",
                            "    - Fix corresponding to GLIBC_ABI_GNU2_TLS was first corrected in 2.40",
                            "  * debian/control.in/libc, debian/control.in/main: remove breaks, conflicts",
                            "    and (build-)depends already satisfied in bookworm.",
                            "  * debian/control.in/amd64, debian/control.in/libc: add a Breaks against",
                            "    binutils (<< 2.45) for builds with sframe support enabled.",
                            "  * debian/control.in/main, debian/rules: build with GCC 15.",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch.",
                            "",
                            "  [ Baptiste Jammet ]",
                            "  * Update French debconf translation.  Closes: #1118006.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-6",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Fri, 12 Dec 2025 18:37:16 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Martin Bagge ]",
                            "  * Update Swedish debconf translation.  Closes: #1121991.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control.in/main: change libc-gconv-modules-extra to Multi-Arch:",
                            "    same as it contains libraries.",
                            "  * debian/libc6.symbols.i386, debian/libc6-i386.symbols.{amd64,x32}: force",
                            "    the minimum libc6 version to >= 2.42, to ensure GLIBC_ABI_GNU_TLS is",
                            "    available, given symbols in .gnu.version_r section are currently not",
                            "    handled by dpkg-shlibdeps.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-5",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sat, 06 Dec 2025 23:02:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to unstable.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Wed, 03 Dec 2025 23:03:48 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/patches/any/git-ldd-set-u.diff: backport fix to allow using",
                            "    set -u on ldd.  Closes: #1114824.",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch.",
                            "  * debian/patches/any/git-linux-termios.diff: backport fix for termios",
                            "    regression with non-standard baud rate.",
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/git-sigreturn-SEGV.diff: catch SIGSEGV on",
                            "    returning from signal handler.",
                            "  * debian/patches/hurd-i386/git-rlimit-as.diff: Support RLIMIT_AS.",
                            "  * debian/patches/hurd-i386/local-aux-pagesz.diff: Fix getauxval(AT_PAGESZ).",
                            "  * debian/patches/hurd-i386/git-run-iconv-test.sh.diff: Fix running iconv",
                            "    tests.",
                            "  * debian/patches/hurd-i386/git-elf-ordering.diff: Fix running ELF ordering",
                            "    tests.",
                            "  * debian/patches/hurd-i386/git-rename.diff: Fix renaming directories with",
                            "    trailing slashes.",
                            "  * debian/patches/hurd-i386/git-signal-SSE-MMX.diff: Fix signals thrashing",
                            "    SSE&MMX state.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-3",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sat, 29 Nov 2025 19:36:10 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcap-ng0:armhf",
                "from_version": {
                    "source_package_name": "libcap-ng",
                    "source_package_version": "0.8.5-4build4",
                    "version": "0.8.5-4build4"
                },
                "to_version": {
                    "source_package_name": "libcap-ng",
                    "source_package_version": "0.8.5-4build5",
                    "version": "0.8.5-4build5"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "libcap-ng",
                        "version": "0.8.5-4build5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:18:30 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libclang-cpp21",
                "from_version": {
                    "source_package_name": "llvm-toolchain-21",
                    "source_package_version": "1:21.1.8-1ubuntu1",
                    "version": "1:21.1.8-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "llvm-toolchain-21",
                    "source_package_version": "1:21.1.8-4ubuntu2",
                    "version": "1:21.1.8-4ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2138890,
                    2138890,
                    2138890
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Regenerate the control file.",
                            "    - Use RVA23U64 profile in clang (LP #2116086).",
                            "    - d/rules: Remove i386 from CLANG_GRPC_ARCHS (not built on i386).",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-4ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 21:51:56 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Matthias Klose ]",
                            "  * d/rules: Fix self-referencing macro.",
                            "  * Stop building packages now built by LLVM 22.",
                            "  * d/rules: Don't use lld for backport build, when not available.",
                            "  * d/rules: Add safety check for enablement of the RVA23 baseline.",
                            "  * d/rules: Only disable Z3 support for Ubuntu when it is in main.",
                            "  * Install a lit binary. Closes: #1122910.",
                            "  * llvm-tools: Don't install the lit tests. Closes: #1122909.",
                            "",
                            "  [ Sylvestre Ledru ]",
                            "  * Fix autopkgtest failure with CMake 4. thanks to Adrian Bunk",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Fri, 27 Feb 2026 17:29:38 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Regenerate the control file.",
                            "    - Use RVA23U64 profile in clang (LP #2116086).",
                            "    - d/rules: Remove i386 from CLANG_GRPC_ARCHS (not built on i386).",
                            "  * Stop building packages now built from LLVM 22.",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 05 Feb 2026 11:23:42 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Matthias Klose ]",
                            "  * d/llvm-X.Y-tools.bcep.in: Fix Python 3.14 byte compilation by adding",
                            "    an exception for shtest-encoding.py test file containing non-UTF-8",
                            "    characters (Igor Luppi). Closes: #1125352. LP: #2138890.",
                            "  * Enable libunwind on s390x (Michael R. Crusoe). Closes: #1126263.",
                            "",
                            "  [ Fabian Grünbichler ]",
                            "  * d/rules: Work around cmake 4.x compat issue. Closes: #1125733.",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2138890
                        ],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Tue, 03 Feb 2026 12:25:57 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/llvm-X.Y-tools.bcep.in: fix bcep exception pattern (LP: #2138890).",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138890
                        ],
                        "author": "Igor Luppi <igor.luppi@canonical.com>",
                        "date": "Mon, 02 Feb 2026 11:59:53 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick change from Debian git",
                            "  [ Matthias Klose ]",
                            "  * d/llvm-X.Y-tools.bcep.in: Fix Python 3.14 byte compilation by adding",
                            "    an exception for shtest-encoding.py test file containing non-UTF-8",
                            "    characters (Igor Luppi). LP: #2138890.",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138890
                        ],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Sat, 31 Jan 2026 19:43:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Regenerate the control file.",
                            "    - Use RVA23U64 profile in clang (LP #2116086).",
                            "    - d/rules: Remove i386 from CLANG_GRPC_ARCHS (not built on i386).",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-2ubuntu1",
                        "urgency": "low",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Mon, 26 Jan 2026 20:25:27 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Stop building multilibs on s390x. Closes: #1125253.",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Tue, 20 Jan 2026 05:14:27 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcom-err2:armhf",
                "from_version": {
                    "source_package_name": "e2fsprogs",
                    "source_package_version": "1.47.2-3ubuntu2",
                    "version": "1.47.2-3ubuntu2"
                },
                "to_version": {
                    "source_package_name": "e2fsprogs",
                    "source_package_version": "1.47.2-3ubuntu4",
                    "version": "1.47.2-3ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2138219,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/rules: fix pkgconfig call that results in inability",
                            "    to find udev rules.d in dh_install. Patch supplied by",
                            "    Helmut Grohne in Debian bug 1126636. (LP: #2138219)",
                            ""
                        ],
                        "package": "e2fsprogs",
                        "version": "1.47.2-3ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138219
                        ],
                        "author": "John Chittum <john.chittum@canonical.com>",
                        "date": "Fri, 13 Feb 2026 07:17:00 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "e2fsprogs",
                        "version": "1.47.2-3ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:34:31 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcryptsetup12:armhf",
                "from_version": {
                    "source_package_name": "cryptsetup",
                    "source_package_version": "2:2.8.4-1ubuntu1",
                    "version": "2:2.8.4-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "cryptsetup",
                    "source_package_version": "2:2.8.4-1ubuntu4",
                    "version": "2:2.8.4-1ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143933,
                    2142888,
                    2142775
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick fixes from upstream:",
                            "    - tests: Fix tests to not use aes-generic kernel cipher name",
                            "    - Add specific error for failed posix_fallocate call.",
                            "  * test: use gnudd as workaround in luks2-reencryption-mangle-test",
                            "    (LP: #2143933)",
                            ""
                        ],
                        "package": "cryptsetup",
                        "version": "2:2.8.4-1ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143933
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 11 Mar 2026 18:58:47 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * askpass: Fix FTBFS with glibc 2.43. (Closes: #1128538, LP: #2142888)",
                            ""
                        ],
                        "package": "cryptsetup",
                        "version": "2:2.8.4-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142888
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 11 Mar 2026 11:53:16 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * cryptsetup: recommend dracut over cryptsetup-initramfs (LP: #2142775)",
                            ""
                        ],
                        "package": "cryptsetup",
                        "version": "2:2.8.4-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142775
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 10 Mar 2026 12:24:16 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcurl3t64-gnutls:armhf",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu1",
                    "version": "8.18.0-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2",
                    "version": "8.18.0-1ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1965",
                        "url": "https://ubuntu.com/security/CVE-2026-1965",
                        "cve_description": "libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.  libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.  When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work.  An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1...  The set of authentication methods to use is set with  `CURLOPT_HTTPAUTH`.  Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-11 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3783",
                        "url": "https://ubuntu.com/security/CVE-2026-3783",
                        "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.  If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-11 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3784",
                        "url": "https://ubuntu.com/security/CVE-2026-3784",
                        "cve_description": "curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-11 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3805",
                        "url": "https://ubuntu.com/security/CVE-2026-3805",
                        "cve_description": "When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-11 11:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1965",
                                "url": "https://ubuntu.com/security/CVE-2026-1965",
                                "cve_description": "libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.  libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.  When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work.  An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1...  The set of authentication methods to use is set with  `CURLOPT_HTTPAUTH`.  Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-11 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3783",
                                "url": "https://ubuntu.com/security/CVE-2026-3783",
                                "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.  If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-11 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3784",
                                "url": "https://ubuntu.com/security/CVE-2026-3784",
                                "cve_description": "curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-11 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3805",
                                "url": "https://ubuntu.com/security/CVE-2026-3805",
                                "cve_description": "When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-11 11:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: bad reuse of HTTP Negotiate connection",
                            "    - debian/patches/CVE-2026-1965-1.patch: fix reuse of connections using",
                            "      HTTP Negotiate in lib/url.c.",
                            "    - debian/patches/CVE-2026-1965-2.patch: fix copy and paste",
                            "      url_match_auth_nego mistake in lib/url.c.",
                            "    - CVE-2026-1965",
                            "  * SECURITY UPDATE: token leak with redirect and netrc",
                            "    - debian/patches/CVE-2026-3783.patch: only send bearer if auth is",
                            "      allowed in lib/http.c, tests/data/Makefile.am, tests/data/test2006.",
                            "    - CVE-2026-3783",
                            "  * SECURITY UPDATE: wrong proxy connection reuse with credentials",
                            "    - debian/patches/CVE-2026-3784.patch: add additional tests in",
                            "      lib/url.c, tests/http/test_13_proxy_auth.py,",
                            "      tests/http/testenv/curl.py.",
                            "    - CVE-2026-3784",
                            "  * SECURITY UPDATE: use after free in SMB connection reuse",
                            "    - debian/patches/CVE-2026-3805.patch: free the path in the request",
                            "      struct properly in lib/smb.c.",
                            "    - CVE-2026-3805",
                            ""
                        ],
                        "package": "curl",
                        "version": "8.18.0-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 09 Mar 2026 08:30:05 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcurl4t64:armhf",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu1",
                    "version": "8.18.0-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2",
                    "version": "8.18.0-1ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1965",
                        "url": "https://ubuntu.com/security/CVE-2026-1965",
                        "cve_description": "libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request.  libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.  When reusing a connection a range of criteria must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason is that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work.  An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1...  The set of authentication methods to use is set with  `CURLOPT_HTTPAUTH`.  Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-11 11:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3783",
                        "url": "https://ubuntu.com/security/CVE-2026-3783",
                        "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.  If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-11 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3784",
                        "url": "https://ubuntu.com/security/CVE-2026-3784",
                        "cve_description": "curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-11 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3805",
                        "url": "https://ubuntu.com/security/CVE-2026-3805",
                        "cve_description": "When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-11 11:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1965",
                                "url": "https://ubuntu.com/security/CVE-2026-1965",
                                "cve_description": "libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request.  libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.  When reusing a connection a range of criteria must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason is that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work.  An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server also using Negotiate but with `user2:password2` (while the previous connection is still alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate negotiation is already made, it just sends the request over that connection thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1...  The set of authentication methods to use is set with  `CURLOPT_HTTPAUTH`.  Applications can disable libcurl's reuse of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-11 11:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3783",
                                "url": "https://ubuntu.com/security/CVE-2026-3783",
                                "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.  If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-11 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3784",
                                "url": "https://ubuntu.com/security/CVE-2026-3784",
                                "cve_description": "curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-11 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3805",
                                "url": "https://ubuntu.com/security/CVE-2026-3805",
                                "cve_description": "When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-11 11:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: bad reuse of HTTP Negotiate connection",
                            "    - debian/patches/CVE-2026-1965-1.patch: fix reuse of connections using",
                            "      HTTP Negotiate in lib/url.c.",
                            "    - debian/patches/CVE-2026-1965-2.patch: fix copy and paste",
                            "      url_match_auth_nego mistake in lib/url.c.",
                            "    - CVE-2026-1965",
                            "  * SECURITY UPDATE: token leak with redirect and netrc",
                            "    - debian/patches/CVE-2026-3783.patch: only send bearer if auth is",
                            "      allowed in lib/http.c, tests/data/Makefile.am, tests/data/test2006.",
                            "    - CVE-2026-3783",
                            "  * SECURITY UPDATE: wrong proxy connection reuse with credentials",
                            "    - debian/patches/CVE-2026-3784.patch: add additional tests in",
                            "      lib/url.c, tests/http/test_13_proxy_auth.py,",
                            "      tests/http/testenv/curl.py.",
                            "    - CVE-2026-3784",
                            "  * SECURITY UPDATE: use after free in SMB connection reuse",
                            "    - debian/patches/CVE-2026-3805.patch: free the path in the request",
                            "      struct properly in lib/smb.c.",
                            "    - CVE-2026-3805",
                            ""
                        ],
                        "package": "curl",
                        "version": "8.18.0-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 09 Mar 2026 08:30:05 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libdbus-1-3:armhf",
                "from_version": {
                    "source_package_name": "dbus",
                    "source_package_version": "1.16.2-2ubuntu3",
                    "version": "1.16.2-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "dbus",
                    "source_package_version": "1.16.2-2ubuntu4",
                    "version": "1.16.2-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2141603
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * dont-stop-dbus.patch: restore Before=sockets.target (LP: #2141603)",
                            ""
                        ],
                        "package": "dbus",
                        "version": "1.16.2-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2141603
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 03 Mar 2026 12:20:34 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libelf1t64:armhf",
                "from_version": {
                    "source_package_name": "elfutils",
                    "source_package_version": "0.194-1",
                    "version": "0.194-1"
                },
                "to_version": {
                    "source_package_name": "elfutils",
                    "source_package_version": "0.194-4",
                    "version": "0.194-4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144516
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Apply two more patches from the trunk:",
                            "    - Fix const-correctness issues.",
                            "    - libdwfl: Work around ET_REL files with sh_addr fields set to",
                            "      non-zero.",
                            ""
                        ],
                        "package": "elfutils",
                        "version": "0.194-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Tue, 17 Mar 2026 15:25:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Sergio Durigan Junior ]",
                            "  * d/libdebuginfod-common.postinst: Remove readonly usage when declaring",
                            "    local variables. (LP: #2144516)",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Fix PR dwz/33391, trunk: aarch64: Recognize SHT_AARCH64_ATTRIBUTES.",
                            ""
                        ],
                        "package": "elfutils",
                        "version": "0.194-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2144516
                        ],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Tue, 17 Mar 2026 07:31:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Mark Wielaard ]",
                            "  * d/p/elfutils-0.194-alloc-jobs.patch: Patch for upstream bug 33580.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Update symbols file syntax.",
                            "  * Bump standards version.",
                            "  * Drop build dependency on gcc-multilib. Closes: #1107128.",
                            "  * Drop bashism from debian/libdebuginfod-common.postinst (Nobuhiro Iwamatsu).",
                            "    Closes: #1105011.",
                            ""
                        ],
                        "package": "elfutils",
                        "version": "0.194-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sun, 15 Mar 2026 10:41:13 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libext2fs2t64:armhf",
                "from_version": {
                    "source_package_name": "e2fsprogs",
                    "source_package_version": "1.47.2-3ubuntu2",
                    "version": "1.47.2-3ubuntu2"
                },
                "to_version": {
                    "source_package_name": "e2fsprogs",
                    "source_package_version": "1.47.2-3ubuntu4",
                    "version": "1.47.2-3ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2138219,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/rules: fix pkgconfig call that results in inability",
                            "    to find udev rules.d in dh_install. Patch supplied by",
                            "    Helmut Grohne in Debian bug 1126636. (LP: #2138219)",
                            ""
                        ],
                        "package": "e2fsprogs",
                        "version": "1.47.2-3ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138219
                        ],
                        "author": "John Chittum <john.chittum@canonical.com>",
                        "date": "Fri, 13 Feb 2026 07:17:00 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "e2fsprogs",
                        "version": "1.47.2-3ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:34:31 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libfdisk1:armhf",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.2-4ubuntu3",
                    "version": "2.41.2-4ubuntu3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.3-3ubuntu2",
                    "version": "2.41.3-3ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142050
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ubuntu/su-pty-drop-caps.patch: harden 'su --pty' to temporarily lower",
                            "    capabilities while proxying between stdin/stdout and the pty master. This",
                            "    is to prevent su from being used to exploit kernel vulnerabilities.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:09:23 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142050). Remaining changes:",
                            "    - Add sulogin-fallback-static-sh.patch",
                            "      Add support for /bin/static-sh as fallback if the regular shell fails to",
                            "      execute. Patch ported from sysvinit. (see LP #505887)",
                            "    - Add sulogin-lockedpwd.patch",
                            "      Make sure file systems can be fixed on machines with locked root",
                            "      accounts (as Ubuntu does by default). Don't require --force for sulogin.",
                            "    - d/rules: disable libmount mountfs support",
                            "      Disable brand new feature with --disable-libmount-mountfd-support that",
                            "      causes inability to deploy MAAS LP #2037417.",
                            "  * Dropped changes applied upstream:",
                            "    - SECURITY UPDATE: heap overread with 256-byte usernames",
                            "      + debian/patches/CVE-2025-14104-1.patch: add length check in",
                            "        login-utils/setpwnam.c.",
                            "      + debian/patches/CVE-2025-14104-2.patch: update buflen in",
                            "        login-utils/setpwnam.c.",
                            "      + CVE-2025-14104",
                            "  * Dropped changes as they were no longer necessary:",
                            "    - d/p/ubuntu/lp-2030793-make-check-pidfd.patch",
                            "      This patch only effected kernel versions below 5.15 which are not",
                            "      available on resolute.",
                            "    - d/p/u/lp-2112552-tests-mark-mkfds-multiplexing-as-known-fail.patch",
                            "      The underlying bug was addressed in rust-coreutils.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142050
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Sun, 15 Feb 2026 17:43:12 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/libsmartcols1.symbols: drop terminal crap",
                            "  * d/rules: make dpkg-gensymbols more strict",
                            "  * lintian: ignore groff-message tags",
                            "  * lintian: ignore groff-message tags in remaining packages",
                            "  * Add upstream patches",
                            "    * unshare: fix user namespace bind mounts",
                            "    * unshare: remove get_mnt_ino() check in bind_ns_files_from_child()",
                            "    * unshare: add --owner to set user namespace owner uid and gid",
                            "    * libfdisk: modernize ZFS GPT type description",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 31 Dec 2025 13:06:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * util-linux: do not fail postinst/prerm if update-alternatives is missing",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 17 Dec 2025 10:42:28 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Stop installing lastlog2-import.service",
                            "  * New upstream release, fixing CVE-2025-14104. (Closes: #1122058)",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Tue, 16 Dec 2025 20:37:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libfdt1:armhf",
                "from_version": {
                    "source_package_name": "device-tree-compiler",
                    "source_package_version": "1.7.2-2build1",
                    "version": "1.7.2-2build1"
                },
                "to_version": {
                    "source_package_name": "device-tree-compiler",
                    "source_package_version": "1.7.2-2ubuntu1",
                    "version": "1.7.2-2ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2114731,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add upstream patch for uutils compatibility (LP: #2114731)",
                            ""
                        ],
                        "package": "device-tree-compiler",
                        "version": "1.7.2-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2114731
                        ],
                        "author": "Tobias Heider <tobias.heider@canonical.com>",
                        "date": "Tue, 27 Jan 2026 13:09:33 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "device-tree-compiler",
                        "version": "1.7.2-2build2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@ubuntu.com>",
                        "date": "Sat, 06 Dec 2025 10:41:09 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libfreetype6:armhf",
                "from_version": {
                    "source_package_name": "freetype",
                    "source_package_version": "2.14.1+dfsg-2",
                    "version": "2.14.1+dfsg-2"
                },
                "to_version": {
                    "source_package_name": "freetype",
                    "source_package_version": "2.14.2+dfsg-1",
                    "version": "2.14.2+dfsg-1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-23865",
                        "url": "https://ubuntu.com/security/CVE-2026-23865",
                        "cve_description": "An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-02 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-23865",
                                "url": "https://ubuntu.com/security/CVE-2026-23865",
                                "cve_description": "An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-02 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream version 2.14.2:",
                            "    - Setting filter weights with FT_Face_Properties is no longer supported.",
                            "    - The legacy libXft LCD filter algorithm is no longer provided.",
                            "    - Various bug fixes, including for CVE-2026-23865 (integer overflow",
                            "      in the tt_var_load_item_variation_store function) (Closes: #1129606).",
                            "  * debian/control: Use ${source:*} replacement where possible.",
                            "  * debian/copyright: Update Debian copyright for 2026.",
                            "  * debian/patches: Refresh ftoption.patch.",
                            ""
                        ],
                        "package": "freetype",
                        "version": "2.14.2+dfsg-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Hugh McMaster <hmc@debian.org>",
                        "date": "Sat, 07 Mar 2026 21:55:55 +1100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libfwupd3:armhf",
                "from_version": {
                    "source_package_name": "fwupd",
                    "source_package_version": "2.0.19-1ubuntu1",
                    "version": "2.0.19-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "fwupd",
                    "source_package_version": "2.1.1-1ubuntu1",
                    "version": "2.1.1-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2146332,
                    2143688,
                    2142298,
                    2139611
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version (LP: #2146332)",
                            "  * Drop patches merged upstream.",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - d/p/fwupdmgr-fde-verify-snapd-recovery-key.patch: Make fwupdmgr",
                            "      verify snapd recovery key through prompt on updates affecting FDE.",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.1.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2146332
                        ],
                        "author": "Mario Limonciello <superm1@debian.org>",
                        "date": "Thu, 26 Mar 2026 12:46:28 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version (2.1.1)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.1.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Mario Limonciello <superm1@debian.org>",
                        "date": "Wed, 25 Mar 2026 13:18:21 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/patches/dell-uod-behavior.patch: Backport from 2_0_X branch to fix",
                            "    UOD behavior for some Dell docks. (LP: #2143688)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.20-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143688
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Mon, 09 Mar 2026 11:48:10 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Enable UMA carveout feature (LP: #2142298)",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - d/p/db-update-snapd-bad-request.patch: On TPM/FDE systems, db updates",
                            "      require notifying snapd for preparation. However, the payload uses an",
                            "      incorrect format for composite updates. Change the format to align",
                            "      with snapd.",
                            "    - d/p/fwupdmgr-fde-verify-snapd-recovery-key.patch: Make fwupdmgr",
                            "      verify snapd recovery key through prompt on updates affecting FDE.",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.20-1ubuntu1",
                        "urgency": "low",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142298
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Fri, 27 Feb 2026 20:24:47 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version (2.0.20)",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.20-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Thu, 26 Feb 2026 06:49:36 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix snapd bad request on db updates (LP: #2139611):",
                            "    - d/p/db-update-snapd-bad-request.patch: On TPM/FDE systems, db updates",
                            "      require notifying snapd for preparation. However, the payload uses an",
                            "      incorrect format for composite updates. Change the format to align",
                            "      with snapd.",
                            ""
                        ],
                        "package": "fwupd",
                        "version": "2.0.19-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2139611
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Mon, 23 Feb 2026 12:12:45 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libgcc-s1:armhf",
                "from_version": {
                    "source_package_name": "gcc-16",
                    "source_package_version": "16-20260217-1ubuntu2",
                    "version": "16-20260217-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "gcc-16",
                    "source_package_version": "16-20260315-1ubuntu1",
                    "version": "16-20260315-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Build from upstream sources.",
                            "    - Work-around the 80GB chroot size on the Ubuntu buildds.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260315-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 15 Mar 2026 13:22:54 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260315).",
                            "  * Pass configure flags for libgcobol cross builds.",
                            "  * For backports, require binutils (>= 2.40) on riscv64.",
                            "  * libga68-dev: Depend on libgc-dev. Closes: #1130580.",
                            "  * Fix PR ada/107475 also for armhf and s390x.",
                            "  * Disable dwz on alpha, see PR dwz/33990.",
                            "  * Refresh patches.",
                            "  * Update libgcc-s, libcc1, lib*asan, liblsan, libtsan and libgcobol",
                            "    symbol files.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260315-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sun, 15 Mar 2026 13:17:23 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260308).",
                            "  * On riscv64, default again to RVA23.",
                            "  * Disable bootstrap build on riscv64 entirely for a quick build.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260308-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 08 Mar 2026 09:49:05 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260308).",
                            "  * Refresh cross-installation-location patch.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260308-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sun, 08 Mar 2026 09:34:40 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260307).",
                            "  * libsanitizer/TSan: Fix determining static TLS blocks. Addresses: #1126312.",
                            "  * Refresh patches.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260307-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sat, 07 Mar 2026 09:07:18 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260226).",
                            "  * On riscv64, default again to RVA23.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260226-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 06:09:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260226). Also closes: #1128648.",
                            "  * Disable again profiled+lto build on armhf.",
                            "  * Fix s390x backport builds.",
                            "  * Disable dwz on riscv64, see https://sourceware.org/bugzilla/show_bug.cgi?id=33929.",
                            "  * Disable profiled+lto build. See https://gcc.gnu.org/PR124238.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260226-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Thu, 26 Feb 2026 06:00:27 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libgirepository-2.0-0:armhf",
                "from_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.87.2-3",
                    "version": "2.87.2-3"
                },
                "to_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.88.0-1",
                    "version": "2.88.0-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "    - Work around a build regression in NetworkManager with 2.87.x",
                            "  * Release to unstable",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.88.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon McVittie <smcv@debian.org>",
                        "date": "Mon, 16 Mar 2026 21:37:12 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "  * d/control: Bump gi-docgen to 2026.1, matching upstream CI",
                            "  * d/copyright: Remove comment line.",
                            "    The machine-readable syntax doesn't actually allow these. Use",
                            "    a double blank line as the divider between Files and standalone",
                            "    License paragraphs instead.",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.5-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon McVittie <smcv@debian.org>",
                        "date": "Fri, 13 Mar 2026 16:54:09 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update the source using the upstream-generated-tarball",
                            "  * debian/control: Update breaks on old gjs and pygobject.",
                            "    Versions prior to these do not have the fallback code to support the",
                            "    GLib/GLibUnix split",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.3-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 00:24:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release:",
                            "    Upstream has tagged a new release but not produced tarballs yet, due to CI",
                            "    problems. Let's get this (the tagged contents) early in experimental",
                            "    though, so we can start testing it, but using a pre-version so that we can",
                            "    later import the actual 2.87.3 tarball.",
                            "  * d/p: Refresh and drop applied patches",
                            "  * debian/libglib2.0-0t64.symbols: Update symbols",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.3~gitlab0-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 00:48:14 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libglib2.0-0t64:armhf",
                "from_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.87.2-3",
                    "version": "2.87.2-3"
                },
                "to_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.88.0-1",
                    "version": "2.88.0-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "    - Work around a build regression in NetworkManager with 2.87.x",
                            "  * Release to unstable",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.88.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon McVittie <smcv@debian.org>",
                        "date": "Mon, 16 Mar 2026 21:37:12 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "  * d/control: Bump gi-docgen to 2026.1, matching upstream CI",
                            "  * d/copyright: Remove comment line.",
                            "    The machine-readable syntax doesn't actually allow these. Use",
                            "    a double blank line as the divider between Files and standalone",
                            "    License paragraphs instead.",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.5-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon McVittie <smcv@debian.org>",
                        "date": "Fri, 13 Mar 2026 16:54:09 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update the source using the upstream-generated-tarball",
                            "  * debian/control: Update breaks on old gjs and pygobject.",
                            "    Versions prior to these do not have the fallback code to support the",
                            "    GLib/GLibUnix split",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.3-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 00:24:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release:",
                            "    Upstream has tagged a new release but not produced tarballs yet, due to CI",
                            "    problems. Let's get this (the tagged contents) early in experimental",
                            "    though, so we can start testing it, but using a pre-version so that we can",
                            "    later import the actual 2.87.3 tarball.",
                            "  * d/p: Refresh and drop applied patches",
                            "  * debian/libglib2.0-0t64.symbols: Update symbols",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.3~gitlab0-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 00:48:14 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libglib2.0-bin",
                "from_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.87.2-3",
                    "version": "2.87.2-3"
                },
                "to_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.88.0-1",
                    "version": "2.88.0-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "    - Work around a build regression in NetworkManager with 2.87.x",
                            "  * Release to unstable",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.88.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon McVittie <smcv@debian.org>",
                        "date": "Mon, 16 Mar 2026 21:37:12 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "  * d/control: Bump gi-docgen to 2026.1, matching upstream CI",
                            "  * d/copyright: Remove comment line.",
                            "    The machine-readable syntax doesn't actually allow these. Use",
                            "    a double blank line as the divider between Files and standalone",
                            "    License paragraphs instead.",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.5-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon McVittie <smcv@debian.org>",
                        "date": "Fri, 13 Mar 2026 16:54:09 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update the source using the upstream-generated-tarball",
                            "  * debian/control: Update breaks on old gjs and pygobject.",
                            "    Versions prior to these do not have the fallback code to support the",
                            "    GLib/GLibUnix split",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.3-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 00:24:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release:",
                            "    Upstream has tagged a new release but not produced tarballs yet, due to CI",
                            "    problems. Let's get this (the tagged contents) early in experimental",
                            "    though, so we can start testing it, but using a pre-version so that we can",
                            "    later import the actual 2.87.3 tarball.",
                            "  * d/p: Refresh and drop applied patches",
                            "  * debian/libglib2.0-0t64.symbols: Update symbols",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.3~gitlab0-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 00:48:14 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libglib2.0-data",
                "from_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.87.2-3",
                    "version": "2.87.2-3"
                },
                "to_version": {
                    "source_package_name": "glib2.0",
                    "source_package_version": "2.88.0-1",
                    "version": "2.88.0-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "    - Work around a build regression in NetworkManager with 2.87.x",
                            "  * Release to unstable",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.88.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon McVittie <smcv@debian.org>",
                        "date": "Mon, 16 Mar 2026 21:37:12 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "  * d/control: Bump gi-docgen to 2026.1, matching upstream CI",
                            "  * d/copyright: Remove comment line.",
                            "    The machine-readable syntax doesn't actually allow these. Use",
                            "    a double blank line as the divider between Files and standalone",
                            "    License paragraphs instead.",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.5-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon McVittie <smcv@debian.org>",
                        "date": "Fri, 13 Mar 2026 16:54:09 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update the source using the upstream-generated-tarball",
                            "  * debian/control: Update breaks on old gjs and pygobject.",
                            "    Versions prior to these do not have the fallback code to support the",
                            "    GLib/GLibUnix split",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.3-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 00:24:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release:",
                            "    Upstream has tagged a new release but not produced tarballs yet, due to CI",
                            "    problems. Let's get this (the tagged contents) early in experimental",
                            "    though, so we can start testing it, but using a pre-version so that we can",
                            "    later import the actual 2.87.3 tarball.",
                            "  * d/p: Refresh and drop applied patches",
                            "  * debian/libglib2.0-0t64.symbols: Update symbols",
                            ""
                        ],
                        "package": "glib2.0",
                        "version": "2.87.3~gitlab0-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 00:48:14 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libgnutls30t64:armhf",
                "from_version": {
                    "source_package_name": "gnutls28",
                    "source_package_version": "3.8.10-3ubuntu1",
                    "version": "3.8.10-3ubuntu1"
                },
                "to_version": {
                    "source_package_name": "gnutls28",
                    "source_package_version": "3.8.12-2ubuntu1",
                    "version": "3.8.12-2ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14831",
                        "url": "https://ubuntu.com/security/CVE-2025-14831",
                        "cve_description": "A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-09 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9820",
                        "url": "https://ubuntu.com/security/CVE-2025-9820",
                        "cve_description": "A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-26 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1584",
                        "url": "https://ubuntu.com/security/CVE-2026-1584",
                        "cve_description": "A TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello could lead to a denial of service attack via crashing the server.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-02-10"
                    },
                    {
                        "cve": "CVE-2025-14831",
                        "url": "https://ubuntu.com/security/CVE-2025-14831",
                        "cve_description": "A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-09 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9820",
                        "url": "https://ubuntu.com/security/CVE-2025-9820",
                        "cve_description": "A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-26 20:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14831",
                        "url": "https://ubuntu.com/security/CVE-2025-14831",
                        "cve_description": "A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-09 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9820",
                        "url": "https://ubuntu.com/security/CVE-2025-9820",
                        "cve_description": "A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-26 20:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    213394
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14831",
                                "url": "https://ubuntu.com/security/CVE-2025-14831",
                                "cve_description": "A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-09 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-9820",
                                "url": "https://ubuntu.com/security/CVE-2025-9820",
                                "cve_description": "A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-26 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #213394). Remaining changes:",
                            "    - Enable CET.",
                            "    - d/patches/crypto-config.patch: also read configuration from",
                            "      /var/lib/crypto-config/profiles/current/gnutls.conf",
                            "    - Forcefully disable TLS 1.0 and 1.1 through /etc/gnutls/config.",
                            "    - Forcefully disable DTLS 0.9 and 1.0 through /etc/gnutls/config.",
                            "    - Set default priority string to only allow TLS1.2, DTLS1.2, and",
                            "      TLS1.3 with medium security profile (2048 RSA keys minimum, and",
                            "      similar).",
                            "   * Drop changes:",
                            "    - present upstream: debian/patches/CVE-2025-14831-*.patch",
                            "    - present upstream: debian/patches/CVE-2025-9820.patch ",
                            ""
                        ],
                        "package": "gnutls28",
                        "version": "3.8.12-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            213394
                        ],
                        "author": "Anshul Singh <anshul.singh@canonical.com>",
                        "date": "Wed, 18 Feb 2026 20:39:01 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * While there are no libgnutls-openssl27t64 rdeps in sid anymore there are",
                            "    a couple of packages which build-depend on libgnutls-openssl-dev (but either",
                            "    use regular GnuTLS interfaces or do not use GnuTLS at all.) Add back the",
                            "    OpenSSL wrapper until this version has propagated to testing.",
                            ""
                        ],
                        "package": "gnutls28",
                        "version": "3.8.12-2",
                        "urgency": "high",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andreas Metzler <ametzler@debian.org>",
                        "date": "Wed, 11 Feb 2026 18:18:55 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1584",
                                "url": "https://ubuntu.com/security/CVE-2026-1584",
                                "cve_description": "A TLS 1.3 resumption attempt with an invalid PSK binder value in ClientHello could lead to a denial of service attack via crashing the server.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-02-10"
                            },
                            {
                                "cve": "CVE-2025-14831",
                                "url": "https://ubuntu.com/security/CVE-2025-14831",
                                "cve_description": "A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-09 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Drop OpenSSL wrapper library.",
                            "  * New upstream bugfix release, includes fixes for (inter alia):",
                            "   + libgnutls: Fix NULL pointer dereference in PSK binder verification:",
                            "     A TLS 1.3 resumption attempt with an invalid PSK binder value in",
                            "     ClientHello could lead to a denial of service attack via crashing the",
                            "     server.  The updated code guards against the problematic dereference.",
                            "     Reported by Jaehun Lee.",
                            "     [Fixes: GNUTLS-SA-2026-02-09-1, CVSS: high] [CVE-2026-1584]",
                            "   + libgnutls: Fix name constraint processing performance issue:",
                            "     Verifying certificates with pathological amounts of name constraints",
                            "     could lead to a denial of service attack via resource exhaustion.",
                            "     Reworked processing algorithms exhibit better performance",
                            "     characteristics.  Reported by Tim Scheckenbach.",
                            "     [Fixes: GNUTLS-SA-2026-02-09-2, CVSS: medium] [CVE-2025-14831]",
                            "  * Drop 50_0001-mem-include-headers-for-size_t-and-uint8_t.patch.",
                            "  * Update copyright info.",
                            ""
                        ],
                        "package": "gnutls28",
                        "version": "3.8.12-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andreas Metzler <ametzler@debian.org>",
                        "date": "Mon, 09 Feb 2026 18:34:29 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Really upload to unstable.",
                            ""
                        ],
                        "package": "gnutls28",
                        "version": "3.8.11-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andreas Metzler <ametzler@debian.org>",
                        "date": "Sun, 23 Nov 2025 14:55:24 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to unstable.",
                            ""
                        ],
                        "package": "gnutls28",
                        "version": "3.8.11-2",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Andreas Metzler <ametzler@debian.org>",
                        "date": "Sun, 23 Nov 2025 14:30:24 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-9820",
                                "url": "https://ubuntu.com/security/CVE-2025-9820",
                                "cve_description": "A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-26 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream version.",
                            "    + Includes patch for CVE-2025-9820 / GNUTLS-SA-2025-11-18, which is",
                            "      mitigated by Debian building with -D_FORTIFY_SOURCE=2.",
                            "      Closes: #1121146",
                            "    + Drop superfluous patch, unfuzz.",
                            "    + Update symbol file.",
                            "    + Update copyright info.",
                            "    + Bump nettle-dev dependency to 3.10.",
                            "  * Drop Rules-Requires-Root: no",
                            "  * Cherry-pick post-release fix.",
                            ""
                        ],
                        "package": "gnutls28",
                        "version": "3.8.11-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Andreas Metzler <ametzler@debian.org>",
                        "date": "Sat, 22 Nov 2025 14:41:00 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14831",
                                "url": "https://ubuntu.com/security/CVE-2025-14831",
                                "cve_description": "A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-09 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-9820",
                                "url": "https://ubuntu.com/security/CVE-2025-9820",
                                "cve_description": "A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-26 20:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: DoS via malicious certificates",
                            "    - debian/patches/CVE-2025-14831-*.patch: rework processing algorithms",
                            "      to exhibit better performance characteristics in",
                            "      lib/x509/name_constraints.c, tests/name-constraints-ip.c.",
                            "    - CVE-2025-14831",
                            "  * SECURITY UPDATE: stack overflow via long token label",
                            "    - debian/patches/CVE-2025-9820.patch: avoid stack overwrite when",
                            "      initializing a token in lib/pkcs11_write.c, tests/Makefile.am,",
                            "      tests/pkcs11/long-label.c.",
                            "    - CVE-2025-9820",
                            ""
                        ],
                        "package": "gnutls28",
                        "version": "3.8.10-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 18 Feb 2026 10:00:15 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libgssapi-krb5-2:armhf",
                "from_version": {
                    "source_package_name": "krb5",
                    "source_package_version": "1.22.1-2",
                    "version": "1.22.1-2"
                },
                "to_version": {
                    "source_package_name": "krb5",
                    "source_package_version": "1.22.1-2ubuntu4",
                    "version": "1.22.1-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144909,
                    2142893,
                    2142451,
                    2037321
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/default-enctype-list.patch: do not default to weak encryption",
                            "    algorithms (LP: #2144909)",
                            "  * d/NEWS: explain weak algorithms are no longer default options",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144909
                        ],
                        "author": "Athos Ribeiro <athos@ubuntu.com>",
                        "date": "Thu, 19 Mar 2026 10:48:16 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/fix-strchr-conformance-to-c23.patch: Fix FTBFS with glibc2.43",
                            "    (LP: #2142893)",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142893
                        ],
                        "author": "Guilherme Puida Moreira <guilherme.moreira@canonical.com>",
                        "date": "Wed, 04 Mar 2026 10:15:11 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix FTBFS test t_otp.py (LP: #2142451):",
                            "    - d/p/set-fork-start-method-t-otpy.patch: Python 3.14 changes the default",
                            "      start method of multiprocessing to 'forkserver'. This introduces issues",
                            "      in the test t_otp.py that does not use a main block. Set the start",
                            "      method to force 'fork' instead.",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142451
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Mon, 23 Feb 2026 11:02:32 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add autopkgtest for includedir-ordering (LP: #2037321):",
                            "    - d/tests/includedir-ordering: Add new test.",
                            "    - d/tests/kinit: Create /etc/krb5.conf.d/ directory if it doesn't exist.",
                            "    - d/tests/util: Prepend includedir /etc/krb5.conf.d/ for the configuration",
                            "      file created in create_realm.",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2037321
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Thu, 12 Feb 2026 16:15:24 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libgstreamer1.0-0:armhf",
                "from_version": {
                    "source_package_name": "gstreamer1.0",
                    "source_package_version": "1.28.0-2",
                    "version": "1.28.0-2"
                },
                "to_version": {
                    "source_package_name": "gstreamer1.0",
                    "source_package_version": "1.28.1-1",
                    "version": "1.28.1-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/control: update to Standards-Version 4.7.3",
                            "  * New upstream version 1.28.1",
                            ""
                        ],
                        "package": "gstreamer1.0",
                        "version": "1.28.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Leeman <marc.leeman@gmail.com>",
                        "date": "Thu, 26 Feb 2026 09:13:18 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libibverbs1:armhf",
                "from_version": {
                    "source_package_name": "rdma-core",
                    "source_package_version": "61.0-2ubuntu1",
                    "version": "61.0-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "rdma-core",
                    "source_package_version": "61.0-2ubuntu3",
                    "version": "61.0-2ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2140324
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/providers-mana-no-check-cqid.patch: Patching from upstream's",
                            "    commit for providers/mana: do not check cqid on creation",
                            "    (LP: #2140324).",
                            ""
                        ],
                        "package": "rdma-core",
                        "version": "61.0-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2140324
                        ],
                        "author": "Miriam España Acebal <miriam.espana@canonical.com>",
                        "date": "Wed, 04 Feb 2026 12:56:19 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild with Python 3.14 as default",
                            ""
                        ],
                        "package": "rdma-core",
                        "version": "61.0-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Graham Inggs <ginggs@ubuntu.com>",
                        "date": "Thu, 22 Jan 2026 21:54:05 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libicu78:armhf",
                "from_version": {
                    "source_package_name": "icu",
                    "source_package_version": "78.2-1ubuntu1",
                    "version": "78.2-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "icu",
                    "source_package_version": "78.2-2ubuntu1",
                    "version": "78.2-2ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - d/p/disable-precision-fpmath-tests-on-i386.patch: add a patch to disable",
                            "      precision checking tests on i386 where an imprecise FPU hardware is used",
                            ""
                        ],
                        "package": "icu",
                        "version": "78.2-2ubuntu1",
                        "urgency": "low",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Mon, 02 Mar 2026 18:55:38 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to Sid.",
                            ""
                        ],
                        "package": "icu",
                        "version": "78.2-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Laszlo Boszormenyi (GCS) <gcs@debian.org>",
                        "date": "Sun, 01 Mar 2026 07:33:36 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libjcat1:armhf",
                "from_version": {
                    "source_package_name": "libjcat",
                    "source_package_version": "0.2.5-1",
                    "version": "0.2.5-1"
                },
                "to_version": {
                    "source_package_name": "libjcat",
                    "source_package_version": "0.2.5-1build1",
                    "version": "0.2.5-1build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild for gpgme1.0 2.0",
                            ""
                        ],
                        "package": "libjcat",
                        "version": "0.2.5-1build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Thu, 19 Feb 2026 18:55:42 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libjson-c5:armhf",
                "from_version": {
                    "source_package_name": "json-c",
                    "source_package_version": "0.18+ds-2",
                    "version": "0.18+ds-2"
                },
                "to_version": {
                    "source_package_name": "json-c",
                    "source_package_version": "0.18+ds-3",
                    "version": "0.18+ds-3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/watch: fix mangle options for V5",
                            ""
                        ],
                        "package": "json-c",
                        "version": "0.18+ds-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Nicolas Mora <babelouest@debian.org>",
                        "date": "Thu, 12 Feb 2026 07:12:58 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libk5crypto3:armhf",
                "from_version": {
                    "source_package_name": "krb5",
                    "source_package_version": "1.22.1-2",
                    "version": "1.22.1-2"
                },
                "to_version": {
                    "source_package_name": "krb5",
                    "source_package_version": "1.22.1-2ubuntu4",
                    "version": "1.22.1-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144909,
                    2142893,
                    2142451,
                    2037321
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/default-enctype-list.patch: do not default to weak encryption",
                            "    algorithms (LP: #2144909)",
                            "  * d/NEWS: explain weak algorithms are no longer default options",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144909
                        ],
                        "author": "Athos Ribeiro <athos@ubuntu.com>",
                        "date": "Thu, 19 Mar 2026 10:48:16 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/fix-strchr-conformance-to-c23.patch: Fix FTBFS with glibc2.43",
                            "    (LP: #2142893)",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142893
                        ],
                        "author": "Guilherme Puida Moreira <guilherme.moreira@canonical.com>",
                        "date": "Wed, 04 Mar 2026 10:15:11 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix FTBFS test t_otp.py (LP: #2142451):",
                            "    - d/p/set-fork-start-method-t-otpy.patch: Python 3.14 changes the default",
                            "      start method of multiprocessing to 'forkserver'. This introduces issues",
                            "      in the test t_otp.py that does not use a main block. Set the start",
                            "      method to force 'fork' instead.",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142451
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Mon, 23 Feb 2026 11:02:32 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add autopkgtest for includedir-ordering (LP: #2037321):",
                            "    - d/tests/includedir-ordering: Add new test.",
                            "    - d/tests/kinit: Create /etc/krb5.conf.d/ directory if it doesn't exist.",
                            "    - d/tests/util: Prepend includedir /etc/krb5.conf.d/ for the configuration",
                            "      file created in create_realm.",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2037321
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Thu, 12 Feb 2026 16:15:24 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libkrb5-3:armhf",
                "from_version": {
                    "source_package_name": "krb5",
                    "source_package_version": "1.22.1-2",
                    "version": "1.22.1-2"
                },
                "to_version": {
                    "source_package_name": "krb5",
                    "source_package_version": "1.22.1-2ubuntu4",
                    "version": "1.22.1-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144909,
                    2142893,
                    2142451,
                    2037321
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/default-enctype-list.patch: do not default to weak encryption",
                            "    algorithms (LP: #2144909)",
                            "  * d/NEWS: explain weak algorithms are no longer default options",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144909
                        ],
                        "author": "Athos Ribeiro <athos@ubuntu.com>",
                        "date": "Thu, 19 Mar 2026 10:48:16 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/fix-strchr-conformance-to-c23.patch: Fix FTBFS with glibc2.43",
                            "    (LP: #2142893)",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142893
                        ],
                        "author": "Guilherme Puida Moreira <guilherme.moreira@canonical.com>",
                        "date": "Wed, 04 Mar 2026 10:15:11 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix FTBFS test t_otp.py (LP: #2142451):",
                            "    - d/p/set-fork-start-method-t-otpy.patch: Python 3.14 changes the default",
                            "      start method of multiprocessing to 'forkserver'. This introduces issues",
                            "      in the test t_otp.py that does not use a main block. Set the start",
                            "      method to force 'fork' instead.",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142451
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Mon, 23 Feb 2026 11:02:32 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add autopkgtest for includedir-ordering (LP: #2037321):",
                            "    - d/tests/includedir-ordering: Add new test.",
                            "    - d/tests/kinit: Create /etc/krb5.conf.d/ directory if it doesn't exist.",
                            "    - d/tests/util: Prepend includedir /etc/krb5.conf.d/ for the configuration",
                            "      file created in create_realm.",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2037321
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Thu, 12 Feb 2026 16:15:24 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libkrb5support0:armhf",
                "from_version": {
                    "source_package_name": "krb5",
                    "source_package_version": "1.22.1-2",
                    "version": "1.22.1-2"
                },
                "to_version": {
                    "source_package_name": "krb5",
                    "source_package_version": "1.22.1-2ubuntu4",
                    "version": "1.22.1-2ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144909,
                    2142893,
                    2142451,
                    2037321
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/default-enctype-list.patch: do not default to weak encryption",
                            "    algorithms (LP: #2144909)",
                            "  * d/NEWS: explain weak algorithms are no longer default options",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144909
                        ],
                        "author": "Athos Ribeiro <athos@ubuntu.com>",
                        "date": "Thu, 19 Mar 2026 10:48:16 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/fix-strchr-conformance-to-c23.patch: Fix FTBFS with glibc2.43",
                            "    (LP: #2142893)",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142893
                        ],
                        "author": "Guilherme Puida Moreira <guilherme.moreira@canonical.com>",
                        "date": "Wed, 04 Mar 2026 10:15:11 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix FTBFS test t_otp.py (LP: #2142451):",
                            "    - d/p/set-fork-start-method-t-otpy.patch: Python 3.14 changes the default",
                            "      start method of multiprocessing to 'forkserver'. This introduces issues",
                            "      in the test t_otp.py that does not use a main block. Set the start",
                            "      method to force 'fork' instead.",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142451
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Mon, 23 Feb 2026 11:02:32 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add autopkgtest for includedir-ordering (LP: #2037321):",
                            "    - d/tests/includedir-ordering: Add new test.",
                            "    - d/tests/kinit: Create /etc/krb5.conf.d/ directory if it doesn't exist.",
                            "    - d/tests/util: Prepend includedir /etc/krb5.conf.d/ for the configuration",
                            "      file created in create_realm.",
                            ""
                        ],
                        "package": "krb5",
                        "version": "1.22.1-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2037321
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Thu, 12 Feb 2026 16:15:24 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "liblastlog2-2:armhf",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.2-4ubuntu3",
                    "version": "2.41.2-4ubuntu3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.3-3ubuntu2",
                    "version": "2.41.3-3ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142050
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ubuntu/su-pty-drop-caps.patch: harden 'su --pty' to temporarily lower",
                            "    capabilities while proxying between stdin/stdout and the pty master. This",
                            "    is to avoid su from being used to exploit kernel vulnerabilities.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:09:23 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142050). Remaining changes:",
                            "    - Add sulogin-fallback-static-sh.patch",
                            "      Add support for /bin/static-sh as fallback if the regular shell fails to",
                            "      execute. Patch ported from sysvinit. (see LP #505887)",
                            "    - Add sulogin-lockedpwd.patch",
                            "      Make sure file systems can be fixed on machines with locked root",
                            "      accounts (as Ubuntu does by default). Don't require --force for sulogin.",
                            "    - d/rules: disable libmount mountfs support",
                            "      Disable brand new feature with --disable-libmount-mountfd-support that",
                            "      causes inability to deploy MAAS LP #2037417.",
                            "  * Dropped changes applied upstream:",
                            "    - SECURITY UPDATE: heap overread with 256-byte usernames",
                            "      + debian/patches/CVE-2025-14104-1.patch: add length check in",
                            "        login-utils/setpwnam.c.",
                            "      + debian/patches/CVE-2025-14104-2.patch: update buflen in",
                            "        login-utils/setpwnam.c.",
                            "      + CVE-2025-14104",
                            "  * Dropped changes as they were no longer necessary:",
                            "    - d/p/ubuntu/lp-2030793-make-check-pidfd.patch",
                            "      This patch only effected kernel versions below 5.15 which are not",
                            "      available on resolute.",
                            "    - d/p/u/lp-2112552-tests-mark-mkfds-multiplexing-as-known-fail.patch",
                            "      The underlying bug was addressed in rust-coreutils.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142050
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Sun, 15 Feb 2026 17:43:12 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/libsmartcols1.symbols: drop terminal crap",
                            "  * d/rules: make dpkg-gensymbols more strict",
                            "  * lintian: ignore groff-message tags",
                            "  * lintian: ignore groff-message tags in remaining packages",
                            "  * Add upstream patches",
                            "    * unshare: fix user namespace bind mounts",
                            "    * unshare: remove get_mnt_ino() check in bind_ns_files_from_child()",
                            "    * unshare: add --owner to set user namespace owner uid and gid",
                            "    * libfdisk: modernize ZFS GPT type description",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 31 Dec 2025 13:06:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * util-linux: do not fail postinst/prerm if update-alternatives is missing",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 17 Dec 2025 10:42:28 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Stop installing lastlog2-import.service",
                            "  * New upstream release, fixing CVE-2025-14104. (Closes: #1122058)",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Tue, 16 Dec 2025 20:37:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libllvm21:armhf",
                "from_version": {
                    "source_package_name": "llvm-toolchain-21",
                    "source_package_version": "1:21.1.8-1ubuntu1",
                    "version": "1:21.1.8-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "llvm-toolchain-21",
                    "source_package_version": "1:21.1.8-4ubuntu2",
                    "version": "1:21.1.8-4ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2138890,
                    2138890,
                    2138890
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Regenerate the control file.",
                            "    - Use RVA23U64 profile in clang (LP #2116086).",
                            "    - d/rules: Remove i386 from CLANG_GRPC_ARCHS (not built on i386).",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-4ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 21:51:56 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Matthias Klose ]",
                            "  * d/rules: Fix self-referencing macro.",
                            "  * Stop building packages now built by LLVM 22.",
                            "  * d/rules: Don't use lld for backport build, when not available.",
                            "  * d/rules: Add safety check for enablement of the RVA23 baseline.",
                            "  * d/rules: Only disable Z3 support for Ubuntu when it is in main.",
                            "  * Install a lit binary. Closes: #1122910.",
                            "  * llvm-tools: Don't install the lit tests. Closes: #1122909.",
                            "",
                            "  [ Sylvestre Ledru ]",
                            "  * Fix autopkgtest failure with CMake 4. thanks to Adrian Bunk",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Fri, 27 Feb 2026 17:29:38 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Regenerate the control file.",
                            "    - Use RVA23U64 profile in clang (LP #2116086).",
                            "    - d/rules: Remove i386 from CLANG_GRPC_ARCHS (not built on i386).",
                            "  * Stop building packages now built from LLVM 22.",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 05 Feb 2026 11:23:42 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Matthias Klose ]",
                            "  * d/llvm-X.Y-tools.bcep.in: Fix Python 3.14 byte compilation by adding",
                            "    an exception for shtest-encoding.py test file containing non-UTF-8",
                            "    characters (Igor Luppi). Closes: #1125352. LP: #2138890.",
                            "  * Enable libunwind on s390x (Michael R. Crusoe). Closes: #1126263.",
                            "",
                            "  [ Fabian Grünbichler ]",
                            "  * d/rules: Work around cmake 4.x compat issue. Closes: #1125733.",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2138890
                        ],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Tue, 03 Feb 2026 12:25:57 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/llvm-X.Y-tools.bcep.in: fix bcep exception pattern (LP: #2138890).",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138890
                        ],
                        "author": "Igor Luppi <igor.luppi@canonical.com>",
                        "date": "Mon, 02 Feb 2026 11:59:53 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick change from Debian git",
                            "  [ Matthias Klose ]",
                            "  * d/llvm-X.Y-tools.bcep.in: Fix Python 3.14 byte compilation by adding",
                            "    an exception for shtest-encoding.py test file containing non-UTF-8",
                            "    characters (Igor Luppi). LP: #2138890.",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138890
                        ],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Sat, 31 Jan 2026 19:43:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Regenerate the control file.",
                            "    - Use RVA23U64 profile in clang (LP #2116086).",
                            "    - d/rules: Remove i386 from CLANG_GRPC_ARCHS (not built on i386).",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-2ubuntu1",
                        "urgency": "low",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Mon, 26 Jan 2026 20:25:27 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Stop building multilibs on s390x. Closes: #1125253.",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Tue, 20 Jan 2026 05:14:27 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "liblz4-1:armhf",
                "from_version": {
                    "source_package_name": "lz4",
                    "source_package_version": "1.10.0-6",
                    "version": "1.10.0-6"
                },
                "to_version": {
                    "source_package_name": "lz4",
                    "source_package_version": "1.10.0-8",
                    "version": "1.10.0-8"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/tests/control: Remove architecture-dependent packages from Depends",
                            ""
                        ],
                        "package": "lz4",
                        "version": "1.10.0-8",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Nobuhiro Iwamatsu <iwamatsu@debian.org>",
                        "date": "Tue, 24 Feb 2026 22:28:42 +0900"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/tests: Enable Autopkgtest.",
                            ""
                        ],
                        "package": "lz4",
                        "version": "1.10.0-7",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Nobuhiro Iwamatsu <iwamatsu@debian.org>",
                        "date": "Wed, 10 Dec 2025 14:02:54 +0900"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libmagic-mgc",
                "from_version": {
                    "source_package_name": "file",
                    "source_package_version": "1:5.46-5build1",
                    "version": "1:5.46-5build1"
                },
                "to_version": {
                    "source_package_name": "file",
                    "source_package_version": "1:5.46-5build2",
                    "version": "1:5.46-5build2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "file",
                        "version": "1:5.46-5build2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:37:37 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libmagic1t64:armhf",
                "from_version": {
                    "source_package_name": "file",
                    "source_package_version": "1:5.46-5build1",
                    "version": "1:5.46-5build1"
                },
                "to_version": {
                    "source_package_name": "file",
                    "source_package_version": "1:5.46-5build2",
                    "version": "1:5.46-5build2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "file",
                        "version": "1:5.46-5build2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:37:37 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libmm-glib0:armhf",
                "from_version": {
                    "source_package_name": "modemmanager",
                    "source_package_version": "1.24.2-2fakesync1",
                    "version": "1.24.2-2fakesync1"
                },
                "to_version": {
                    "source_package_name": "modemmanager",
                    "source_package_version": "1.25.95-1ubuntu1",
                    "version": "1.25.95-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2130166
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fake sync due to mismatching orig tarball",
                            ""
                        ],
                        "package": "modemmanager",
                        "version": "1.24.2-2fakesync1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Fri, 12 Dec 2025 10:22:09 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Helmut Grohne ]",
                            "  * Improve cross building: (Closes: #1087277)",
                            "    + Move documentation dependencies to B-D-I.",
                            "    + Mark python3-dbus and python3-gi with the nocheck build profile.",
                            "",
                            "  [ Arnaud Ferraris ]",
                            "  * d/control: fix gobject-introspection dependencies",
                            "    `libgirepository1.0-dev` shouldn't be used anymore as it isn't",
                            "    multiarch-friendly. Instead, use a recent `gobject-introspection` and",
                            "    explicitly (build) depend on the needed `gir1.2-*-dev` packages.",
                            "    (Closes: #1118899)",
                            "  * d/gbp.conf: add default commit messages.",
                            "    This makes it more consistent with other packages for which I'm the",
                            "    primary maintainer.",
                            "  * d/watch: convert to version 5.",
                            "    Use the new Gitlab template for easier management, but override the",
                            "    matching pattern so we only get stable (pre)releases, which have an even",
                            "    minor version number.",
                            "  * d/copyright: fix copyright notice for mmcli.",
                            "    This is actually GPL-2+, not GPL-3. (Closes: #1116309)",
                            ""
                        ],
                        "package": "modemmanager",
                        "version": "1.24.2-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Arnaud Ferraris <aferraris@debian.org>",
                        "date": "Wed, 29 Oct 2025 17:27:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fake sync due to mismatching orig tarball (LP: #2130166)",
                            ""
                        ],
                        "package": "modemmanager",
                        "version": "1.24.2-1fakesync1",
                        "urgency": "medium",
                        "distributions": "resolute-proposed",
                        "launchpad_bugs_fixed": [
                            2130166
                        ],
                        "author": "Jeremy Bícha <jbicha@ubuntu.com>",
                        "date": "Tue, 28 Oct 2025 16:54:41 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release (Closes: #1110197)",
                            "  * d/control: drop Rules-Requires-Root.",
                            "    This is no longer needed.",
                            ""
                        ],
                        "package": "modemmanager",
                        "version": "1.24.2-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Arnaud Ferraris <aferraris@debian.org>",
                        "date": "Mon, 11 Aug 2025 12:00:42 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": true
            },
            {
                "name": "libmount1:armhf",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.2-4ubuntu3",
                    "version": "2.41.2-4ubuntu3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.3-3ubuntu2",
                    "version": "2.41.3-3ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142050
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ubuntu/su-pty-drop-caps.patch: harden 'su --pty' to temporarily lower",
                            "    capabilities while proxying between stdin/stdout and the pty master. This",
                            "    is to prevent su from being used to exploit kernel vulnerabilities.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:09:23 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142050). Remaining changes:",
                            "    - Add sulogin-fallback-static-sh.patch",
                            "      Add support for /bin/static-sh as fallback if the regular shell fails to",
                            "      execute. Patch ported from sysvinit. (see LP #505887)",
                            "    - Add sulogin-lockedpwd.patch",
                            "      Make sure file systems can be fixed on machines with locked root",
                            "      accounts (as Ubuntu does by default). Don't require --force for sulogin.",
                            "    - d/rules: disable libmount mountfs support",
                            "      Disable brand new feature with --disable-libmount-mountfd-support that",
                            "      causes inability to deploy MAAS LP #2037417.",
                            "  * Dropped changes applied upstream:",
                            "    - SECURITY UPDATE: heap overread with 256-byte usernames",
                            "      + debian/patches/CVE-2025-14104-1.patch: add length check in",
                            "        login-utils/setpwnam.c.",
                            "      + debian/patches/CVE-2025-14104-2.patch: update buflen in",
                            "        login-utils/setpwnam.c.",
                            "      + CVE-2025-14104",
                            "  * Dropped changes as they were no longer necessary:",
                            "    - d/p/ubuntu/lp-2030793-make-check-pidfd.patch",
                            "      This patch only affected kernel versions below 5.15 which are not",
                            "      available on resolute.",
                            "    - d/p/u/lp-2112552-tests-mark-mkfds-multiplexing-as-known-fail.patch",
                            "      The underlying bug was addressed in rust-coreutils.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142050
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Sun, 15 Feb 2026 17:43:12 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/libsmartcols1.symbols: drop terminal crap",
                            "  * d/rules: make dpkg-gensymbols more strict",
                            "  * lintian: ignore groff-message tags",
                            "  * lintian: ignore groff-message tags in remaining packages",
                            "  * Add upstream patches",
                            "    * unshare: fix user namespace bind mounts",
                            "    * unshare: remove get_mnt_ino() check in bind_ns_files_from_child()",
                            "    * unshare: add --owner to set user namespace owner uid and gid",
                            "    * libfdisk: modernize ZFS GPT type description",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 31 Dec 2025 13:06:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * util-linux: do not fail postinst/prerm if update-alternatives is missing",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 17 Dec 2025 10:42:28 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Stop installing lastlog2-import.service",
                            "  * New upstream release, fixing CVE-2025-14104. (Closes: #1122058)",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Tue, 16 Dec 2025 20:37:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libmpathcmd0",
                "from_version": {
                    "source_package_name": "multipath-tools",
                    "source_package_version": "0.12.0-1ubuntu2",
                    "version": "0.12.0-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "multipath-tools",
                    "source_package_version": "0.14.3-2ubuntu1",
                    "version": "0.14.3-2ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144005,
                    2135118,
                    2080474,
                    2142903
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2144005). Remaining changes:",
                            "    - d/rules: don't build the multipath-tools binary package on i386; only kpartx.",
                            "    - d/p/enable-find-multipaths.patch: re-enable find_multipaths by",
                            "      default -- see the removed 'add_find-multipaths.patch' (LP 1463046)",
                            "    - d/NEWS: add removal of kpartx-boot package",
                            "    - d/rules: remove -Bsymbolic-functions from LDFLAGS",
                            "    - d/rules: install friendly names multipath.conf by default",
                            "    - d/initramfs/scripts/init-top: ensure the bindings file exists before",
                            "      calling multipathd -B in the initramfs. This prevents multipathd -B from",
                            "      failing and exiting immediately (LP #2120444).",
                            "    - d/p/testsuite-no-lto: disable lto to workaround testsuite symbol wrapping",
                            "      (LP #2135118)",
                            "  * Dropped changes:",
                            "    - d/p/multipath-tools-Fix-ISO-C23-errors-with-strchr:",
                            "      Fix ISO C23 errors with strchr()",
                            "      [upstream in 0.14.0]",
                            "    - d/{rules,control}: enable testsuite (LP #2135118)",
                            "      [in 0.14.3-1]",
                            "    - d/initramfs: move the script stopping multipathd to init-bottom",
                            "      [in 0.13.0-1]",
                            "    - d/t/initramfs",
                            "      + determine extracted main cpio path dynamically",
                            "      + drop determine extracted main cpio path dynamically",
                            "      [cancel each other out]",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.14.3-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144005
                        ],
                        "author": "Jonas Jelten <jj@ubuntu.com>",
                        "date": "Mon, 16 Mar 2026 18:17:43 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [9ef22a2] Run testsuite only during Arch-builds",
                            "  * [2a6ef4b] Disable testsuite on loong64",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.14.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Mon, 02 Mar 2026 11:49:26 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Jonas Jelten ]",
                            "  * [d6c9eba] Enable testsuite (LP: #2135118)",
                            "",
                            "  [ Chris Hofstaedtler ]",
                            "  * [5c1230c] New upstream version 0.14.3 (Closes: #1128696)",
                            "  * [6e2361a] Rebase patches, use WARN_ONLY=1 in make invocation",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.14.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2135118
                        ],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Mon, 02 Mar 2026 10:37:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [c8842fd] New upstream version 0.13.0",
                            "  * [6951eae] d/rules: enable verbose upstream build",
                            "  * [3d82dad] initramfs: stop multipathd in init-bottom, not local-bottom.",
                            "    Ubuntu noticed that local-* scripts are not executed on systems with",
                            "    disks on network. (LP: #2080474)",
                            "  * [fc4b508] d/t/control: add linux-image-generic for Ubuntu",
                            "  * [1df3a76] d/libmpathpersist0.symbols: tighten internal symbols",
                            "  * [6aff684] initramfs: stop requesting old dmsetup_env hack",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.13.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2080474
                        ],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Sat, 20 Dec 2025 14:16:27 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/t/initramfs: drop determine extracted main cpio path dynamically",
                            "  * multipath-tools: Fix ISO C23 errors with strchr() (LP: #2142903)",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.12.0-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142903
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 02 Mar 2026 16:48:20 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libmpathpersist0",
                "from_version": {
                    "source_package_name": "multipath-tools",
                    "source_package_version": "0.12.0-1ubuntu2",
                    "version": "0.12.0-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "multipath-tools",
                    "source_package_version": "0.14.3-2ubuntu1",
                    "version": "0.14.3-2ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144005,
                    2135118,
                    2080474,
                    2142903
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2144005). Remaining changes:",
                            "    - d/rules: don't build the multipath-tools binary package on i386; only kpartx.",
                            "    - d/p/enable-find-multipaths.patch: re-enable find_multipaths by",
                            "      default -- see the removed 'add_find-multipaths.patch' (LP 1463046)",
                            "    - d/NEWS: add removal of kpartx-boot package",
                            "    - d/rules: remove -Bsymbolic-functions from LDFLAGS",
                            "    - d/rules: install friendly names multipath.conf by default",
                            "    - d/initramfs/scripts/init-top: ensure the bindings file exists before",
                            "      calling multipathd -B in the initramfs. This prevents multipathd -B from",
                            "      failing and exiting immediately (LP #2120444).",
                            "    - d/p/testsuite-no-lto: disable lto to workaround testsuite symbol wrapping",
                            "      (LP #2135118)",
                            "  * Dropped changes:",
                            "    - d/p/multipath-tools-Fix-ISO-C23-errors-with-strchr:",
                            "      Fix ISO C23 errors with strchr()",
                            "      [upstream in 0.14.0]",
                            "    - d/{rules,control}: enable testsuite (LP #2135118)",
                            "      [in 0.14.3-1]",
                            "    - d/initramfs: move the script stopping multipathd to init-bottom",
                            "      [in 0.13.0-1]",
                            "    - d/t/initramfs",
                            "      + determine extracted main cpio path dynamically",
                            "      + drop determine extracted main cpio path dynamically",
                            "      [cancel each other out]",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.14.3-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144005
                        ],
                        "author": "Jonas Jelten <jj@ubuntu.com>",
                        "date": "Mon, 16 Mar 2026 18:17:43 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [9ef22a2] Run testsuite only during Arch-builds",
                            "  * [2a6ef4b] Disable testsuite on loong64",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.14.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Mon, 02 Mar 2026 11:49:26 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Jonas Jelten ]",
                            "  * [d6c9eba] Enable testsuite (LP: #2135118)",
                            "",
                            "  [ Chris Hofstaedtler ]",
                            "  * [5c1230c] New upstream version 0.14.3 (Closes: #1128696)",
                            "  * [6e2361a] Rebase patches, use WARN_ONLY=1 in make invocation",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.14.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2135118
                        ],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Mon, 02 Mar 2026 10:37:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [c8842fd] New upstream version 0.13.0",
                            "  * [6951eae] d/rules: enable verbose upstream build",
                            "  * [3d82dad] initramfs: stop multipathd in init-bottom, not local-bottom.",
                            "    Ubuntu noticed that local-* scripts are not executed on systems with",
                            "    disks on network. (LP: #2080474)",
                            "  * [fc4b508] d/t/control: add linux-image-generic for Ubuntu",
                            "  * [1df3a76] d/libmpathpersist0.symbols: tighten internal symbols",
                            "  * [6aff684] initramfs: stop requesting old dmsetup_env hack",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.13.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2080474
                        ],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Sat, 20 Dec 2025 14:16:27 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/t/initramfs: drop determine extracted main cpio path dynamically",
                            "  * multipath-tools: Fix ISO C23 errors with strchr() (LP: #2142903)",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.12.0-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142903
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 02 Mar 2026 16:48:20 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libmultipath0",
                "from_version": {
                    "source_package_name": "multipath-tools",
                    "source_package_version": "0.12.0-1ubuntu2",
                    "version": "0.12.0-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "multipath-tools",
                    "source_package_version": "0.14.3-2ubuntu1",
                    "version": "0.14.3-2ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144005,
                    2135118,
                    2080474,
                    2142903
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2144005). Remaining changes:",
                            "    - d/rules: don't build the multipath-tools binary package on i386; only kpartx.",
                            "    - d/p/enable-find-multipaths.patch: re-enable find_multipaths by",
                            "      default -- see the removed 'add_find-multipaths.patch' (LP 1463046)",
                            "    - d/NEWS: add removal of kpartx-boot package",
                            "    - d/rules: remove -Bsymbolic-functions from LDFLAGS",
                            "    - d/rules: install friendly names multipath.conf by default",
                            "    - d/initramfs/scripts/init-top: ensure the bindings file exists before",
                            "      calling multipathd -B in the initramfs. This prevents multipathd -B from",
                            "      failing and exiting immediately (LP #2120444).",
                            "    - d/p/testsuite-no-lto: disable lto to workaround testsuite symbol wrapping",
                            "      (LP #2135118)",
                            "  * Dropped changes:",
                            "    - d/p/multipath-tools-Fix-ISO-C23-errors-with-strchr:",
                            "      Fix ISO C23 errors with strchr()",
                            "      [upstream in 0.14.0]",
                            "    - d/{rules,control}: enable testsuite (LP #2135118)",
                            "      [in 0.14.3-1]",
                            "    - d/initramfs: move the script stopping multipathd to init-bottom",
                            "      [in 0.13.0-1]",
                            "    - d/t/initramfs",
                            "      + determine extracted main cpio path dynamically",
                            "      + drop determine extracted main cpio path dynamically",
                            "      [cancel each other out]",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.14.3-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144005
                        ],
                        "author": "Jonas Jelten <jj@ubuntu.com>",
                        "date": "Mon, 16 Mar 2026 18:17:43 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [9ef22a2] Run testsuite only during Arch-builds",
                            "  * [2a6ef4b] Disable testsuite on loong64",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.14.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Mon, 02 Mar 2026 11:49:26 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Jonas Jelten ]",
                            "  * [d6c9eba] Enable testsuite (LP: #2135118)",
                            "",
                            "  [ Chris Hofstaedtler ]",
                            "  * [5c1230c] New upstream version 0.14.3 (Closes: #1128696)",
                            "  * [6e2361a] Rebase patches, use WARN_ONLY=1 in make invocation",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.14.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2135118
                        ],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Mon, 02 Mar 2026 10:37:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [c8842fd] New upstream version 0.13.0",
                            "  * [6951eae] d/rules: enable verbose upstream build",
                            "  * [3d82dad] initramfs: stop multipathd in init-bottom, not local-bottom.",
                            "    Ubuntu noticed that local-* scripts are not executed on systems with",
                            "    disks on network. (LP: #2080474)",
                            "  * [fc4b508] d/t/control: add linux-image-generic for Ubuntu",
                            "  * [1df3a76] d/libmpathpersist0.symbols: tighten internal symbols",
                            "  * [6aff684] initramfs: stop requesting old dmsetup_env hack",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.13.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2080474
                        ],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Sat, 20 Dec 2025 14:16:27 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/t/initramfs: drop determine extracted main cpio path dynamically",
                            "  * multipath-tools: Fix ISO C23 errors with strchr() (LP: #2142903)",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.12.0-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142903
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 02 Mar 2026 16:48:20 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnetplan1:armhf",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2-1ubuntu1",
                    "version": "1.2-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2-1ubuntu3",
                    "version": "1.2-1ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2139598,
                    2138802
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/lp2139598-execute-udev-rules-before-sriov-apply-service.patch:",
                            "    execute udev rules before starting sriov apply service (LP: #2139598)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2139598
                        ],
                        "author": "Robert Malz <robert.malz@canonical.com>",
                        "date": "Tue, 03 Mar 2026 12:44:43 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/lp-2138802-BlockingIOError-py314.patch: fix \"netplan try\" with python",
                            "    3.14 by handling BlockingIOError in addition to TypeError (LP: #2138802)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138802
                        ],
                        "author": "Andreas Hasenack <andreas.hasenack@canonical.com>",
                        "date": "Fri, 20 Feb 2026 11:25:14 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnewt0.52:armhf",
                "from_version": {
                    "source_package_name": "newt",
                    "source_package_version": "0.52.25-1ubuntu2",
                    "version": "0.52.25-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "newt",
                    "source_package_version": "0.52.25-1ubuntu3",
                    "version": "0.52.25-1ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "newt",
                        "version": "0.52.25-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:05:30 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnghttp2-14:armhf",
                "from_version": {
                    "source_package_name": "nghttp2",
                    "source_package_version": "1.64.0-1.1ubuntu2",
                    "version": "1.64.0-1.1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "nghttp2",
                    "source_package_version": "1.68.0-2",
                    "version": "1.68.0-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257,
                    2125171
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "nghttp2",
                        "version": "1.64.0-1.1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Wed, 11 Feb 2026 23:36:42 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/lp-2125171-remove-invalid-c23-macro.patch: Fix build with gcc15.",
                            "    Thanks to Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>. (LP: #2125171)",
                            ""
                        ],
                        "package": "nghttp2",
                        "version": "1.64.0-1.1ubuntu1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2125171
                        ],
                        "author": "Renan Rodrigo <renanrodrigo@canonical.com>",
                        "date": "Fri, 19 Sep 2025 00:33:01 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild for libxml2 soname change.",
                            ""
                        ],
                        "package": "nghttp2",
                        "version": "1.64.0-1.1build1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Tue, 20 May 2025 12:24:07 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": true
            },
            {
                "name": "libnss-systemd:armhf",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259-1ubuntu3",
                    "version": "259-1ubuntu3"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259.5-0ubuntu1",
                    "version": "259.5-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144032,
                    2143010,
                    2142900,
                    2142428,
                    2077538,
                    2142306,
                    2139822
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * New upstream stable version 259.5",
                            "    - Update upstream source from tag 'upstream/259.5'",
                            "      Update to upstream version '259.5'",
                            "      with Debian dir 1076161727931a7063674200c474ec7747a5177f",
                            "    - Bug fixes",
                            "",
                            "  [ Oliver Reiche ]",
                            "  * Fix issue overwriting /tmp on dist-upgrade (LP: #2144032)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.5-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144032
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:27:31 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.3",
                            "    - Update upstream source from tag 'upstream/259.3'",
                            "      Update to upstream version '259.3'",
                            "      with Debian dir 4fea3198a053eb40e77ea3ad3c3be030151f3f46",
                            "    - Bug fixes",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.3-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 06 Mar 2026 09:05:25 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Tag KFD and ACCEL devices for uaccess (LP: #2143010)",
                            "  * d/control: Add missing dh-dlopenlibdeps to b-d",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143010
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Tue, 03 Mar 2026 12:06:36 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.2",
                            "    - Bug fixes",
                            "    - Update upstream source from tag 'upstream/259.2'",
                            "      Update to upstream version '259.2'",
                            "      with Debian dir c25e0517a7a4ebd6d9009de0cf949dd265182a67",
                            "    - Drop lp2142428-seccomp-util-add-lsm_get_self_attr-and-lsm_list_modules-t.patch.",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/515816197e",
                            "  * test: use gnuenv to workaround broken --block-signal= (LP: #2142900)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142900
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 09:20:52 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * seccomp-util: add lsm_get_self_attr and lsm_list_modules to @default",
                            "    (LP: #2142428)",
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/p/lp2077538: Grant GPU rendering access to GNOME Remote Desktop",
                            "    (LP: #2077538, LP: #2142306)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142428,
                            2077538,
                            2142306
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 10:32:56 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - debian/systemd.postinst:",
                            "      + manually call systemd-tmpfiles --create in postinst",
                            "    - debian/control:",
                            "      + Add Recommends: systemd-resolved to systemd package",
                            "      + Make systemd-cryptsetup Priority: important",
                            "      + Give systemd-resolved Priority: important",
                            "      + Add Recommends: systemd-hwe-hwdb to udev package",
                            "      + Drop Recommends: libnss-myhostname libnss-resolve from systemd-resolved",
                            "      + Do not build systemd-boot-efi-{amd64,arm64}-signed-template",
                            "      + d/control: demote systemd-userdbd to Suggests for libnss-systemd",
                            "    - d/rules: disable bpf support on riscv64 for now (LP #2099864)",
                            "    - d/extra/dbus-1: remove SetLocale restriction from dbus policy (LP #2102028)",
                            "    - Delta for i386:",
                            "      + debian/systemd.install: exclude files that are not built for i386",
                            "      + debian/systemd.manpages: do not ship un-built manpages on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with tpm libraries on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with libqrencode on i386",
                            "      + debian/rules: Remove unneeded efi artifacts on i386 to avoid debugedit errors",
                            "    - debian/libnss-systemd.*:",
                            "      + debian/libnss-systemd.nss: install after 'compat' too (LP #2125403)",
                            "      + debian/libnss-systemd.preinst: force nsswitch.conf update",
                            "        Drop systemd instances in nsswitch.conf, and force postinst to",
                            "        re-generate the file (LP #2121017)",
                            "      + debian/libnss-systemd.nss: Install systemd service after files.",
                            "        As suggested by upstream the systemd NSS service should come just after",
                            "        files",
                            "    - debian/tests:",
                            "      + d/t/boot-and-services: use coreutils tunable in apparmor test (LP #2125614)",
                            "      + d/t/upstream: skip TEST-08-INITRD on Ubuntu (LP #2136419)",
                            "    - debian/patches:",
                            "      + switch-root: use MS_MOVE for /run when switching from initrd",
                            "      + test: skip TEST-50-DISSECT.dissect (LP #2116460)",
                            "      + test: skip TEST-13-NSPAWN.{nspawn,machined}  (LP #2136413)",
                            "  * Dropped changes, included upstream:",
                            "    - lp2136497-test-use-journalctl-n-option-instead-of-piping-to-head.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/2c661e5f0d",
                            "    - lp2136408-test-cope-with-uutils-coreutils-flag-parsing-for-date-com.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/a45dad1aa5",
                            "    - test-disable-pipefail-again-in-monitor_check_rr.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/ce35956b3a",
                            "    - resolve-include-current-DNS-server-in-JSON-again.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/0de941f937",
                            "    - lp2133402-ukify-omit-.osrel-section-when-os-release-is-empty.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/798a27a5b4",
                            "  * Dropped changes, no longer needed:",
                            "    - d/t/upstream: use GNU cp in test setup (LP #2122363)",
                            "      Fixed in rust-coreutils 0.5.0",
                            "    - lp2136752-test-workaround-uutils-dd-broken-pipe.patch",
                            "      Fixed in rust-coreutils 0.6.0",
                            "  * New changes:",
                            "    - d/libsystemd-shared.preinst: refuse to upgrade without unified cgroupv2 hierarchy",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 10 Feb 2026 14:05:53 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Drop dependencies on libcap-dev, no longer used since v259",
                            "  * Mark sd-userdbd as Multi-Arch: foreign (Closes: #1123615)",
                            "  * Use dh_installsystemd more to manage units. Ensure more units are",
                            "    handled as they are added to various packages",
                            "  * Use dh_installsystemd to handle journald and networkd",
                            "  * Use deb-systemd-invoke to reexec instead of manual calls. Allows the",
                            "    tool to handle the complications and use varlink where available",
                            "  * Increase number of sections of sd-stub on amd64 too. The default limit",
                            "    breaks adding more than 28 sections, which can happen with a UKI with",
                            "    many optional profiles. Bump it on amd64 too, at the cost of an extra",
                            "    ~80KB in size on the stub.",
                            "  * Update upstream source from tag 'upstream/259.1' Update to upstream",
                            "    version '259.1' with Debian dir",
                            "    f7a9425f1024ef75b5020a216f6be3d0af9ac227",
                            "  * Restrict the tpm2-generator manpage to arches where it is built",
                            "  * Install ask-password polkit policy file",
                            "",
                            "  [ Yu Watanabe ]",
                            "  * Drop use of deprecated options. These options are deprecated since",
                            "    v258.",
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * d/control: have systemd-boot depend on efibootmgr for amd64 and arm64",
                            "    only",
                            "  * d/tests: drop tests-in-lxd",
                            "  * d/control: make systemd-container Depends: libarchive13t64. This is",
                            "    needed for e.g. systemd-import-generator + rd.systemd.pull= to work",
                            "    properly. Dracut would like to be able to use that feature reliably",
                            "    when systemd-importd is available, so explicitly depend on libarchive.",
                            "    Currently, it is only a Suggests of libsystemd-shared via dlopen",
                            "    machinery. (LP: #2139822)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2139822
                        ],
                        "author": "Luca Boccassi <bluca@debian.org>",
                        "date": "Fri, 06 Feb 2026 18:37:22 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnss3:armhf",
                "from_version": {
                    "source_package_name": "nss",
                    "source_package_version": "2:3.120-1",
                    "version": "2:3.120-1"
                },
                "to_version": {
                    "source_package_name": "nss",
                    "source_package_version": "2:3.120-1ubuntu2",
                    "version": "2:3.120-1ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-2781",
                        "url": "https://ubuntu.com/security/CVE-2026-2781",
                        "cve_description": "Integer overflow in the Libraries component in NSS. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-24 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142897
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/c23-const.patch: fix build with glibc 2.43 (LP: #2142897)",
                            ""
                        ],
                        "package": "nss",
                        "version": "2:3.120-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142897
                        ],
                        "author": "Simon Poirier <simon.poirier@canonical.com>",
                        "date": "Wed, 11 Mar 2026 11:31:16 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-2781",
                                "url": "https://ubuntu.com/security/CVE-2026-2781",
                                "cve_description": "Integer overflow in the Libraries component in NSS. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-24 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: integer overflow in platform-independent ghash",
                            "    - debian/patches/CVE-2026-2781.patch: properly cast len in",
                            "      nss/lib/freebl/gcm.c.",
                            "    - CVE-2026-2781",
                            ""
                        ],
                        "package": "nss",
                        "version": "2:3.120-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 12:49:32 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libopeniscsiusr",
                "from_version": {
                    "source_package_name": "open-iscsi",
                    "source_package_version": "2.1.11-3ubuntu2",
                    "version": "2.1.11-3ubuntu2"
                },
                "to_version": {
                    "source_package_name": "open-iscsi",
                    "source_package_version": "2.1.11-3ubuntu3",
                    "version": "2.1.11-3ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143886
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/t/patch-image: also look for arch all packages (LP: #2143886)",
                            ""
                        ],
                        "package": "open-iscsi",
                        "version": "2.1.11-3ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143886
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Thu, 12 Mar 2026 00:48:53 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libp11-kit0:armhf",
                "from_version": {
                    "source_package_name": "p11-kit",
                    "source_package_version": "0.25.10-1",
                    "version": "0.25.10-1"
                },
                "to_version": {
                    "source_package_name": "p11-kit",
                    "source_package_version": "0.26.2-2",
                    "version": "0.26.2-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to unstable.",
                            ""
                        ],
                        "package": "p11-kit",
                        "version": "0.26.2-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andreas Metzler <ametzler@debian.org>",
                        "date": "Sat, 21 Feb 2026 13:58:53 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version.",
                            "  * update debian/copyright",
                            "  * [lintian] Drop redundant Priority: optional",
                            "  * [lintian] Drop redundant Rules-Requires-Root: no",
                            "  * [lintian] Drop now invalid kfreebsd-any arch-string in control file.",
                            ""
                        ],
                        "package": "p11-kit",
                        "version": "0.26.2-1",
                        "urgency": "low",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Andreas Metzler <ametzler@debian.org>",
                        "date": "Sun, 08 Feb 2026 16:35:36 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpam-systemd:armhf",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259-1ubuntu3",
                    "version": "259-1ubuntu3"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259.5-0ubuntu1",
                    "version": "259.5-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144032,
                    2143010,
                    2142900,
                    2142428,
                    2077538,
                    2142306,
                    2139822
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * New upstream stable version 259.5",
                            "    - Update upstream source from tag 'upstream/259.5'",
                            "      Update to upstream version '259.5'",
                            "      with Debian dir 1076161727931a7063674200c474ec7747a5177f",
                            "    - Bug fixes",
                            "",
                            "  [ Oliver Reiche ]",
                            "  * Fix issue overwriting /tmp on dist-upgrade (LP: #2144032)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.5-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144032
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:27:31 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.3",
                            "    - Update upstream source from tag 'upstream/259.3'",
                            "      Update to upstream version '259.3'",
                            "      with Debian dir 4fea3198a053eb40e77ea3ad3c3be030151f3f46",
                            "    - Bug fixes",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.3-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 06 Mar 2026 09:05:25 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Tag KFD and ACCEL devices for uaccess (LP: #2143010)",
                            "  * d/control: Add missing dh-dlopenlibdeps to b-d",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143010
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Tue, 03 Mar 2026 12:06:36 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.2",
                            "    - Bug fixes",
                            "    - Update upstream source from tag 'upstream/259.2'",
                            "      Update to upstream version '259.2'",
                            "      with Debian dir c25e0517a7a4ebd6d9009de0cf949dd265182a67",
                            "    - Drop lp2142428-seccomp-util-add-lsm_get_self_attr-and-lsm_list_modules-t.patch.",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/515816197e",
                            "  * test: use gnuenv to workaround broken --block-signal= (LP: #2142900)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142900
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 09:20:52 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * seccomp-util: add lsm_get_self_attr and lsm_list_modules to @default",
                            "    (LP: #2142428)",
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/p/lp2077538: Grant GPU rendering access to GNOME Remote Desktop",
                            "    (LP: #2077538, LP: #2142306)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142428,
                            2077538,
                            2142306
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 10:32:56 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - debian/systemd.postinst:",
                            "      + manually call systemd-tmpfiles --create in postinst",
                            "    - debian/control:",
                            "      + Add Recommends: systemd-resolved to systemd package",
                            "      + Make systemd-cryptsetup Priority: important",
                            "      + Give systemd-resolved Priority: important",
                            "      + Add Recommends: systemd-hwe-hwdb to udev package",
                            "      + Drop Recommends: libnss-myhostname libnss-resolve from systemd-resolved",
                            "      + Do not build systemd-boot-efi-{amd64,arm64}-signed-template",
                            "      + d/control: demote systemd-userdbd to Suggests for libnss-systemd",
                            "    - d/rules: disable bpf support on riscv64 for now (LP #2099864)",
                            "    - d/extra/dbus-1: remove SetLocale restriction from dbus policy (LP #2102028)",
                            "    - Delta for i386:",
                            "      + debian/systemd.install: exclude files that are not built for i386",
                            "      + debian/systemd.manpages: do not ship un-built manpages on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with tpm libraries on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with libqrencode on i386",
                            "      + debian/rules: Remove unneeded efi artifacts on i386 to avoid debugedit errors",
                            "    - debian/libnss-systemd.*:",
                            "      + debian/libnss-systemd.nss: install after 'compat' too (LP #2125403)",
                            "      + debian/libnss-systemd.preinst: force nsswitch.conf update",
                            "        Drop systemd instances in nsswitch.conf, and force postinst to",
                            "        re-generate the file (LP #2121017)",
                            "      + debian/libnss-systemd.nss: Install systemd service after files.",
                            "        As suggested by upstream the systemd NSS service should come just after",
                            "        files",
                            "    - debian/tests:",
                            "      + d/t/boot-and-services: use coreutils tunable in apparmor test (LP #2125614)",
                            "      + d/t/upstream: skip TEST-08-INITRD on Ubuntu (LP #2136419)",
                            "    - debian/patches:",
                            "      + switch-root: use MS_MOVE for /run when switching from initrd",
                            "      + test: skip TEST-50-DISSECT.dissect (LP #2116460)",
                            "      + test: skip TEST-13-NSPAWN.{nspawn,machined}  (LP #2136413)",
                            "  * Dropped changes, included upstream:",
                            "    - lp2136497-test-use-journalctl-n-option-instead-of-piping-to-head.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/2c661e5f0d",
                            "    - lp2136408-test-cope-with-uutils-coreutils-flag-parsing-for-date-com.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/a45dad1aa5",
                            "    - test-disable-pipefail-again-in-monitor_check_rr.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/ce35956b3a",
                            "    - resolve-include-current-DNS-server-in-JSON-again.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/0de941f937",
                            "    - lp2133402-ukify-omit-.osrel-section-when-os-release-is-empty.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/798a27a5b4",
                            "  * Dropped changes, no longer needed:",
                            "    - d/t/upstream: use GNU cp in test setup (LP #2122363)",
                            "      Fixed in rust-coreutils 0.5.0",
                            "    - lp2136752-test-workaround-uutils-dd-broken-pipe.patch",
                            "      Fixed in rust-coreutils 0.6.0",
                            "  * New changes:",
                            "    - d/libsystemd-shared.preinst: refuse to upgrade without unified cgroupv2 hierarchy",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 10 Feb 2026 14:05:53 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Drop dependencies on libcap-dev, no longer used since v259",
                            "  * Mark sd-userdbd as Multi-Arch: foreign (Closes: #1123615)",
                            "  * Use dh_installsystemd more to manage units. Ensure more units are",
                            "    handled as they are added to various packages",
                            "  * Use dh_installsystemd to handle journald and networkd",
                            "  * Use deb-systemd-invoke to reexec instead of manual calls. Allows the",
                            "    tool to handle the complications and use varlink where available",
                            "  * Increase number of sections of sd-stub on amd64 too. The default limit",
                            "    breaks adding more than 28 sections, which can happen with a UKI with",
                            "    many optional profiles. Bump it on amd64 too, at the cost of an extra",
                            "    ~80KB in size on the stub.",
                            "  * Update upstream source from tag 'upstream/259.1' Update to upstream",
                            "    version '259.1' with Debian dir",
                            "    f7a9425f1024ef75b5020a216f6be3d0af9ac227",
                            "  * Restrict the tpm2-generator manpage to arches where it is built",
                            "  * Install ask-password polkit policy file",
                            "",
                            "  [ Yu Watanabe ]",
                            "  * Drop use of deprecated options. These options are deprecated since",
                            "    v258.",
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * d/control: have systemd-boot depend on efibootmgr for amd64 and arm64",
                            "    only",
                            "  * d/tests: drop tests-in-lxd",
                            "  * d/control: make systemd-container Depends: libarchive13t64. This is",
                            "    needed for e.g. systemd-import-generator + rd.systemd.pull= to work",
                            "    properly. Dracut would like to be able to use that feature reliably",
                            "    when systemd-importd is available, so explicitly depend on libarchive.",
                            "    Currently, it is only a Suggests of libsystemd-shared via dlopen",
                            "    machinery. (LP: #2139822)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2139822
                        ],
                        "author": "Luca Boccassi <bluca@debian.org>",
                        "date": "Fri, 06 Feb 2026 18:37:22 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpcap0.8t64:armhf",
                "from_version": {
                    "source_package_name": "libpcap",
                    "source_package_version": "1.10.5-2ubuntu3",
                    "version": "1.10.5-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "libpcap",
                    "source_package_version": "1.10.6-1ubuntu1",
                    "version": "1.10.6-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-11961",
                        "url": "https://ubuntu.com/security/CVE-2025-11961",
                        "cve_description": "pcap_ether_aton() is an auxiliary function in libpcap, it takes a string argument and returns a fixed-size allocated buffer.  The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented.  If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer.",
                        "cve_priority": "low",
                        "cve_public_date": "2025-12-31 01:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Add Build-Depends on libibverbs-dev to enable RDMA support.",
                            "      LP #2006557.",
                            "    - Have -dev package depend on libibverbs-dev per pkgconfig",
                            "    - Don't require ibverbs on i386",
                            ""
                        ],
                        "package": "libpcap",
                        "version": "1.10.6-1ubuntu1",
                        "urgency": "low",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Tue, 17 Feb 2026 09:53:24 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-11961",
                                "url": "https://ubuntu.com/security/CVE-2025-11961",
                                "cve_description": "pcap_ether_aton() is an auxiliary function in libpcap, it takes a string argument and returns a fixed-size allocated buffer.  The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented.  If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer.",
                                "cve_priority": "low",
                                "cve_public_date": "2025-12-31 01:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Team upload.",
                            "  * New upstream version 1.10.6",
                            "    - Fixes CVE-2025-11961 (Closes: #1124381)",
                            "  * Switch watch file format to version 5",
                            "  * Update signing key E089DEF1D9C15D0D (extended until 2026-05-10)",
                            "  * Add d/upstream/metadata",
                            "  * d/control:",
                            "    - Remove redundant \"Rules-Requires-Root: no\"",
                            "    - Remove redundant \"Priority: optional\"",
                            "    - Bump Standards-Version to 4.7.3 (no changes required)",
                            "  * Overhaul d/copyright, rewrite in machine-readable format",
                            ""
                        ],
                        "package": "libpcap",
                        "version": "1.10.6-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Peter Wienemann <wiene@debian.org>",
                        "date": "Sun, 15 Feb 2026 19:18:22 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libperl5.40:armhf",
                "from_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-6build1",
                    "version": "5.40.1-6build1"
                },
                "to_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-7build1",
                    "version": "5.40.1-7build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Reupload to resolute",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.40.1-7build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Sebastien Bacher <seb128@ubuntu.com>",
                        "date": "Tue, 17 Mar 2026 11:45:39 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Helmut Grohne ]",
                            "  * Add libcrypt-dev to libperl-dev's Depends. (Closes: #1102978)",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.40.1-7",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Niko Tyni <ntyni@debian.org>",
                        "date": "Sun, 16 Nov 2025 22:01:11 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libplymouth5:armhf",
                "from_version": {
                    "source_package_name": "plymouth",
                    "source_package_version": "24.004.60+git20250831.4a3c171d-0ubuntu6",
                    "version": "24.004.60+git20250831.4a3c171d-0ubuntu6"
                },
                "to_version": {
                    "source_package_name": "plymouth",
                    "source_package_version": "24.004.60+git20250831.4a3c171d-0ubuntu8",
                    "version": "24.004.60+git20250831.4a3c171d-0ubuntu8"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2116296
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/local/spinner:",
                            "    - Update spinner to use Resolute loader",
                            "    - Increase number of animation stills to 60",
                            ""
                        ],
                        "package": "plymouth",
                        "version": "24.004.60+git20250831.4a3c171d-0ubuntu8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Thu, 12 Mar 2026 15:27:04 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/force-scale-guessing.patch:",
                            "    - Always \"guess\" the device scale (LP: #2116296)",
                            ""
                        ],
                        "package": "plymouth",
                        "version": "24.004.60+git20250831.4a3c171d-0ubuntu7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2116296
                        ],
                        "author": "Daniel van Vugt <daniel.van.vugt@canonical.com>",
                        "date": "Fri, 06 Mar 2026 11:35:01 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3-stdlib:armhf",
                "from_version": {
                    "source_package_name": "python3-defaults",
                    "source_package_version": "3.13.9-3",
                    "version": "3.13.9-3"
                },
                "to_version": {
                    "source_package_name": "python3-defaults",
                    "source_package_version": "3.14.3-0ubuntu1",
                    "version": "3.14.3-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Remove Python 3.13 as a supported version",
                            "  * Bump version to 3.14.3",
                            ""
                        ],
                        "package": "python3-defaults",
                        "version": "3.14.3-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Graham Inggs <ginggs@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 21:32:47 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to experimental.",
                            "  * Make Python 3.14 the default version.",
                            ""
                        ],
                        "package": "python3-defaults",
                        "version": "3.14.2-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Sun, 11 Jan 2026 07:26:55 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.13-minimal:armhf",
                "from_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.12-1",
                    "version": "3.13.12-1"
                },
                "to_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.12-1ubuntu1",
                    "version": "3.13.12-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-0865",
                        "url": "https://ubuntu.com/security/CVE-2026-0865",
                        "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-0865",
                                "url": "https://ubuntu.com/security/CVE-2026-0865",
                                "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY REGRESSION: Allow HTAB in wsgiref header values",
                            "    - debian/patches/CVE-2026-0865-2.patch: Permit HTAB in header values",
                            "      (excluding names) in Lib/wsgiref/headers.py, add test coverage.",
                            "    - CVE-2026-0865 ",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.12-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Vyom Yadav <vyom.yadav@canonical.com>",
                        "date": "Tue, 03 Mar 2026 17:54:15 +0530"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.13-stdlib:armhf",
                "from_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.12-1",
                    "version": "3.13.12-1"
                },
                "to_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.12-1ubuntu1",
                    "version": "3.13.12-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-0865",
                        "url": "https://ubuntu.com/security/CVE-2026-0865",
                        "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-0865",
                                "url": "https://ubuntu.com/security/CVE-2026-0865",
                                "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY REGRESSION: Allow HTAB in wsgiref header values",
                            "    - debian/patches/CVE-2026-0865-2.patch: Permit HTAB in header values",
                            "      (excluding names) in Lib/wsgiref/headers.py, add test coverage.",
                            "    - CVE-2026-0865 ",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.12-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Vyom Yadav <vyom.yadav@canonical.com>",
                        "date": "Tue, 03 Mar 2026 17:54:15 +0530"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.14:armhf",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.3-1",
                    "version": "3.14.3-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.3-3",
                    "version": "3.14.3-3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update to the 3.14 branch 2026-03-21.",
                            "  * Drop build dependency on blt, gone since 3.13.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sat, 21 Mar 2026 12:37:05 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Drop explicit Build-Depends on quilt, it's only used in manual rules",
                            "    targets. Closes: #1129933.",
                            "  * Use dh_usrlocal to create /usr/local/python3.14/dist-packages.",
                            "    Closes: #1127103.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Update to the 3.14 branch 2026-03-11.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 11 Mar 2026 20:17:30 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.14-minimal:armhf",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.3-1",
                    "version": "3.14.3-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.3-3",
                    "version": "3.14.3-3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update to the 3.14 branch 2026-03-21.",
                            "  * Drop build dependency on blt, gone since 3.13.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sat, 21 Mar 2026 12:37:05 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Drop explicit Build-Depends on quilt, it's only used in manual rules",
                            "    targets. Closes: #1129933.",
                            "  * Use dh_usrlocal to create /usr/local/python3.14/dist-packages.",
                            "    Closes: #1127103.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Update to the 3.14 branch 2026-03-11.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 11 Mar 2026 20:17:30 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.14-stdlib:armhf",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.3-1",
                    "version": "3.14.3-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.3-3",
                    "version": "3.14.3-3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update to the 3.14 branch 2026-03-21.",
                            "  * Drop build dependency on blt, gone since 3.13.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sat, 21 Mar 2026 12:37:05 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Drop explicit Build-Depends on quilt, it's only used in manual rules",
                            "    targets. Closes: #1129933.",
                            "  * Use dh_usrlocal to create /usr/local/python3.14/dist-packages.",
                            "    Closes: #1127103.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Update to the 3.14 branch 2026-03-11.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 11 Mar 2026 20:17:30 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libreadline8t64:armhf",
                "from_version": {
                    "source_package_name": "readline",
                    "source_package_version": "8.3-3",
                    "version": "8.3-3"
                },
                "to_version": {
                    "source_package_name": "readline",
                    "source_package_version": "8.3-4",
                    "version": "8.3-4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Apply upstream patches 002-0031.",
                            "  * Bump standards version.",
                            ""
                        ],
                        "package": "readline",
                        "version": "8.3-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Fri, 13 Feb 2026 11:25:25 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsasl2-2:armhf",
                "from_version": {
                    "source_package_name": "cyrus-sasl2",
                    "source_package_version": "2.1.28+dfsg1-9ubuntu1",
                    "version": "2.1.28+dfsg1-9ubuntu1"
                },
                "to_version": {
                    "source_package_name": "cyrus-sasl2",
                    "source_package_version": "2.1.28+dfsg1-9ubuntu3",
                    "version": "2.1.28+dfsg1-9ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2142320,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Disable postgresql support in the libsasl2-modules-sql on i386 since",
                            "    postgresql is no longer built for that architecture (LP: #2142320):",
                            "    - d/control: don't build-depend on libpq-dev on i386",
                            "    - d/rules: only enable pgsql if not on i386",
                            ""
                        ],
                        "package": "cyrus-sasl2",
                        "version": "2.1.28+dfsg1-9ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142320
                        ],
                        "author": "Andreas Hasenack <andreas.hasenack@canonical.com>",
                        "date": "Fri, 20 Feb 2026 15:43:09 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "cyrus-sasl2",
                        "version": "2.1.28+dfsg1-9ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Fri, 06 Feb 2026 21:12:22 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsasl2-modules:armhf",
                "from_version": {
                    "source_package_name": "cyrus-sasl2",
                    "source_package_version": "2.1.28+dfsg1-9ubuntu1",
                    "version": "2.1.28+dfsg1-9ubuntu1"
                },
                "to_version": {
                    "source_package_name": "cyrus-sasl2",
                    "source_package_version": "2.1.28+dfsg1-9ubuntu3",
                    "version": "2.1.28+dfsg1-9ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2142320,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Disable postgresql support in the libsasl2-modules-sql on i386 since",
                            "    postgresql is no longer built for that architecture (LP: #2142320):",
                            "    - d/control: don't build-depend on libpq-dev on i386",
                            "    - d/rules: only enable pgsql if not on i386",
                            ""
                        ],
                        "package": "cyrus-sasl2",
                        "version": "2.1.28+dfsg1-9ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142320
                        ],
                        "author": "Andreas Hasenack <andreas.hasenack@canonical.com>",
                        "date": "Fri, 20 Feb 2026 15:43:09 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "cyrus-sasl2",
                        "version": "2.1.28+dfsg1-9ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Fri, 06 Feb 2026 21:12:22 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsasl2-modules-db:armhf",
                "from_version": {
                    "source_package_name": "cyrus-sasl2",
                    "source_package_version": "2.1.28+dfsg1-9ubuntu1",
                    "version": "2.1.28+dfsg1-9ubuntu1"
                },
                "to_version": {
                    "source_package_name": "cyrus-sasl2",
                    "source_package_version": "2.1.28+dfsg1-9ubuntu3",
                    "version": "2.1.28+dfsg1-9ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2142320,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Disable postgresql support in the libsasl2-modules-sql on i386 since",
                            "    postgresql is no longer built for that architecture (LP: #2142320):",
                            "    - d/control: don't build-depend on libpq-dev on i386",
                            "    - d/rules: only enable pgsql if not on i386",
                            ""
                        ],
                        "package": "cyrus-sasl2",
                        "version": "2.1.28+dfsg1-9ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142320
                        ],
                        "author": "Andreas Hasenack <andreas.hasenack@canonical.com>",
                        "date": "Fri, 20 Feb 2026 15:43:09 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "cyrus-sasl2",
                        "version": "2.1.28+dfsg1-9ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Fri, 06 Feb 2026 21:12:22 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libseccomp2:armhf",
                "from_version": {
                    "source_package_name": "libseccomp",
                    "source_package_version": "2.6.0-2ubuntu4",
                    "version": "2.6.0-2ubuntu4"
                },
                "to_version": {
                    "source_package_name": "libseccomp",
                    "source_package_version": "2.6.0-2ubuntu5",
                    "version": "2.6.0-2ubuntu5"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "libseccomp",
                        "version": "2.6.0-2ubuntu5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 11:30:57 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libselinux1:armhf",
                "from_version": {
                    "source_package_name": "libselinux",
                    "source_package_version": "3.9-4",
                    "version": "3.9-4"
                },
                "to_version": {
                    "source_package_name": "libselinux",
                    "source_package_version": "3.9-4build1",
                    "version": "3.9-4build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "libselinux",
                        "version": "3.9-4build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:05:23 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsemanage-common",
                "from_version": {
                    "source_package_name": "libsemanage",
                    "source_package_version": "3.9-1",
                    "version": "3.9-1"
                },
                "to_version": {
                    "source_package_name": "libsemanage",
                    "source_package_version": "3.9-1build1",
                    "version": "3.9-1build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "libsemanage",
                        "version": "3.9-1build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 11:32:37 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsemanage2:armhf",
                "from_version": {
                    "source_package_name": "libsemanage",
                    "source_package_version": "3.9-1",
                    "version": "3.9-1"
                },
                "to_version": {
                    "source_package_name": "libsemanage",
                    "source_package_version": "3.9-1build1",
                    "version": "3.9-1build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "libsemanage",
                        "version": "3.9-1build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 11:32:37 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsgutils2-1.48:armhf",
                "from_version": {
                    "source_package_name": "sg3-utils",
                    "source_package_version": "1.48-3ubuntu2",
                    "version": "1.48-3ubuntu2"
                },
                "to_version": {
                    "source_package_name": "sg3-utils",
                    "source_package_version": "1.48-3ubuntu3",
                    "version": "1.48-3ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2142775
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Recommend dracut as default initrd generator (LP: #2142775)",
                            ""
                        ],
                        "package": "sg3-utils",
                        "version": "1.48-3ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142775
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 18:12:12 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsmartcols1:armhf",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.2-4ubuntu3",
                    "version": "2.41.2-4ubuntu3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.3-3ubuntu2",
                    "version": "2.41.3-3ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142050
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ubuntu/su-pty-drop-caps.patch: harden 'su --pty' to temporarily lower",
                            "    capabilities while proxying between stdin/stdout and the pty master. This",
                            "    is to avoid su from being used to exploit kernel vulnerabilities.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:09:23 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142050). Remaining changes:",
                            "    - Add sulogin-fallback-static-sh.patch",
                            "      Add support for /bin/static-sh as fallback if the regular shell fails to",
                            "      execute. Patch ported from sysvinit. (see LP #505887)",
                            "    - Add sulogin-lockedpwd.patch",
                            "      Make sure file systems can be fixed on machines with locked root",
                            "      accounts (as Ubuntu does by default). Don't require --force for sulogin.",
                            "    - d/rules: disable libmount mountfs support",
                            "      Disable brand new feature with --disable-libmount-mountfd-support that",
                            "      causes inability to deploy MAAS LP #2037417.",
                            "  * Dropped changes applied upstream:",
                            "    - SECURITY UPDATE: heap overread with 256-byte usernames",
                            "      + debian/patches/CVE-2025-14104-1.patch: add length check in",
                            "        login-utils/setpwnam.c.",
                            "      + debian/patches/CVE-2025-14104-2.patch: update buflen in",
                            "        login-utils/setpwnam.c.",
                            "      + CVE-2025-14104",
                            "  * Dropped changes as they were no longer necessary:",
                            "    - d/p/ubuntu/lp-2030793-make-check-pidfd.patch",
                            "      This patch only effected kernel versions below 5.15 which are not",
                            "      available on resolute.",
                            "    - d/p/u/lp-2112552-tests-mark-mkfds-multiplexing-as-known-fail.patch",
                            "      The underlying bug was addressed in rust-coreutils.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142050
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Sun, 15 Feb 2026 17:43:12 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/libsmartcols1.symbols: drop terminal crap",
                            "  * d/rules: make dpkg-gensymbols more strict",
                            "  * lintian: ignore groff-message tags",
                            "  * lintian: ignore groff-message tags in remaining packages",
                            "  * Add upstream patches",
                            "    * unshare: fix user namespace bind mounts",
                            "    * unshare: remove get_mnt_ino() check in bind_ns_files_from_child()",
                            "    * unshare: add --owner to set user namespace owner uid and gid",
                            "    * libfdisk: modernize ZFS GPT type description",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 31 Dec 2025 13:06:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * util-linux: do not fail postinst/prerm if update-alternatives is missing",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 17 Dec 2025 10:42:28 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Stop installing lastlog2-import.service",
                            "  * New upstream release, fixing CVE-2025-14104. (Closes: #1122058)",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Tue, 16 Dec 2025 20:37:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libss2:armhf",
                "from_version": {
                    "source_package_name": "e2fsprogs",
                    "source_package_version": "1.47.2-3ubuntu2",
                    "version": "1.47.2-3ubuntu2"
                },
                "to_version": {
                    "source_package_name": "e2fsprogs",
                    "source_package_version": "1.47.2-3ubuntu4",
                    "version": "1.47.2-3ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2138219,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/rules: fix pkgconfig call that results in inability",
                            "    to find udev rules.d in dh_install. Patch supplied by",
                            "    Helmut Grohne in Debian bug 1126636. (LP: #2138219)",
                            ""
                        ],
                        "package": "e2fsprogs",
                        "version": "1.47.2-3ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138219
                        ],
                        "author": "John Chittum <john.chittum@canonical.com>",
                        "date": "Fri, 13 Feb 2026 07:17:00 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "e2fsprogs",
                        "version": "1.47.2-3ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:34:31 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libssh2-1t64:armhf",
                "from_version": {
                    "source_package_name": "libssh2",
                    "source_package_version": "1.11.1-1build1",
                    "version": "1.11.1-1build1"
                },
                "to_version": {
                    "source_package_name": "libssh2",
                    "source_package_version": "1.11.1-1build2",
                    "version": "1.11.1-1build2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "libssh2",
                        "version": "1.11.1-1build2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:42:48 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libssl3t64:armhf",
                "from_version": {
                    "source_package_name": "openssl",
                    "source_package_version": "3.5.3-1ubuntu2",
                    "version": "3.5.3-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "openssl",
                    "source_package_version": "3.5.5-1ubuntu1",
                    "version": "3.5.5-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-11187",
                        "url": "https://ubuntu.com/security/CVE-2025-11187",
                        "cve_description": "Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification.  Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations.  When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference.  Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity.  The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue.  OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15467",
                        "url": "https://ubuntu.com/security/CVE-2025-15467",
                        "cve_description": "Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.  Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.  When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.  Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.  OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15468",
                        "url": "https://ubuntu.com/security/CVE-2025-15468",
                        "cve_description": "Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs.  Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service.  Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported.  As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity.  The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support.  The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.  OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15469",
                        "url": "https://ubuntu.com/security/CVE-2025-15469",
                        "cve_description": "Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error.  Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated.  When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath.  The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected.  The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary.  OpenSSL 3.5 and 3.6 are vulnerable to this issue.  OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-66199",
                        "url": "https://ubuntu.com/security/CVE-2025-66199",
                        "cve_description": "Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit.  Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service).  In affected configurations, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. This length is not bounded by the max_cert_list setting, which otherwise constrains certificate message sizes. An attacker can exploit this to cause large per-connection allocations followed by handshake failure. No memory corruption or information disclosure occurs.  This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. Servers that do not request client certificates are not vulnerable to client-initiated attacks.  Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION to disable receiving compressed certificates.  The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.  OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68160",
                        "url": "https://ubuntu.com/security/CVE-2025-68160",
                        "cve_description": "Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.  Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.  The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69418",
                        "url": "https://ubuntu.com/security/CVE-2025-69418",
                        "cve_description": "Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated.  Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection.  The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes.  However, typical OpenSSL consumers using EVP are not affected because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites. The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69419",
                        "url": "https://ubuntu.com/security/CVE-2025-69419",
                        "cve_description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.  Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.  The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer.  The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. 
Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69420",
                        "url": "https://ubuntu.com/security/CVE-2025-69420",
                        "cve_description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.  Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. 
Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69421",
                        "url": "https://ubuntu.com/security/CVE-2025-69421",
                        "cve_description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.  Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.  The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.  Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. 
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-22795",
                        "url": "https://ubuntu.com/security/CVE-2026-22795",
                        "cve_description": "Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.  Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.  A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.  The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. 
This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-22796",
                        "url": "https://ubuntu.com/security/CVE-2026-22796",
                        "cve_description": "Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.  Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. 
The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9230",
                        "url": "https://ubuntu.com/security/CVE-2025-9230",
                        "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.  Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.  Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9231",
                        "url": "https://ubuntu.com/security/CVE-2025-9231",
                        "cve_description": "Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.  Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker..  While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.  OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts.  However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9232",
                        "url": "https://ubuntu.com/security/CVE-2025-9232",
                        "cve_description": "Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.  Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.  The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.  In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.  The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9230",
                        "url": "https://ubuntu.com/security/CVE-2025-9230",
                        "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.  Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.  Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9231",
                        "url": "https://ubuntu.com/security/CVE-2025-9231",
                        "cve_description": "Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.  Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker..  While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.  OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts.  However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9232",
                        "url": "https://ubuntu.com/security/CVE-2025-9232",
                        "cve_description": "Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.  Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.  The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.  In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.  The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2141941,
                    2141708,
                    2137464,
                    2133492
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Eric Berry ]",
                            "  * Enable CPU jitter fluctuations",
                            "  * Detect FIPS jitterentropy mode and load jitterentropy enabled FIPS",
                            "    provider (LP: #2141941)",
                            "",
                            "  [ Ravi Kant Sharma ]",
                            "  * Merge with Debian unstable (LP: #2141708). Remaining changes:",
                            "    - d/p/regex_match_ecp_nistp521-ppc64.patch",
                            "    - Use perl:native in the autopkgtest for installability on i386.",
                            "    - Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl",
                            "    - Disable LTO with which the codebase is generally incompatible",
                            "      (LP #2058017)",
                            "    - Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins",
                            "    - Don't enable or package anything FIPS (LP #2087955)",
                            "    - Match last filename for output in ecp_nistp521-ppc64.pl (LP #2137464)",
                            "    - Enable CPU jitter fluctuations",
                            "    - fips patches (debian/patches/fips):",
                            "      - crypto: Add kernel FIPS mode detection",
                            "      - crypto: Automatically use the FIPS provider...",
                            "      - apps/speed: Omit unavailable algorithms in FIPS mode",
                            "      - apps: pass -propquery arg to the libctx DRBG fetches",
                            "      - test: Ensure encoding runs with the correct context...",
                            "      - Add Ubuntu-specific defines to help FIPS certification (LP #2073991)",
                            "        + UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH",
                            "        + UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE",
                            "      - Detect FIPS jitterentropy mode and load jitterentropy enabled FIPS",
                            "        provider",
                            "  * Refreshed patches",
                            "    - fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch",
                            "    - fips/two-defines-for-fips-in-libssl-dev-headers.patch",
                            "    - fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.5.5-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2141941,
                            2141708
                        ],
                        "author": "Ravi Kant Sharma <ravi.kant.sharma@canonical.com>",
                        "date": "Sun, 15 Feb 2026 14:56:21 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-11187",
                                "url": "https://ubuntu.com/security/CVE-2025-11187",
                                "cve_description": "Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification.  Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations.  When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference.  Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity.  The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue.  OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15467",
                                "url": "https://ubuntu.com/security/CVE-2025-15467",
                                "cve_description": "Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.  Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.  When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.  Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.  OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. 
Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15468",
                                "url": "https://ubuntu.com/security/CVE-2025-15468",
                                "cve_description": "Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs.  Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service.  Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported.  As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity.  The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support.  The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.  OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15469",
                                "url": "https://ubuntu.com/security/CVE-2025-15469",
                                "cve_description": "Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error.  Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated.  When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath.  The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected.  The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary.  OpenSSL 3.5 and 3.6 are vulnerable to this issue.  OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-66199",
                                "url": "https://ubuntu.com/security/CVE-2025-66199",
                                "cve_description": "Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit.  Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service).  In affected configurations, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. This length is not bounded by the max_cert_list setting, which otherwise constrains certificate message sizes. An attacker can exploit this to cause large per-connection allocations followed by handshake failure. No memory corruption or information disclosure occurs.  This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. Servers that do not request client certificates are not vulnerable to client-initiated attacks.  Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION to disable receiving compressed certificates.  The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.  OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68160",
                                "url": "https://ubuntu.com/security/CVE-2025-68160",
                                "cve_description": "Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.  Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.  The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. 
For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69418",
                                "url": "https://ubuntu.com/security/CVE-2025-69418",
                                "cve_description": "Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69419",
                                "url": "https://ubuntu.com/security/CVE-2025-69419",
                                "cve_description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.  Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.  The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer.  The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. 
Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69420",
                                "url": "https://ubuntu.com/security/CVE-2025-69420",
                                "cve_description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.  Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. 
Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69421",
                                "url": "https://ubuntu.com/security/CVE-2025-69421",
                                "cve_description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.  Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.  The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.  Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. 
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-22795",
                                "url": "https://ubuntu.com/security/CVE-2026-22795",
                                "cve_description": "Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.  Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.  A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.  The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. 
This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-22796",
                                "url": "https://ubuntu.com/security/CVE-2026-22796",
                                "cve_description": "Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.  Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. 
The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Import 3.5.5",
                            "   - CVE-2025-11187 (Improper validation of PBMAC1 parameters in PKCS#12 MAC",
                            "     verification)",
                            "   - CVE-2025-15467 (Stack buffer overflow in CMS AuthEnvelopedData parsing)",
                            "   - CVE-2025-15468 (NULL dereference in SSL_CIPHER_find() function on unknown",
                            "     cipher ID)",
                            "   - CVE-2025-15469 (\"openssl dgst\" one-shot codepath silently truncates inputs",
                            "     >16MB)",
                            "   - CVE-2025-66199 (TLS 1.3 CompressedCertificate excessive memory allocation)",
                            "   - CVE-2025-68160 (Heap out-of-bounds write in BIO_f_linebuffer on short",
                            "     writes)",
                            "   - CVE-2025-69418 (Unauthenticated/unencrypted trailing bytes with low-level",
                            "     OCB function calls)",
                            "   - CVE-2025-69419 (Out of bounds write in PKCS12_get_friendlyname() UTF-8",
                            "     conversion)",
                            "   - CVE-2025-69420 (Missing ASN1_TYPE validation in TS_RESP_verify_response()",
                            "     function)",
                            "   - CVE-2025-69421 (NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex",
                            "     function)",
                            "   - CVE-2026-22795 (Missing ASN1_TYPE validation in PKCS#12 parsing)",
                            "   - CVE-2026-22796 (ASN1_TYPE Type Confusion in the",
                            "   - PKCS7_digest_from_attributes() function)",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.5.5-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sebastian Andrzej Siewior <sebastian@breakpoint.cc>",
                        "date": "Tue, 27 Jan 2026 21:09:55 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-9230",
                                "url": "https://ubuntu.com/security/CVE-2025-9230",
                                "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.  Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.  Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-9231",
                                "url": "https://ubuntu.com/security/CVE-2025-9231",
                                "cve_description": "Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.  Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker..  While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.  OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts.  However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-9232",
                                "url": "https://ubuntu.com/security/CVE-2025-9232",
                                "cve_description": "Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.  Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.  The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.  In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.  The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Match last filename for output in ecp_nistp521-ppc64.pl (LP: #2137464)",
                            "    - d/p/regex_match_ecp_nistp521-ppc64.patch",
                            "  * Drop patches, merged upstream",
                            "    - d/p/CVE-2025-9230.patch",
                            "    - d/p/CVE-2025-9231-1.patch",
                            "    - d/p/CVE-2025-9231-2.patch",
                            "    - d/p/CVE-2025-9232.patch ",
                            "  * Merge with Debian unstable (LP: #2133492). Remaining changes:",
                            "    - Use perl:native in the autopkgtest for installability on i386.",
                            "    - Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl",
                            "    - Disable LTO with which the codebase is generally incompatible (LP #2058017)",
                            "    - Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins",
                            "    - Don't enable or package anything FIPS (LP #2087955)",
                            "    - Match last filename for output in ecp_nistp521-ppc64.pl (LP #2137464)",
                            "    - fips patches (debian/patches/fips):",
                            "      - crypto: Add kernel FIPS mode detection",
                            "      - crypto: Automatically use the FIPS provider...",
                            "      - apps/speed: Omit unavailable algorithms in FIPS mode",
                            "      - apps: pass -propquery arg to the libctx DRBG fetches",
                            "      - test: Ensure encoding runs with the correct context...",
                            "      - Add Ubuntu-specific defines to help FIPS certification (LP #2073991)",
                            "        + UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH",
                            "        + UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.5.4-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2137464,
                            2133492
                        ],
                        "author": "Ravi Kant Sharma <ravi.kant.sharma@canonical.com>",
                        "date": "Thu, 08 Jan 2026 15:53:39 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-9230",
                                "url": "https://ubuntu.com/security/CVE-2025-9230",
                                "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.  Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.  Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-9231",
                                "url": "https://ubuntu.com/security/CVE-2025-9231",
                                "cve_description": "Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.  Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow an attacker to recover the private key.  While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.  OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts.  However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-9232",
                                "url": "https://ubuntu.com/security/CVE-2025-9232",
                                "cve_description": "Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.  Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.  The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.  In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.  The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Import 3.5.4",
                            "   - CVE-2025-9230 (Out-of-bounds read & write in RFC 3211 KEK Unwrap)",
                            "   - CVE-2025-9231 (Timing side-channel in SM2 algorithm on 64 bit ARM)",
                            "   - CVE-2025-9232 (Out-of-bounds read in HTTP client no_proxy handling)",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.5.4-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sebastian Andrzej Siewior <sebastian@breakpoint.cc>",
                        "date": "Tue, 30 Sep 2025 21:54:39 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libstdc++6:armhf",
                "from_version": {
                    "source_package_name": "gcc-16",
                    "source_package_version": "16-20260217-1ubuntu2",
                    "version": "16-20260217-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "gcc-16",
                    "source_package_version": "16-20260315-1ubuntu1",
                    "version": "16-20260315-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Build from upstream sources.",
                            "    - Work-around the 80GB chroot size on the Ubuntu buildds.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260315-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 15 Mar 2026 13:22:54 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260315).",
                            "  * Pass configure flags for libgcobol cross builds.",
                            "  * For backports, require binutils (>= 2.40) on riscv64.",
                            "  * libga68-dev: Depend on libgc-dev. Closes: #1130580.",
                            "  * Fix PR ada/107475 also for armhf and s390x.",
                            "  * Disable dwz on alpha, see PR dwz/33990.",
                            "  * Refresh patches.",
                            "  * Update libgcc-s, libcc1, lib*asan, liblsan, libtsan and libgcobol",
                            "    symbol files.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260315-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sun, 15 Mar 2026 13:17:23 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260308).",
                            "  * On riscv64, default again to RVA23.",
                            "  * Disable bootstrap build on riscv64 entirely for a quick build.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260308-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 08 Mar 2026 09:49:05 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260308).",
                            "  * Refresh cross-installation-location patch.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260308-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sun, 08 Mar 2026 09:34:40 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260307).",
                            "  * libsanitizer/TSan: Fix determining static TLS blocks. Addresses: #1126312.",
                            "  * Refresh patches.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260307-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sat, 07 Mar 2026 09:07:18 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260226).",
                            "  * On riscv64, default again to RVA23.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260226-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 06:09:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk (20260226). Also closes: #1128648.",
                            "  * Disable again profiled+lto build on armhf.",
                            "  * Fix s390x backport builds.",
                            "  * Disable dwz on riscv64, see https://sourceware.org/bugzilla/show_bug.cgi?id=33929.",
                            "  * Disable profiled+lto build. See https://gcc.gnu.org/PR124238.",
                            ""
                        ],
                        "package": "gcc-16",
                        "version": "16-20260226-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Thu, 26 Feb 2026 06:00:27 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsystemd-shared:armhf",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259-1ubuntu3",
                    "version": "259-1ubuntu3"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259.5-0ubuntu1",
                    "version": "259.5-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144032,
                    2143010,
                    2142900,
                    2142428,
                    2077538,
                    2142306,
                    2139822
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * New upstream stable version 259.5",
                            "    - Update upstream source from tag 'upstream/259.5'",
                            "      Update to upstream version '259.5'",
                            "      with Debian dir 1076161727931a7063674200c474ec7747a5177f",
                            "    - Bug fixes",
                            "",
                            "  [ Oliver Reiche ]",
                            "  * Fix issue overwriting /tmp on dist-upgrade (LP: #2144032)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.5-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144032
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:27:31 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.3",
                            "    - Update upstream source from tag 'upstream/259.3'",
                            "      Update to upstream version '259.3'",
                            "      with Debian dir 4fea3198a053eb40e77ea3ad3c3be030151f3f46",
                            "    - Bug fixes",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.3-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 06 Mar 2026 09:05:25 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Tag KFD and ACCEL devices for uaccess (LP: #2143010)",
                            "  * d/control: Add missing dh-dlopenlibdeps to b-d",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143010
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Tue, 03 Mar 2026 12:06:36 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.2",
                            "    - Bug fixes",
                            "    - Update upstream source from tag 'upstream/259.2'",
                            "      Update to upstream version '259.2'",
                            "      with Debian dir c25e0517a7a4ebd6d9009de0cf949dd265182a67",
                            "    - Drop lp2142428-seccomp-util-add-lsm_get_self_attr-and-lsm_list_modules-t.patch.",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/515816197e",
                            "  * test: use gnuenv to workaround broken --block-signal= (LP: #2142900)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142900
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 09:20:52 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * seccomp-util: add lsm_get_self_attr and lsm_list_modules to @default",
                            "    (LP: #2142428)",
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/p/lp2077538: Grant GPU rendering access to GNOME Remote Desktop",
                            "    (LP: #2077538, LP: #2142306)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142428,
                            2077538,
                            2142306
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 10:32:56 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - debian/systemd.postinst:",
                            "      + manually call systemd-tmpfiles --create in postinst",
                            "    - debian/control:",
                            "      + Add Recommends: systemd-resolved to systemd package",
                            "      + Make systemd-cryptsetup Priority: important",
                            "      + Give systemd-resolved Priority: important",
                            "      + Add Recommends: systemd-hwe-hwdb to udev package",
                            "      + Drop Recommends: libnss-myhostname libnss-resolve from systemd-resolved",
                            "      + Do not build systemd-boot-efi-{amd64,arm64}-signed-template",
                            "      + d/control: demote systemd-userdbd to Suggests for libnss-systemd",
                            "    - d/rules: disable bpf support on riscv64 for now (LP #2099864)",
                            "    - d/extra/dbus-1: remove SetLocale restriction from dbus policy (LP #2102028)",
                            "    - Delta for i386:",
                            "      + debian/systemd.install: exclude files that are not built for i386",
                            "      + debian/systemd.manpages: do not ship un-built manpages on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with tpm libraries on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with libqrencode on i386",
                            "      + debian/rules: Remove unneeded efi artifacts on i386 to avoid debugedit errors",
                            "    - debian/libnss-systemd.*:",
                            "      + debian/libnss-systemd.nss: install after 'compat' too (LP #2125403)",
                            "      + debian/libnss-systemd.preinst: force nsswitch.conf update",
                            "        Drop systemd instances in nsswitch.conf, and force postinst to",
                            "        re-generate the file (LP #2121017)",
                            "      + debian/libnss-systemd.nss: Install systemd service after files.",
                            "        As suggested by upstream the systemd NSS service should come just after",
                            "        files",
                            "    - debian/tests:",
                            "      + d/t/boot-and-services: use coreutils tunable in apparmor test (LP #2125614)",
                            "      + d/t/upstream: skip TEST-08-INITRD on Ubuntu (LP #2136419)",
                            "    - debian/patches:",
                            "      + switch-root: use MS_MOVE for /run when switching from initrd",
                            "      + test: skip TEST-50-DISSECT.dissect (LP #2116460)",
                            "      + test: skip TEST-13-NSPAWN.{nspawn,machined}  (LP #2136413)",
                            "  * Dropped changes, included upstream:",
                            "    - lp2136497-test-use-journalctl-n-option-instead-of-piping-to-head.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/2c661e5f0d",
                            "    - lp2136408-test-cope-with-uutils-coreutils-flag-parsing-for-date-com.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/a45dad1aa5",
                            "    - test-disable-pipefail-again-in-monitor_check_rr.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/ce35956b3a",
                            "    - resolve-include-current-DNS-server-in-JSON-again.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/0de941f937",
                            "    - lp2133402-ukify-omit-.osrel-section-when-os-release-is-empty.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/798a27a5b4",
                            "  * Dropped changes, no longer needed:",
                            "    - d/t/upstream: use GNU cp in test setup (LP #2122363)",
                            "      Fixed in rust-coreutils 0.5.0",
                            "    - lp2136752-test-workaround-uutils-dd-broken-pipe.patch",
                            "      Fixed in rust-coreutils 0.6.0",
                            "  * New changes:",
                            "    - d/libsystemd-shared.preinst: refuse to upgrade without unified cgroupv2 hierarchy",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 10 Feb 2026 14:05:53 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Drop dependencies on libcap-dev, no longer used since v259",
                            "  * Mark sd-userdbd as Multi-Arch: foreign (Closes: #1123615)",
                            "  * Use dh_installsystemd more to manage units. Ensure more units are",
                            "    handled as they are added to various packages",
                            "  * Use dh_installsystemd to handle journald and networkd",
                            "  * Use deb-systemd-invoke to reexec instead of manual calls. Allows the",
                            "    tool to handle the complications and use varlink where available",
                            "  * Increase number of sections of sd-stub on amd64 too. The default limit",
                            "    breaks adding more than 28 sections, which can happen with a UKI with",
                            "    many optional profiles. Bump it on amd64 too, at the cost of an extra",
                            "    ~80KB in size on the stub.",
                            "  * Update upstream source from tag 'upstream/259.1' Update to upstream",
                            "    version '259.1' with Debian dir",
                            "    f7a9425f1024ef75b5020a216f6be3d0af9ac227",
                            "  * Restrict the tpm2-generator manpage to arches where it is built",
                            "  * Install ask-password polkit policy file",
                            "",
                            "  [ Yu Watanabe ]",
                            "  * Drop use of deprecated options. These options are deprecated since",
                            "    v258.",
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * d/control: have systemd-boot depend on efibootmgr for amd64 and arm64",
                            "    only",
                            "  * d/tests: drop tests-in-lxd",
                            "  * d/control: make systemd-container Depends: libarchive13t64. This is",
                            "    needed for e.g. systemd-import-generator + rd.systemd.pull= to work",
                            "    properly. Dracut would like to be able to use that feature reliably",
                            "    when systemd-importd is available, so explicitly depend on libarchive.",
                            "    Currently, it is only a Suggests of libsystemd-shared via dlopen",
                            "    machinery. (LP: #2139822)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2139822
                        ],
                        "author": "Luca Boccassi <bluca@debian.org>",
                        "date": "Fri, 06 Feb 2026 18:37:22 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libsystemd0:armhf",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259-1ubuntu3",
                    "version": "259-1ubuntu3"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259.5-0ubuntu1",
                    "version": "259.5-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144032,
                    2143010,
                    2142900,
                    2142428,
                    2077538,
                    2142306,
                    2139822
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * New upstream stable version 259.5",
                            "    - Update upstream source from tag 'upstream/259.5'",
                            "      Update to upstream version '259.5'",
                            "      with Debian dir 1076161727931a7063674200c474ec7747a5177f",
                            "    - Bug fixes",
                            "",
                            "  [ Oliver Reiche ]",
                            "  * Fix issue overwriting /tmp on dist-upgrade (LP: #2144032)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.5-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144032
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:27:31 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.3",
                            "    - Update upstream source from tag 'upstream/259.3'",
                            "      Update to upstream version '259.3'",
                            "      with Debian dir 4fea3198a053eb40e77ea3ad3c3be030151f3f46",
                            "    - Bug fixes",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.3-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 06 Mar 2026 09:05:25 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Tag KFD and ACCEL devices for uaccess (LP: #2143010)",
                            "  * d/control: Add missing dh-dlopenlibdeps to b-d",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143010
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Tue, 03 Mar 2026 12:06:36 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.2",
                            "    - Bug fixes",
                            "    - Update upstream source from tag 'upstream/259.2'",
                            "      Update to upstream version '259.2'",
                            "      with Debian dir c25e0517a7a4ebd6d9009de0cf949dd265182a67",
                            "    - Drop lp2142428-seccomp-util-add-lsm_get_self_attr-and-lsm_list_modules-t.patch.",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/515816197e",
                            "  * test: use gnuenv to workaround broken --block-signal= (LP: #2142900)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142900
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 09:20:52 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * seccomp-util: add lsm_get_self_attr and lsm_list_modules to @default",
                            "    (LP: #2142428)",
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/p/lp2077538: Grant GPU rendering access to GNOME Remote Desktop",
                            "    (LP: #2077538, LP: #2142306)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142428,
                            2077538,
                            2142306
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 10:32:56 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - debian/systemd.postinst:",
                            "      + manually call systemd-tmpfiles --create in postinst",
                            "    - debian/control:",
                            "      + Add Recommends: systemd-resolved to systemd package",
                            "      + Make systemd-cryptsetup Priority: important",
                            "      + Give systemd-resolved Priority: important",
                            "      + Add Recommends: systemd-hwe-hwdb to udev package",
                            "      + Drop Recommends: libnss-myhostname libnss-resolve from systemd-resolved",
                            "      + Do not build systemd-boot-efi-{amd64,arm64}-signed-template",
                            "      + d/control: demote systemd-userdbd to Suggests for libnss-systemd",
                            "    - d/rules: disable bpf support on riscv64 for now (LP #2099864)",
                            "    - d/extra/dbus-1: remove SetLocale restriction from dbus policy (LP #2102028)",
                            "    - Delta for i386:",
                            "      + debian/systemd.install: exclude files that are not built for i386",
                            "      + debian/systemd.manpages: do not ship un-built manpages on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with tpm libraries on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with libqrencode on i386",
                            "      + debian/rules: Remove unneeded efi artifacts on i386 to avoid debugedit errors",
                            "    - debian/libnss-systemd.*:",
                            "      + debian/libnss-systemd.nss: install after 'compat' too (LP #2125403)",
                            "      + debian/libnss-systemd.preinst: force nsswitch.conf update",
                            "        Drop systemd instances in nsswitch.conf, and force postinst to",
                            "        re-generate the file (LP #2121017)",
                            "      + debian/libnss-systemd.nss: Install systemd service after files.",
                            "        As suggested by upstream the systemd NSS service should come just after",
                            "        files",
                            "    - debian/tests:",
                            "      + d/t/boot-and-services: use coreutils tunable in apparmor test (LP #2125614)",
                            "      + d/t/upstream: skip TEST-08-INITRD on Ubuntu (LP #2136419)",
                            "    - debian/patches:",
                            "      + switch-root: use MS_MOVE for /run when switching from initrd",
                            "      + test: skip TEST-50-DISSECT.dissect (LP #2116460)",
                            "      + test: skip TEST-13-NSPAWN.{nspawn,machined}  (LP #2136413)",
                            "  * Dropped changes, included upstream:",
                            "    - lp2136497-test-use-journalctl-n-option-instead-of-piping-to-head.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/2c661e5f0d",
                            "    - lp2136408-test-cope-with-uutils-coreutils-flag-parsing-for-date-com.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/a45dad1aa5",
                            "    - test-disable-pipefail-again-in-monitor_check_rr.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/ce35956b3a",
                            "    - resolve-include-current-DNS-server-in-JSON-again.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/0de941f937",
                            "    - lp2133402-ukify-omit-.osrel-section-when-os-release-is-empty.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/798a27a5b4",
                            "  * Dropped changes, no longer needed:",
                            "    - d/t/upstream: use GNU cp in test setup (LP #2122363)",
                            "      Fixed in rust-coreutils 0.5.0",
                            "    - lp2136752-test-workaround-uutils-dd-broken-pipe.patch",
                            "      Fixed in rust-coreutils 0.6.0",
                            "  * New changes:",
                            "    - d/libsystemd-shared.preinst: refuse to upgrade without unified cgroupv2 hierarchy",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 10 Feb 2026 14:05:53 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Drop dependencies on libcap-dev, no longer used since v259",
                            "  * Mark sd-userdbd as Multi-Arch: foreign (Closes: #1123615)",
                            "  * Use dh_installsystemd more to manage units. Ensure more units are",
                            "    handled as they are added to various packages",
                            "  * Use dh_installsystemd to handle journald and networkd",
                            "  * Use deb-systemd-invoke to reexec instead of manual calls. Allows the",
                            "    tool to handle the complications and use varlink where available",
                            "  * Increase number of sections of sd-stub on amd64 too. The default limit",
                            "    breaks adding more than 28 sections, which can happen with a UKI with",
                            "    many optional profiles. Bump it on amd64 too, at the cost of an extra",
                            "    ~80KB in size on the stub.",
                            "  * Update upstream source from tag 'upstream/259.1' Update to upstream",
                            "    version '259.1' with Debian dir",
                            "    f7a9425f1024ef75b5020a216f6be3d0af9ac227",
                            "  * Restrict the tpm2-generator manpage to arches where it is built",
                            "  * Install ask-password polkit policy file",
                            "",
                            "  [ Yu Watanabe ]",
                            "  * Drop use of deprecated options. These options are deprecated since",
                            "    v258.",
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * d/control: have systemd-boot depend on efibootmgr for amd64 and arm64",
                            "    only",
                            "  * d/tests: drop tests-in-lxd",
                            "  * d/control: make systemd-container Depends: libarchive13t64. This is",
                            "    needed for e.g. systemd-import-generator + rd.systemd.pull= to work",
                            "    properly. Dracut would like to be able to use that feature reliably",
                            "    when systemd-importd is available, so explicitly depend on libarchive.",
                            "    Currently, it is only a Suggests of libsystemd-shared via dlopen",
                            "    machinery. (LP: #2139822)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2139822
                        ],
                        "author": "Luca Boccassi <bluca@debian.org>",
                        "date": "Fri, 06 Feb 2026 18:37:22 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libtirpc-common",
                "from_version": {
                    "source_package_name": "libtirpc",
                    "source_package_version": "1.3.6+ds-1",
                    "version": "1.3.6+ds-1"
                },
                "to_version": {
                    "source_package_name": "libtirpc",
                    "source_package_version": "1.3.6+ds-1ubuntu1",
                    "version": "1.3.6+ds-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2124967
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick upstream commits to fix FTBFS with GCC 15",
                            "    (LP: #2124967)",
                            ""
                        ],
                        "package": "libtirpc",
                        "version": "1.3.6+ds-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2124967
                        ],
                        "author": "Graham Inggs <ginggs@ubuntu.com>",
                        "date": "Wed, 18 Feb 2026 19:05:07 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libtirpc3t64:armhf",
                "from_version": {
                    "source_package_name": "libtirpc",
                    "source_package_version": "1.3.6+ds-1",
                    "version": "1.3.6+ds-1"
                },
                "to_version": {
                    "source_package_name": "libtirpc",
                    "source_package_version": "1.3.6+ds-1ubuntu1",
                    "version": "1.3.6+ds-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2124967
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick upstream commits to fix FTBFS with GCC 15",
                            "    (LP: #2124967)",
                            ""
                        ],
                        "package": "libtirpc",
                        "version": "1.3.6+ds-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2124967
                        ],
                        "author": "Graham Inggs <ginggs@ubuntu.com>",
                        "date": "Wed, 18 Feb 2026 19:05:07 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libudev1:armhf",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259-1ubuntu3",
                    "version": "259-1ubuntu3"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259.5-0ubuntu1",
                    "version": "259.5-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144032,
                    2143010,
                    2142900,
                    2142428,
                    2077538,
                    2142306,
                    2139822
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * New upstream stable version 259.5",
                            "    - Update upstream source from tag 'upstream/259.5'",
                            "      Update to upstream version '259.5'",
                            "      with Debian dir 1076161727931a7063674200c474ec7747a5177f",
                            "    - Bug fixes",
                            "",
                            "  [ Oliver Reiche ]",
                            "  * Fix issue overwriting /tmp on dist-upgrade (LP: #2144032)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.5-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144032
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:27:31 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.3",
                            "    - Update upstream source from tag 'upstream/259.3'",
                            "      Update to upstream version '259.3'",
                            "      with Debian dir 4fea3198a053eb40e77ea3ad3c3be030151f3f46",
                            "    - Bug fixes",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.3-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 06 Mar 2026 09:05:25 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Tag KFD and ACCEL devices for uaccess (LP: #2143010)",
                            "  * d/control: Add missing dh-dlopenlibdeps to b-d",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143010
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Tue, 03 Mar 2026 12:06:36 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.2",
                            "    - Bug fixes",
                            "    - Update upstream source from tag 'upstream/259.2'",
                            "      Update to upstream version '259.2'",
                            "      with Debian dir c25e0517a7a4ebd6d9009de0cf949dd265182a67",
                            "    - Drop lp2142428-seccomp-util-add-lsm_get_self_attr-and-lsm_list_modules-t.patch.",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/515816197e",
                            "  * test: use gnuenv to workaround broken --block-signal= (LP: #2142900)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142900
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 09:20:52 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * seccomp-util: add lsm_get_self_attr and lsm_list_modules to @default",
                            "    (LP: #2142428)",
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/p/lp2077538: Grant GPU rendering access to GNOME Remote Desktop",
                            "    (LP: #2077538, LP: #2142306)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142428,
                            2077538,
                            2142306
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 10:32:56 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - debian/systemd.postinst:",
                            "      + manually call systemd-tmpfiles --create in postinst",
                            "    - debian/control:",
                            "      + Add Recommends: systemd-resolved to systemd package",
                            "      + Make systemd-cryptsetup Priority: important",
                            "      + Give systemd-resolved Priority: important",
                            "      + Add Recommends: systemd-hwe-hwdb to udev package",
                            "      + Drop Recommends: libnss-myhostname libnss-resolve from systemd-resolved",
                            "      + Do not build systemd-boot-efi-{amd64,arm64}-signed-template",
                            "      + d/control: demote systemd-userdbd to Suggests for libnss-systemd",
                            "    - d/rules: disable bpf support on riscv64 for now (LP #2099864)",
                            "    - d/extra/dbus-1: remove SetLocale restriction from dbus policy (LP #2102028)",
                            "    - Delta for i386:",
                            "      + debian/systemd.install: exclude files that are not built for i386",
                            "      + debian/systemd.manpages: do not ship un-built manpages on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with tpm libraries on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with libqrencode on i386",
                            "      + debian/rules: Remove unneeded efi artifacts on i386 to avoid debugedit errors",
                            "    - debian/libnss-systemd.*:",
                            "      + debian/libnss-systemd.nss: install after 'compat' too (LP #2125403)",
                            "      + debian/libnss-systemd.preinst: force nsswitch.conf update",
                            "        Drop systemd instances in nsswitch.conf, and force postinst to",
                            "        re-generate the file (LP #2121017)",
                            "      + debian/libnss-systemd.nss: Install systemd service after files.",
                            "        As suggested by upstream the systemd NSS service should come just after",
                            "        files",
                            "    - debian/tests:",
                            "      + d/t/boot-and-services: use coreutils tunable in apparmor test (LP #2125614)",
                            "      + d/t/upstream: skip TEST-08-INITRD on Ubuntu (LP #2136419)",
                            "    - debian/patches:",
                            "      + switch-root: use MS_MOVE for /run when switching from initrd",
                            "      + test: skip TEST-50-DISSECT.dissect (LP #2116460)",
                            "      + test: skip TEST-13-NSPAWN.{nspawn,machined}  (LP #2136413)",
                            "  * Dropped changes, included upstream:",
                            "    - lp2136497-test-use-journalctl-n-option-instead-of-piping-to-head.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/2c661e5f0d",
                            "    - lp2136408-test-cope-with-uutils-coreutils-flag-parsing-for-date-com.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/a45dad1aa5",
                            "    - test-disable-pipefail-again-in-monitor_check_rr.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/ce35956b3a",
                            "    - resolve-include-current-DNS-server-in-JSON-again.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/0de941f937",
                            "    - lp2133402-ukify-omit-.osrel-section-when-os-release-is-empty.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/798a27a5b4",
                            "  * Dropped changes, no longer needed:",
                            "    - d/t/upstream: use GNU cp in test setup (LP #2122363)",
                            "      Fixed in rust-coreutils 0.5.0",
                            "    - lp2136752-test-workaround-uutils-dd-broken-pipe.patch",
                            "      Fixed in rust-coreutils 0.6.0",
                            "  * New changes:",
                            "    - d/libsystemd-shared.preinst: refuse to upgrade without unified cgroupv2 hierarchy",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 10 Feb 2026 14:05:53 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Drop dependencies on libcap-dev, no longer used since v259",
                            "  * Mark sd-userdbd as Multi-Arch: foreign (Closes: #1123615)",
                            "  * Use dh_installsystemd more to manage units. Ensure more units are",
                            "    handled as they are added to various packages",
                            "  * Use dh_installsystemd to handle journald and networkd",
                            "  * Use deb-systemd-invoke to reexec instead of manual calls. Allows the",
                            "    tool to handle the complications and use varlink where available",
                            "  * Increase number of sections of sd-stub on amd64 too. The default limit",
                            "    breaks adding more than 28 sections, which can happen with a UKI with",
                            "    many optional profiles. Bump it on amd64 too, at the cost of an extra",
                            "    ~80KB in size on the stub.",
                            "  * Update upstream source from tag 'upstream/259.1' Update to upstream",
                            "    version '259.1' with Debian dir",
                            "    f7a9425f1024ef75b5020a216f6be3d0af9ac227",
                            "  * Restrict the tpm2-generator manpage to arches where it is built",
                            "  * Install ask-password polkit policy file",
                            "",
                            "  [ Yu Watanabe ]",
                            "  * Drop use of deprecated options. These options are deprecated since",
                            "    v258.",
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * d/control: have systemd-boot depend on efibootmgr for amd64 and arm64",
                            "    only",
                            "  * d/tests: drop tests-in-lxd",
                            "  * d/control: make systemd-container Depends: libarchive13t64. This is",
                            "    needed for e.g. systemd-import-generator + rd.systemd.pull= to work",
                            "    properly. Dracut would like to be able to use that feature reliably",
                            "    when systemd-importd is available, so explicitly depend on libarchive.",
                            "    Currently, it is only a Suggests of libsystemd-shared via dlopen",
                            "    machinery. (LP: #2139822)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2139822
                        ],
                        "author": "Luca Boccassi <bluca@debian.org>",
                        "date": "Fri, 06 Feb 2026 18:37:22 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libudisks2-0:armhf",
                "from_version": {
                    "source_package_name": "udisks2",
                    "source_package_version": "2.10.91-1ubuntu1",
                    "version": "2.10.91-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "udisks2",
                    "source_package_version": "2.10.91-1ubuntu2",
                    "version": "2.10.91-1ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-26103",
                        "url": "https://ubuntu.com/security/CVE-2026-26103",
                        "cve_description": "A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-25 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-26104",
                        "url": "https://ubuntu.com/security/CVE-2026-26104",
                        "cve_description": "A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-25 11:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26103",
                                "url": "https://ubuntu.com/security/CVE-2026-26103",
                                "cve_description": "A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-25 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-26104",
                                "url": "https://ubuntu.com/security/CVE-2026-26104",
                                "cve_description": "A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-25 11:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Missing polkit permission checks",
                            "    - debian/patches/CVE-2026-26103.patch: Add missing polkit check for",
                            "      RestoreEncryptedHeader().",
                            "    - debian/patches/CVE-2026-26104.patch: Add missing polkit check for",
                            "      HeaderBackup()",
                            "    - CVE-2026-26103",
                            "    - CVE-2026-26104",
                            ""
                        ],
                        "package": "udisks2",
                        "version": "2.10.91-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 13:05:58 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libunistring5:armhf",
                "from_version": {
                    "source_package_name": "libunistring",
                    "source_package_version": "1.3-2",
                    "version": "1.3-2"
                },
                "to_version": {
                    "source_package_name": "libunistring",
                    "source_package_version": "1.3-2build1",
                    "version": "1.3-2build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "libunistring",
                        "version": "1.3-2build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:42:57 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libuuid1:armhf",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.2-4ubuntu3",
                    "version": "2.41.2-4ubuntu3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.3-3ubuntu2",
                    "version": "2.41.3-3ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142050
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ubuntu/su-pty-drop-caps.patch: harden 'su --pty' to temporarily lower",
                            "    capabilities while proxying between stdin/stdout and the pty master. This",
                            "    is to avoid su from being used to exploit kernel vulnerabilities.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:09:23 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142050). Remaining changes:",
                            "    - Add sulogin-fallback-static-sh.patch",
                            "      Add support for /bin/static-sh as fallback if the regular shell fails to",
                            "      execute. Patch ported from sysvinit. (see LP #505887)",
                            "    - Add sulogin-lockedpwd.patch",
                            "      Make sure file systems can be fixed on machines with locked root",
                            "      accounts (as Ubuntu does by default). Don't require --force for sulogin.",
                            "    - d/rules: disable libmount mountfs support",
                            "      Disable brand new feature with --disable-libmount-mountfd-support that",
                            "      causes inability to deploy MAAS LP #2037417.",
                            "  * Dropped changes applied upstream:",
                            "    - SECURITY UPDATE: heap overread with 256-byte usernames",
                            "      + debian/patches/CVE-2025-14104-1.patch: add length check in",
                            "        login-utils/setpwnam.c.",
                            "      + debian/patches/CVE-2025-14104-2.patch: update buflen in",
                            "        login-utils/setpwnam.c.",
                            "      + CVE-2025-14104",
                            "  * Dropped changes as they were no longer necessary:",
                            "    - d/p/ubuntu/lp-2030793-make-check-pidfd.patch",
                            "      This patch only affected kernel versions below 5.15 which are not",
                            "      available on resolute.",
                            "    - d/p/u/lp-2112552-tests-mark-mkfds-multiplexing-as-known-fail.patch",
                            "      The underlying bug was addressed in rust-coreutils.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142050
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Sun, 15 Feb 2026 17:43:12 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/libsmartcols1.symbols: drop terminal crap",
                            "  * d/rules: make dpkg-gensymbols more strict",
                            "  * lintian: ignore groff-message tags",
                            "  * lintian: ignore groff-message tags in remaining packages",
                            "  * Add upstream patches",
                            "    * unshare: fix user namespace bind mounts",
                            "    * unshare: remove get_mnt_ino() check in bind_ns_files_from_child()",
                            "    * unshare: add --owner to set user namespace owner uid and gid",
                            "    * libfdisk: modernize ZFS GPT type description",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 31 Dec 2025 13:06:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * util-linux: do not fail postinst/prerm if update-alternatives is missing",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 17 Dec 2025 10:42:28 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Stop installing lastlog2-import.service",
                            "  * New upstream release, fixing CVE-2025-14104. (Closes: #1122058)",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Tue, 16 Dec 2025 20:37:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libvolume-key1:armhf",
                "from_version": {
                    "source_package_name": "volume-key",
                    "source_package_version": "0.3.12-10",
                    "version": "0.3.12-10"
                },
                "to_version": {
                    "source_package_name": "volume-key",
                    "source_package_version": "0.3.12-10build2",
                    "version": "0.3.12-10build2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild for gpgme1.0 2.0",
                            ""
                        ],
                        "package": "volume-key",
                        "version": "0.3.12-10build2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Thu, 19 Feb 2026 18:57:59 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild with Python 3.14 as default",
                            ""
                        ],
                        "package": "volume-key",
                        "version": "0.3.12-10build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Graham Inggs <ginggs@ubuntu.com>",
                        "date": "Thu, 22 Jan 2026 22:05:19 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libxml2-16:armhf",
                "from_version": {
                    "source_package_name": "libxml2",
                    "source_package_version": "2.15.1+dfsg-2ubuntu1",
                    "version": "2.15.1+dfsg-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "libxml2",
                    "source_package_version": "2.15.2+dfsg-0.1",
                    "version": "2.15.2+dfsg-0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-1757",
                        "url": "https://ubuntu.com/security/CVE-2026-1757",
                        "cve_description": "A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-02 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0990",
                        "url": "https://ubuntu.com/security/CVE-2026-0990",
                        "cve_description": "A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-15 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0992",
                        "url": "https://ubuntu.com/security/CVE-2026-0992",
                        "cve_description": "A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-15 15:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-10911",
                        "url": "https://ubuntu.com/security/CVE-2025-10911",
                        "cve_description": "A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-25 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0989",
                        "url": "https://ubuntu.com/security/CVE-2026-0989",
                        "cve_description": "A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-15 15:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-1757",
                                "url": "https://ubuntu.com/security/CVE-2026-1757",
                                "cve_description": "A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-02 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0990",
                                "url": "https://ubuntu.com/security/CVE-2026-0990",
                                "cve_description": "A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-15 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0992",
                                "url": "https://ubuntu.com/security/CVE-2026-0992",
                                "cve_description": "A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-15 15:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-10911",
                                "url": "https://ubuntu.com/security/CVE-2025-10911",
                                "cve_description": "A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-25 16:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0989",
                                "url": "https://ubuntu.com/security/CVE-2026-0989",
                                "cve_description": "A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-15 15:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Non-maintainer upload.",
                            "  * New upstream bug fix release.",
                            "    Security issues:",
                            "    - CVE-2026-1757 fix: Memory leak in xmllint Shell - shell.c",
                            "    - CVE-2026-0990 fix: Prevent infinite recursion in",
                            "      xmlCatalogListXMLResolve. Closes: #1125695.",
                            "    - CVE-2026-0992 fix: Exponential behavior when handling",
                            "      parser: Fix infinite loop in xmlCtxtParseContent. Closes: #1125696.",
                            "    - CVE-2025-10911 libxslt related: Ignore next/prev of documents when",
                            "      traversing XPath",
                            "    - CVE-2026-0989 fix: Add RelaxNG include limit. Closes: #1125691.",
                            "    - xmlIO: use size_t for buffer size reallocation",
                            "    - uri: fix signed integer overflow in xmlBuildRelativeURISafe",
                            "    - schematron: fix memory leaks on error paths in xmlSchematronParseRule",
                            "    - catalog: fix stack overflow from self-referencing SGML CATALOG entries",
                            "    Improvements",
                            "    - fuzz: Make fuzzy encoding match more lenient",
                            "    - Fix C14N type confusion",
                            "    - meson: Fix build with Meson < 1.3",
                            "    - xmllint: Use zlib directly",
                            "    - xmllint: New option to separate xpath results using null, --xpath0",
                            "    - autotools: Make valgrind actually check for leaks",
                            "    - meson: Add valgrind test setup",
                            "    - Fix xmlOutputBufferGetContent output when encoder is set",
                            "    - threads: don't force _WIN32_WINNT to Vista if it's set to a higher value",
                            "    - dist: Add generated documentation to the dist as \"dist-doc\" folder",
                            "      to simplify downstream packaging of doc",
                            "    - Fix xmlRemoveEntity removing from wrong hash table",
                            "    - use duplicating variant in relaxng to mitigate UAF",
                            "    - Fix memory leak in xmlTextWriterStartAttributeNS on OOM",
                            "    - meson: remove hardcoded buildtype=debug default",
                            "    - Fix memory leak of prefix in xmlTextWriterStartElementNS()",
                            "    - writer: Add a few extra NULL checks to avoid memory leaks on corrupt",
                            "      writer path.",
                            "  * Update symbols file.",
                            "  * Don't include the sources twice in the libxml2-source package.",
                            "  * Bump standards version.",
                            ""
                        ],
                        "package": "libxml2",
                        "version": "2.15.2+dfsg-0.1",
                        "urgency": "high",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 25 Mar 2026 14:30:48 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "libxml2",
                        "version": "2.15.1+dfsg-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:02:28 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-base",
                "from_version": {
                    "source_package_name": "linux-base",
                    "source_package_version": "4.15ubuntu3",
                    "version": "4.15ubuntu3"
                },
                "to_version": {
                    "source_package_name": "linux-base",
                    "source_package_version": "4.15ubuntu4",
                    "version": "4.15ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * apport/source_linux.py: Always attach 'dpkg --list'",
                            ""
                        ],
                        "package": "linux-base",
                        "version": "4.15ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Juerg Haefliger <juerg.haefliger@canonical.com>",
                        "date": "Tue, 03 Mar 2026 13:01:59 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-generic",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.19.0-6.6",
                    "version": "6.19.0-6.6"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-10.10",
                    "version": "7.0.0-10.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013,
                    1786013,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-10.10",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-10.10",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 19 Mar 2026 09:44:53 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-9.9",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-9.9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 18 Mar 2026 13:11:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-8.8",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-8.8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Tue, 17 Mar 2026 18:02:22 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-7.7",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] Drop v4l2loopback and zfs-modules from Provides, they've moved",
                            "      to linux-main-modules.",
                            "    - [Packaging] Wrap dependency fields",
                            "    - [Packaging] Add linux-main-modules-zfs to generic Depends",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-7.7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 12 Mar 2026 10:55:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-6.6",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update variants",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-6.6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 17:21:07 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-5.5",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-5.5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 08:10:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-4.4",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-4.4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 04 Mar 2026 11:23:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-3.3",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 02 Mar 2026 09:27:36 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-2.2",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-2.2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Fri, 27 Feb 2026 10:28:04 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-1.1",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update variants",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-1.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:38:24 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Empty entry",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-0.0",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:33:56 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.19.0-6.6",
                    "version": "6.19.0-6.6"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-10.10",
                    "version": "7.0.0-10.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013,
                    1786013,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-10.10",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-10.10",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 19 Mar 2026 09:44:53 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-9.9",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-9.9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 18 Mar 2026 13:11:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-8.8",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-8.8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Tue, 17 Mar 2026 18:02:22 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-7.7",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] Drop v4l2loopback and zfs-modules from Provides, they've moved",
                            "      to linux-main-modules.",
                            "    - [Packaging] Wrap dependency fields",
                            "    - [Packaging] Add linux-main-modules-zfs to generic Depends",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-7.7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 12 Mar 2026 10:55:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-6.6",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update variants",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-6.6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 17:21:07 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-5.5",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-5.5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 08:10:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-4.4",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-4.4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 04 Mar 2026 11:23:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-3.3",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 02 Mar 2026 09:27:36 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-2.2",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-2.2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Fri, 27 Feb 2026 10:28:04 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-1.1",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update variants",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-1.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:38:24 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Empty entry",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-0.0",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:33:56 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.19.0-6.6",
                    "version": "6.19.0-6.6"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-10.10",
                    "version": "7.0.0-10.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013,
                    1786013,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-10.10",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-10.10",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 19 Mar 2026 09:44:53 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-9.9",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-9.9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 18 Mar 2026 13:11:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-8.8",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-8.8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Tue, 17 Mar 2026 18:02:22 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-7.7",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] Drop v4l2loopback and zfs-modules from Provides, they've moved",
                            "      to linux-main-modules.",
                            "    - [Packaging] Wrap dependency fields",
                            "    - [Packaging] Add linux-main-modules-zfs to generic Depends",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-7.7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 12 Mar 2026 10:55:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-6.6",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update variants",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-6.6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 17:21:07 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-5.5",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-5.5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 08:10:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-4.4",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-4.4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 04 Mar 2026 11:23:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-3.3",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 02 Mar 2026 09:27:36 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-2.2",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-2.2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Fri, 27 Feb 2026 10:28:04 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-1.1",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update variants",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-1.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:38:24 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Empty entry",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-0.0",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:33:56 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-sysctl-defaults",
                "from_version": {
                    "source_package_name": "linux-base",
                    "source_package_version": "4.15ubuntu3",
                    "version": "4.15ubuntu3"
                },
                "to_version": {
                    "source_package_name": "linux-base",
                    "source_package_version": "4.15ubuntu4",
                    "version": "4.15ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * apport/source_linux.py: Always attach 'dpkg --list'",
                            ""
                        ],
                        "package": "linux-base",
                        "version": "4.15ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Juerg Haefliger <juerg.haefliger@canonical.com>",
                        "date": "Tue, 03 Mar 2026 13:01:59 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-common",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.19.0-6.6",
                    "version": "6.19.0-6.6"
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-10.10",
                    "version": "7.0.0-10.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144865,
                    2144735,
                    2142775,
                    2144652,
                    2143197,
                    2139276,
                    2143974,
                    1990064,
                    2142956,
                    2141298,
                    2028253,
                    2028253,
                    2102680,
                    2028253,
                    2032602,
                    2143243,
                    2143203,
                    2110092,
                    2143745,
                    2143700,
                    2143181,
                    2143123,
                    2141276,
                    2106681,
                    2121347,
                    2138328,
                    2143020,
                    2142764,
                    2142402
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-10.10 -proposed tracker (LP: #2144865)",
                            "",
                            "  * Miscellaneous upstream changes",
                            "    - Revert \"powerpc: fix KUAP warning in VMX usercopy path\"",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-10.10",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144865
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 19 Mar 2026 09:44:11 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-9.9 -proposed tracker (LP: #2144735)",
                            "",
                            "  * Please make dracut the default initrd generator (LP: #2142775)",
                            "    - [Packaging] recommends dracut instead of initramfs-tools",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - SAUCE: Change RISC-V target to RVA23 (riscv64a23-unknown-linux-gnu)",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-9.9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144735,
                            2142775
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 18 Mar 2026 13:11:06 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-8.8 -proposed tracker (LP: #2144652)",
                            "",
                            "  * UBUNTU: SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "    (LP: #2143197)",
                            "    - SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "",
                            "  * [usrmerge] evaluate kernel owned packages for DEP17 compliance",
                            "    (LP: #2139276)",
                            "    - [Packaging] Install modules in /usr/lib/modules",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] hardening: enable LIST_HARDENED",
                            "    - [Config] hardening: disable LDISC_AUTOLOAD",
                            "    - [Config] hardening: disable LEGACY_PTYS",
                            "    - [Config] updateconfigs following v7.0-rc4 rebase",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-8.8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144652,
                            2143197,
                            2139276
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Tue, 17 Mar 2026 18:01:36 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-7.7 -proposed tracker (LP: #2143974)",
                            "",
                            "  * unconfined profile denies userns_create for chromium based processes",
                            "    (LP: #1990064)",
                            "    - [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS",
                            "",
                            "  * Jellyfin Desktop Flatpak doesn't work with the current AppArmor profile",
                            "    (LP: #2142956)",
                            "    - SAUCE: apparmor5.0.0 [29/29]: apparmor: fix fine grained inet mediation",
                            "      sock_file_perm",
                            "",
                            "  * AppArmor blocks write(2) to network sockets with Linux 6.19 (LP: #2141298)",
                            "    - SAUCE: apparmor5.0.0 [28/29]: apparmor: fix aa_label_sk_perm to check",
                            "      for RULE_MEDIATES_NET",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253)",
                            "    - SAUCE: apparmor5.0.0 [1/29]: Stacking: LSM: Single calls in secid hooks",
                            "    - SAUCE: apparmor5.0.0 [2/29]: Stacking: LSM: Exclusive secmark usage",
                            "    - SAUCE: apparmor5.0.0 [3/29]: Stacking: AppArmor: Remove the exclusive",
                            "      flag",
                            "    - SAUCE: apparmor5.0.0 [4/29]: Revert \"apparmor: fix dbus permission",
                            "      queries to v9 ABI\"",
                            "    - SAUCE: apparmor5.0.0 [5/29]: Revert \"apparmor: gate make fine grained",
                            "      unix mediation behind v9 abi\"",
                            "    - SAUCE: apparmor5.0.0 [6/29]: apparmor: net: patch to provide",
                            "      compatibility with v2.x net rules",
                            "    - SAUCE: apparmor5.0.0 [7/29]: apparmor: net: add fine grained ipv4/ipv6",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [8/29]: apparmor: lift compatibility check out of",
                            "      profile_af_perm",
                            "    - SAUCE: apparmor5.0.0 [9/29]: apparmor: userns: add unprivileged user ns",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [10/29]: apparmor: userns: Add sysctls for",
                            "      additional controls of unpriv userns restrictions",
                            "    - SAUCE: apparmor5.0.0 [12/29]: apparmor: userns: open userns related",
                            "      sysctl so lxc can check if restriction are in place",
                            "    - SAUCE: apparmor5.0.0 [13/29]: apparmor: userns: allow profile to be",
                            "      transitioned when a userns is created",
                            "    - SAUCE: apparmor5.0.0 [14/29]: apparmor: mqueue: call",
                            "      security_inode_init_security on inode creation",
                            "    - SAUCE: apparmor5.0.0 [15/29]: apparmor: mqueue: add fine grained",
                            "      mediation of posix mqueues",
                            "    - SAUCE: apparmor5.0.0 [16/29]: apparmor: uring: add io_uring mediation",
                            "    - SAUCE: apparmor5.0.0 [19/29]: apparmor: prompt: setup slab cache for",
                            "      audit data",
                            "    - SAUCE: apparmor5.0.0 [20/29]: apparmor: prompt: add the ability for",
                            "      profiles to have a learning cache",
                            "    - SAUCE: apparmor5.0.0 [21/29]: apparmor: prompt: enable userspace upcall",
                            "      for mediation",
                            "    - SAUCE: apparmor5.0.0 [22/29]: apparmor: prompt: pass prompt boolean",
                            "      through into path_name as well",
                            "    - SAUCE: apparmor5.0.0 [23/29]: apparmor: check for supported version in",
                            "      notification messages.",
                            "    - SAUCE: apparmor5.0.0 [24/29]: apparmor: refactor building notice so it",
                            "      is easier to extend",
                            "    - SAUCE: apparmor5.0.0 [25/29]: apparmor: switch from ENOTSUPP to",
                            "      EPROTONOSUPPORT",
                            "    - SAUCE: apparmor5.0.0 [26/29]: apparmor: add support for meta data tags",
                            "    - SAUCE: apparmor5.0.0 [27/29]: apparmor: prevent profile->disconnected",
                            "      double free in aa_free_profile",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // Installation",
                            "    of AppArmor on a 6.14 kernel produces error message \"Illegal number: yes\"",
                            "    (LP: #2102680)",
                            "    - SAUCE: apparmor5.0.0 [17/29]: apparmor: create an",
                            "      AA_SFS_TYPE_BOOLEAN_INTPRINT sysctl variant",
                            "    - SAUCE: apparmor5.0.0 [18/29]: apparmor: Use AA_SFS_FILE_BOOLEAN_INTPRINT",
                            "      for userns and io_uring sysctls",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe]",
                            "    apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in",
                            "    mantic (LP: #2032602)",
                            "    - SAUCE: apparmor5.0.0 [11/29]: apparmor: userns - make it so special",
                            "      unconfined profiles can mediate user namespaces",
                            "",
                            "  * NPU utilization on amdxdna is missing (LP: #2143243)",
                            "    - SAUCE: accel/amdxdna: Add IOCTL to retrieve realtime NPU power estimate",
                            "    - SAUCE: accel/amdxdna: Support sensors for column utilization",
                            "    - SAUCE: accel/amdxdna: Import AMD_PMF namespace",
                            "",
                            "  * Adopting dark mode by default for OLED panel (LP: #2143203)",
                            "    - SAUCE: drm/connector: Add a new 'panel_type' property",
                            "    - SAUCE: drm/amd/display: Attach OLED property to eDP panels",
                            "",
                            "  * Support AMD Image Signal Processing (ISP) unit V4.0 (LP: #2110092)",
                            "    - SAUCE: media: platform: amd: Introduce amd isp4 capture driver",
                            "    - SAUCE: media: platform: amd: low level support for isp4 firmware",
                            "    - SAUCE: media: platform: amd: Add isp4 fw and hw interface",
                            "    - SAUCE: media: platform: amd: isp4 subdev and firmware loading handling",
                            "      added",
                            "    - SAUCE: media: platform: amd: isp4 video node and buffers handling added",
                            "    - SAUCE: Documentation: add documentation of AMD isp 4 driver",
                            "    - SAUCE: media: platform: amd: isp4 debug fs logging and more descriptive",
                            "      errors",
                            "    - [Config] Enable VIDEO_AMD_ISP4_CAPTURE",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] temporarily disable OBJTOOL_WERROR",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-7.7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143974,
                            1990064,
                            2142956,
                            2141298,
                            2028253,
                            2028253,
                            2102680,
                            2028253,
                            2032602,
                            2143243,
                            2143203,
                            2110092
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 12 Mar 2026 10:49:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-6.6 -proposed tracker (LP: #2143745)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] drop unstable suffix",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-6.6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143745
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 17:20:26 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-5.5 -proposed tracker (LP: #2143700)",
                            "",
                            "  * Resolute real-time patchset: 7.0-rc1-rt1 (LP: #2143181)",
                            "    - SAUCE: Reapply \"serial: 8250: Switch to nbcon console\"",
                            "    - SAUCE: Reapply \"serial: 8250: Revert \"drop lockdep annotation from",
                            "      serial8250_clear_IER()\"\"",
                            "    - SAUCE: drm/i915: Use preempt_disable/enable_rt() where recommended",
                            "    - SAUCE: drm/i915: Don't disable interrupts on PREEMPT_RT during atomic",
                            "      updates",
                            "    - SAUCE: drm/i915: Disable tracing points on PREEMPT_RT",
                            "    - SAUCE: drm/i915/gt: Use spin_lock_irq() instead of local_irq_disable() +",
                            "      spin_lock()",
                            "    - SAUCE: drm/i915: Drop the irqs_disabled() check",
                            "    - SAUCE: drm/i915/guc: Consider also RCU depth in busy loop.",
                            "    - SAUCE: drm/i915: Consider RCU read section as atomic.",
                            "    - SAUCE: Revert \"drm/i915: Depend on !PREEMPT_RT.\"",
                            "    - SAUCE: sysfs: Add /sys/kernel/realtime entry",
                            "    - Real-time patchset 7.0-rc1-rt1",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] rust toolchain version update",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-5.5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143700,
                            2143181
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 08:10:31 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-4.4 -proposed tracker (LP: #2143123)",
                            "",
                            "  * efi: Fix swapped arguments to bsearch() in efi_status_to_*() SAUCE patch",
                            "    (LP: #2141276)",
                            "    - SAUCE efi: Fix swapped arguments to bsearch() in efi_status_to_*()",
                            "",
                            "  * Plucky preinstalled server fails to boot on rb3gen2 (LP: #2106681) //",
                            "    Questing preinstalled server fails to boot on sa8775p boards",
                            "    (LP: #2121347)",
                            "    - [Config] move more qcom interconnect/pinctrl/gcc options to builtin",
                            "",
                            "  * linux-tools: consider linking perf against LLVM (LP: #2138328)",
                            "    - [Packaging] Add llvm-21-dev to build-depends for perf",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] Add intel-speed-select to linux-tools",
                            "    - [Packaging] remove stale debian/dkms-versions",
                            "    - [Packaging] remove stale debian/dkms-versions scripting",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-4.4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143123,
                            2141276,
                            2106681,
                            2121347,
                            2138328
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 04 Mar 2026 13:59:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-3.3 -proposed tracker (LP: #2143020)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] updateconfig after rebase to v7.0-rc2",
                            "    - [Config] switch to PREEMPT_LAZY",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143020
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 02 Mar 2026 09:26:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-2.2 -proposed tracker (LP: #2142764)",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-2.2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142764
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Fri, 27 Feb 2026 10:25:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-1.1 -proposed tracker (LP: #2142402)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [packaging] rename to linux-unstable",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - Update Changes.md",
                            "    - [Packaging] add libbpf-dev to Build-Depends",
                            "    - [Config] disable AMD_ISP4, FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove zfs FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove evdi FTBFS",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - [Config] update toolchain version",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-1.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142402
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:32:17 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.19.0-6.6",
                    "version": "6.19.0-6.6"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-10.10",
                    "version": "7.0.0-10.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013,
                    1786013,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-10.10",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-10.10",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 19 Mar 2026 09:44:53 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-9.9",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-9.9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 18 Mar 2026 13:11:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-8.8",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-8.8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Tue, 17 Mar 2026 18:02:22 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-7.7",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] Drop v4l2loopback and zfs-modules from Provides, they've moved",
                            "      to linux-main-modules.",
                            "    - [Packaging] Wrap dependency fields",
                            "    - [Packaging] Add linux-main-modules-zfs to generic Depends",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-7.7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 12 Mar 2026 10:55:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-6.6",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update variants",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-6.6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 17:21:07 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-5.5",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-5.5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 08:10:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-4.4",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-4.4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 04 Mar 2026 11:23:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-3.3",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 02 Mar 2026 09:27:36 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-2.2",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-2.2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Fri, 27 Feb 2026 10:28:04 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-1.1",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] update variants",
                            "    - [Packaging] debian/dkms-versions -- resync from main package",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-1.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:38:24 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Empty entry",
                            ""
                        ],
                        "package": "linux-meta-unstable",
                        "version": "7.0.0-0.0",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:33:56 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "locales",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.42-2ubuntu5",
                    "version": "2.42-2ubuntu5"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.43-2ubuntu1",
                    "version": "2.43-2ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-15281",
                        "url": "https://ubuntu.com/security/CVE-2025-15281",
                        "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 14:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0861",
                        "url": "https://ubuntu.com/security/CVE-2026-0861",
                        "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.  Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument.  This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.  Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice.  An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-14 21:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0915",
                        "url": "https://ubuntu.com/security/CVE-2026-0915",
                        "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-15 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2143767,
                    2138256,
                    2142067
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian experimental (LP: #2143767)",
                            "    Delta dropped:",
                            "    - Don't strip ld.so on armhf. LP #1927192.",
                            "    - Enable systemtap support, which is currently disabled in Debian.",
                            "    - Fix gconv regression on i386",
                            "    - Stop building with --enable-sframe for now.",
                            "    - s390x: drop the 32-bit multi-arch variant (LP #2067350)",
                            "  * Fixed upstream:",
                            "    - NPTL: Optimize trylock for high cache contention workloads (LP: #2138256) ",
                            "  * Update from upstream:",
                            "    - Don't include <bits/openat2.h> directly",
                            "    - po: Incorporate translations (nl updated, ar new)",
                            "  * d/watch: modernize watchfile delta to v5",
                            "  * Fix broken ldconfig, static-pie binary on riscv64",
                            "    Revert RVV memset variant patch. (LP: #2142067)",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143767,
                            2138256,
                            2142067
                        ],
                        "author": "Simon Poirier <simon.poirier@canonical.com>",
                        "date": "Tue, 17 Feb 2026 16:52:35 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/testsuite-xfail-debian.mk: Update hurd results.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-2",
                        "urgency": "medium",
                        "distributions": "UNRELEASED",
                        "launchpad_bugs_fixed": [],
                        "author": "Samuel Thibault <sthibault@debian.org>",
                        "date": "Fri, 30 Jan 2026 01:41:14 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * New upstream release:",
                            "    - debian/copyright: update following upstream changes.",
                            "    - debian/symbols.wildcards: add 2.43.",
                            "    - debian/patches/git-updates.diff: update from upstream stable branch.",
                            "    - debian/patches/hurd-i386/local-enable-ldconfig.diff: rebased.",
                            "    - debian/patches/hurd-i386/git-sigreturn-SEGV.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-rlimit-as.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-run-iconv-test.sh.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-elf-ordering.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-rename.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-signal-SSE-MMX.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-sigreturn-xmm.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-cancel-stack.diff: upstreamed.",
                            "    - debian/patches/i386/unsubmitted-quiet-ldconfig.diff: rebased.",
                            "    - debian/patches/any/local-asserth-decls.diff: rebased.",
                            "    - debian/patches/any/local-tcsetaddr.diff: rebased.",
                            "    - debian/patches/any/submitted-nptl-invalid-td.patch: drop, obsolete.",
                            "    - debian/patches/any/git-ldd-set-u.diff: upstreamed.",
                            "    - debian/patches/any/git-linux-termios.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/submitted-net.diff: rebased.",
                            "    - debian/patches/hurd-i386/tg-bits_atomic.h_multiple_threads.diff: drop,",
                            "      obsolete.",
                            "    - debian/patches/hurd-i386/local-clock_gettime_MONOTONIC.diff: rebased.",
                            "    - debian/patches/hurd-i386/local-fix-nss.diff: rebased.",
                            "    - debian/libc0.3.symbols.hurd-i386: update following the move of symbols",
                            "      from libpthread.so.0.3 to libc.so.0.3.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Wed, 28 Jan 2026 22:35:15 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/testsuite-xfail-debian.mk: ignore new tst-pie-bss-static issue on",
                            "    hurd for now.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control: regenerate.  Closes: #1127589.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-13",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Tue, 10 Feb 2026 18:54:23 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/git-fork-gdb.diff: Fix gdb after fork.",
                            "  * debian/patches/hurd-i386/local-execstack.diff: Drop, fixed in binutils.",
                            "  * debian/patches/hurd-i386/git-sig-sig-mmx-fix.diff: Fix mmx corruption on",
                            "    double-signal.",
                            "  * debian/patches/hurd-i386/local-intr-msg-clobber.diff: Drop, now fixed.",
                            "  * debian/patches/hurd-i386/git-cancel-sig.diff: Fix cancellation points in",
                            "    signals during cancellation points.",
                            "  * debian/testsuite-xfail-debian.mk: Update accordingly.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control.in/*, debian/glibc-source.filelist,",
                            "    debian/libc6-s390.symbols.s390x, debian/rules.d/control.mk,",
                            "    debian/sysdeps/s390x.mk: stop building a 31-bit multilib flavour on s390x.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-12",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sat, 07 Feb 2026 22:23:34 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-15281",
                                "url": "https://ubuntu.com/security/CVE-2025-15281",
                                "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/local-execstack.diff: Work around missing execstack",
                            "    on libc.so.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch:",
                            "    - Fix bug in wordexp, which could return uninitialized memory when using",
                            "      WRDE_REUSE together with WRDE_APPEND (CVE-2025-15281).  Closes: #1126266.",
                            "    - Switch currency symbol for the bg_BG locale to euro.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-11",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Mon, 26 Jan 2026 23:40:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/sysdeps/{amd64,arm64,i386,x32}.mk: disable SFrame support.  Closes:",
                            "    #1125944.",
                            "  * debian/control.in/{main,libc}: drop versioned Build-Depends and Breaks on",
                            "    binutils 2.45, now pointless.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-10",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Mon, 19 Jan 2026 20:12:24 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/git-cancel-stack.diff: Fix crash on cancellation",
                            "    with unaligned stack.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/rules.d/debhelper.mk: do not strip ld.so on armhf.  Closes:",
                            "    #1125796.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-9",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sun, 18 Jan 2026 11:52:41 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-0861",
                                "url": "https://ubuntu.com/security/CVE-2026-0861",
                                "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.  Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument.  This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.  Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice.  An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-14 21:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0915",
                                "url": "https://ubuntu.com/security/CVE-2026-0915",
                                "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-15 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/testsuite-xfail-debian.mk: Avoid running tst-writev on hurd-amd64.",
                            "  * debian/patches/hurd-i386/git-sigreturn-xmm.diff: Fix sigreturn using xmm",
                            "    registers in the signal contention case.",
                            "  * debian/patches/hurd-i386/local-intr-msg-clobber.diff: Try to re-introduce",
                            "    mmx clobber work-around.",
                            "  * debian/testsuite-xfail-debian.mk: Update hurd results.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/rules.d/build.mk: do not write BUILD_CXX to configparms, it's",
                            "    unused.",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch:",
                            "    - Fix an integer overflow in _int_memalign leading to heap corruption",
                            "      (CVE-2026-0861).  Closes: #1125678.",
                            "    - Fix stack contents leak in getnetbyaddr (CVE-2026-0915).  Closes:",
                            "      #1125748.",
                            "    - Optimize trylock for high cache contention workloads.",
                            "",
                            "  [ Helmut Grohne ]",
                            "  * debian/control.in/main: avoid g++ dependency in nocheck builds.",
                            "  * debian/control.in/main, rules, rules.d/build.mk: don't build nscd in",
                            "    stage2.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-8",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Fri, 16 Jan 2026 21:50:10 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control.in/libc, debian/rules.d/debhelper.mk: drop libcrypt-dev",
                            "    dependency from libc6-dev. Thanks to Helmut Grohne for proposing that,",
                            "    doing an archive rebuild and filling the bug reports.",
                            "  * debian/control.in/main, debian/sysdeps/linux.mk: enable SystemTap static",
                            "    probes.",
                            "  * debian/debhelper.in/libc-dev.NEWS: add a NEWS entry about the removal of",
                            "    the obsolete termio interface.  Closes: #1124068.",
                            "  * debian/rules.d/debhelper.mk: ensure that linker scripts work even when",
                            "    /usr is unmerged.  Closes: #1120508",
                            "  * debian/debhelper.in/libc-dev{,-alt}.lintian-overrides,",
                            "    source/lintian-overrides, rules.d/debhelper.mk, salsa-ci.yml: drop",
                            "    unpack-message-for-{orig,source} overrides, fixed in lintian 2.128.0.",
                            "  * debian/control.in/main: drop Rules-Requires-Root: no, this is now the",
                            "    default.",
                            "  * debian/libc6.symbols.i386, debian/libc6-i386.symbols.{amd64,x32}: remove",
                            "    the workaround for GLIBC_ABI_GNU_TLS.  Closes: #1122038.",
                            "  * debian/control.in/{libc,i386}: ensure that libdpkg-perl is fixed wrt",
                            "    GLIBC_ABI_GNU_TLS.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-7",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sun, 04 Jan 2026 10:07:24 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Benjamin Drung ]",
                            "  * debian/control: add new lines when concatenating files",
                            "  * Update debian/watch to version 5",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/symbols.wildcards: adjust ABI flags version:",
                            "    - Fix corresponding to GLIBC_ABI_DT_X86_64_PLT was first corrected in 2.36",
                            "    - Fix corresponding to GLIBC_ABI_GNU2_TLS was first corrected in 2.40",
                            "  * debian/control.in/libc, debian/control.in/main: remove breaks, conflicts",
                            "    and (build-)depends already satisfied in bookworm.",
                            "  * debian/control.in/amd64, debian/control.in/libc: add a Breaks against",
                            "    binutils (<< 2.45) for builds with sframe support enabled.",
                            "  * debian/control.in/main, debian/rules: build with GCC 15.",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch.",
                            "",
                            "  [ Baptiste Jammet ]",
                            "  * Update French debconf translation.  Closes: #1118006.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-6",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Fri, 12 Dec 2025 18:37:16 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Martin Bagge ]",
                            "  * Update Swedish debconf translation.  Closes: #1121991.",
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/control.in/main: change libc-gconv-modules-extra to Multi-Arch:",
                            "    same as it contains libraries.",
                            "  * debian/libc6.symbols.i386, debian/libc6-i386.symbols.{amd64,x32}: force",
                            "    the minimum libc6 version to >= 2.42, to ensure GLIBC_ABI_GNU_TLS is",
                            "    available, given symbols in .gnu.version_r section are currently not",
                            "    handled by dpkg-shlibdeps.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-5",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sat, 06 Dec 2025 23:02:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to unstable.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Wed, 03 Dec 2025 23:03:48 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * debian/patches/any/git-ldd-set-u.diff: backport fix to allow using",
                            "    set -u on ldd.  Closes: #1114824.",
                            "  * debian/patches/git-updates.diff: update from upstream stable branch.",
                            "  * debian/patches/any/git-linux-termios.diff: backport fix for termios",
                            "    regression with non-standard baud rate.",
                            "",
                            "  [ Samuel Thibault ]",
                            "  * debian/patches/hurd-i386/git-sigreturn-SEGV.diff: catch SIGSEGV on",
                            "    returning from signal handler.",
                            "  * debian/patches/hurd-i386/git-rlimit-as.diff: Support RLIMIT_AS.",
                            "  * debian/patches/hurd-i386/local-aux-pagesz.diff: Fix getauxval(AT_PAGESZ).",
                            "  * debian/patches/hurd-i386/git-run-iconv-test.sh.diff: Fix running iconv",
                            "    tests.",
                            "  * debian/patches/hurd-i386/git-elf-ordering.diff: Fix running ELF ordering",
                            "    tests.",
                            "  * debian/patches/hurd-i386/git-rename.diff: Fix renaming directories with",
                            "    trailing slashes.",
                            "  * debian/patches/hurd-i386/git-signal-SSE-MMX.diff: Fix signals thrashing",
                            "    SSE&MMX state.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.42-3",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sat, 29 Nov 2025 19:36:10 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "login",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.2-4ubuntu3",
                    "version": "1:4.16.0-2+really2.41.2-4ubuntu3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.3-3ubuntu2",
                    "version": "1:4.16.0-2+really2.41.3-3ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142050
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ubuntu/su-pty-drop-caps.patch: harden 'su --pty' to temporarily lower",
                            "    capabilities while proxying between stdin/stdout and the pty master. This",
                            "    is to avoid su from being used to exploit kernel vulnerabilities.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:09:23 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142050). Remaining changes:",
                            "    - Add sulogin-fallback-static-sh.patch",
                            "      Add support for /bin/static-sh as fallback if the regular shell fails to",
                            "      execute. Patch ported from sysvinit. (see LP #505887)",
                            "    - Add sulogin-lockedpwd.patch",
                            "      Make sure file systems can be fixed on machines with locked root",
                            "      accounts (as Ubuntu does by default). Don't require --force for sulogin.",
                            "    - d/rules: disable libmount mountfs support",
                            "      Disable brand new feature with --disable-libmount-mountfd-support that",
                            "      causes inability to deploy MAAS LP #2037417.",
                            "  * Dropped changes applied upstream:",
                            "    - SECURITY UPDATE: heap overread with 256-byte usernames",
                            "      + debian/patches/CVE-2025-14104-1.patch: add length check in",
                            "        login-utils/setpwnam.c.",
                            "      + debian/patches/CVE-2025-14104-2.patch: update buflen in",
                            "        login-utils/setpwnam.c.",
                            "      + CVE-2025-14104",
                            "  * Dropped changes as they were no longer necessary:",
                            "    - d/p/ubuntu/lp-2030793-make-check-pidfd.patch",
                            "      This patch only affected kernel versions below 5.15 which are not",
                            "      available on resolute.",
                            "    - d/p/u/lp-2112552-tests-mark-mkfds-multiplexing-as-known-fail.patch",
                            "      The underlying bug was addressed in rust-coreutils.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142050
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Sun, 15 Feb 2026 17:43:12 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/libsmartcols1.symbols: drop terminal crap",
                            "  * d/rules: make dpkg-gensymbols more strict",
                            "  * lintian: ignore groff-message tags",
                            "  * lintian: ignore groff-message tags in remaining packages",
                            "  * Add upstream patches",
                            "    * unshare: fix user namespace bind mounts",
                            "    * unshare: remove get_mnt_ino() check in bind_ns_files_from_child()",
                            "    * unshare: add --owner to set user namespace owner uid and gid",
                            "    * libfdisk: modernize ZFS GPT type description",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 31 Dec 2025 13:06:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * util-linux: do not fail postinst/prerm if update-alternatives is missing",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 17 Dec 2025 10:42:28 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Stop installing lastlog2-import.service",
                            "  * New upstream release, fixing CVE-2025-14104. (Closes: #1122058)",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Tue, 16 Dec 2025 20:37:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "logsave",
                "from_version": {
                    "source_package_name": "e2fsprogs",
                    "source_package_version": "1.47.2-3ubuntu2",
                    "version": "1.47.2-3ubuntu2"
                },
                "to_version": {
                    "source_package_name": "e2fsprogs",
                    "source_package_version": "1.47.2-3ubuntu4",
                    "version": "1.47.2-3ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2138219,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/rules: fix pkgconfig call that results in inability",
                            "    to find udev rules.d in dh_install. Patch supplied by",
                            "    Helmut Grohne in Debian bug 1126636. (LP: #2138219)",
                            ""
                        ],
                        "package": "e2fsprogs",
                        "version": "1.47.2-3ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138219
                        ],
                        "author": "John Chittum <john.chittum@canonical.com>",
                        "date": "Fri, 13 Feb 2026 07:17:00 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "e2fsprogs",
                        "version": "1.47.2-3ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:34:31 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "lshw",
                "from_version": {
                    "source_package_name": "lshw",
                    "source_package_version": "02.19.git.2021.06.19.996aaad9c7-2.1ubuntu2",
                    "version": "02.19.git.2021.06.19.996aaad9c7-2.1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "lshw",
                    "source_package_version": "02.19.git.2021.06.19.996aaad9c7-2.1ubuntu3",
                    "version": "02.19.git.2021.06.19.996aaad9c7-2.1ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2127480
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix incorrect fb detection (LP: #2127480):",
                            "    - d/p/lp2127480-0001-improve-fb-detection.patch",
                            "    - d/p/lp2127480-0002-another-try-at-fixing-the-Github-fbdev-issue.patch",
                            ""
                        ],
                        "package": "lshw",
                        "version": "02.19.git.2021.06.19.996aaad9c7-2.1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2127480
                        ],
                        "author": "Robert Malz <robert.malz@canonical.com>",
                        "date": "Tue, 28 Oct 2025 11:28:27 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "lxd-agent-loader",
                "from_version": {
                    "source_package_name": "lxd-agent-loader",
                    "source_package_version": "0.9ubuntu0",
                    "version": "0.9ubuntu0"
                },
                "to_version": {
                    "source_package_name": "lxd-agent-loader",
                    "source_package_version": "0.13ubuntu0",
                    "version": "0.13ubuntu0"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144337,
                    2142801,
                    2139197,
                    2141967
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Unconditionally install `udev` rules (LP: #2144337)",
                            ""
                        ],
                        "package": "lxd-agent-loader",
                        "version": "0.13ubuntu0",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144337
                        ],
                        "author": "Simon Deziel <simon.deziel@canonical.com>",
                        "date": "Fri, 13 Mar 2026 12:12:17 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Only install `udev` rules for arches needing them",
                            ""
                        ],
                        "package": "lxd-agent-loader",
                        "version": "0.12ubuntu0",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon Deziel <simon.deziel@canonical.com>",
                        "date": "Wed, 04 Mar 2026 09:09:16 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Reinstate `udev` rules for arches lacking DMI support (LP: #2142801)",
                            ""
                        ],
                        "package": "lxd-agent-loader",
                        "version": "0.11ubuntu0",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142801
                        ],
                        "author": "Simon Deziel <simon.deziel@canonical.com>",
                        "date": "Sat, 28 Feb 2026 18:34:30 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update paths for compat with `usrmerge` (LP: #2139197)",
                            "    - lxd-agent.service: `lxd-agent-setup` is now under `/usr/lib`",
                            "    - debian/install: put files into `/usr/lib`",
                            "  * Replace udev activation by system generator (LP: #2141967)",
                            ""
                        ],
                        "package": "lxd-agent-loader",
                        "version": "0.10ubuntu0",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2139197,
                            2141967
                        ],
                        "author": "Simon Deziel <simon.deziel@canonical.com>",
                        "date": "Wed, 18 Feb 2026 12:06:41 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "mdadm",
                "from_version": {
                    "source_package_name": "mdadm",
                    "source_package_version": "4.4-11ubuntu3",
                    "version": "4.4-11ubuntu3"
                },
                "to_version": {
                    "source_package_name": "mdadm",
                    "source_package_version": "4.5-5ubuntu1",
                    "version": "4.5-5ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2130173,
                    2144935
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2130173). Remaining changes:",
                            "    - d/{control,mdadm.install,/finalrd/mdadm.finalrd}: ship a finalrd hook",
                            "  * New changes to fix autopkgtests:",
                            "    - d/t/control: add allow-stderr restriction",
                            "    - d/t/test-installed: disable failing on error and skip tests",
                            "      Use same test settings as the upstream github tests to prevent",
                            "      failing after error and disable problematic or extra long tests",
                            "    - d/p/u/disable-tests-failing-on-ubuntu.patch: disable some tests",
                            "      that fail either intermittently or consistently on Ubuntu (LP: #2144935)",
                            ""
                        ],
                        "package": "mdadm",
                        "version": "4.5-5ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2130173,
                            2144935
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Thu, 19 Feb 2026 15:24:04 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Updating watch file to version 5.",
                            "  * Cherry-picking patch from upstream to fix probing non-DDF which in",
                            "    turn fixes timeouts in dracut tests, thanks to Benjamin Drung",
                            "    <bdrung@debian.org> for reporting (Closes: #1128401).",
                            ""
                        ],
                        "package": "mdadm",
                        "version": "4.5-5",
                        "urgency": "medium",
                        "distributions": "sid",
                        "launchpad_bugs_fixed": [],
                        "author": "Daniel Baumann <daniel@debian.org>",
                        "date": "Thu, 19 Feb 2026 12:45:48 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Always including efivarfs to have generic initramfs, thanks to Roland",
                            "    Clobus <rclobus@rclobus.nl> (Closes: #1114521).",
                            ""
                        ],
                        "package": "mdadm",
                        "version": "4.5-4",
                        "urgency": "medium",
                        "distributions": "sid",
                        "launchpad_bugs_fixed": [],
                        "author": "Daniel Baumann <daniel@debian.org>",
                        "date": "Thu, 05 Feb 2026 04:17:16 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-picking patch from upstream to load md_mod first before setting",
                            "    module parameter legacy_async_del_gendisk (Closes: #1125390).",
                            ""
                        ],
                        "package": "mdadm",
                        "version": "4.5-3",
                        "urgency": "medium",
                        "distributions": "sid",
                        "launchpad_bugs_fixed": [],
                        "author": "Daniel Baumann <daniel@debian.org>",
                        "date": "Wed, 04 Feb 2026 19:56:52 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Adding Chinese (simplified) debconf translations from Yangfl",
                            "    <mmyangfl@gmail.com> (Closes: #1124731).",
                            "  * Adding Chinese (traditional) debconf translations from Yangfl",
                            "    <mmyangfl@gmail.com> (Closes: #1124731).",
                            ""
                        ],
                        "package": "mdadm",
                        "version": "4.5-2",
                        "urgency": "medium",
                        "distributions": "sid",
                        "launchpad_bugs_fixed": [],
                        "author": "Daniel Baumann <daniel@debian.org>",
                        "date": "Tue, 06 Jan 2026 07:34:33 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Updating to standards version 4.7.3.",
                            "  * Wrap and sorting debian files.",
                            "  * Merging upstream version 4.5.",
                            "  * Updating years in copyright for 2026.",
                            "  * Refreshing randomize-timers.patch.",
                            "  * Removing xmalloc-ftbfs.patch, included upstream.",
                            "  * Removing monitor-nonabsolute-devnames.patch, included upstream.",
                            "  * Removing monitor-memory-leak.patch, included upstream.",
                            "  * Removing manpage-remove-bitmap.patch, included upstream.",
                            ""
                        ],
                        "package": "mdadm",
                        "version": "4.5-1",
                        "urgency": "medium",
                        "distributions": "sid",
                        "launchpad_bugs_fixed": [],
                        "author": "Daniel Baumann <daniel@debian.org>",
                        "date": "Sun, 04 Jan 2026 07:27:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Removing rules-requires-root, not needed anymore.",
                            "  * Adding updated Swedish debconf translations from Martin Bagge",
                            "    <brother@persilja.net> (Closes: #1121992).",
                            "  * Adding updated Catalan debconf translations from Carles Pina i Estany",
                            "    <carles@pina.cat> (Closes: #1117573).",
                            ""
                        ],
                        "package": "mdadm",
                        "version": "4.4-14",
                        "urgency": "medium",
                        "distributions": "sid",
                        "launchpad_bugs_fixed": [],
                        "author": "Daniel Baumann <daniel@debian.org>",
                        "date": "Sun, 07 Dec 2025 09:32:47 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Adding patch from QRPp <awesome.walrus+github@gmail.com> to fix fails",
                            "    with relative ARRAY devnames (Closes: #1114744).",
                            "  * Adding patch from Peter Mann <peter.mann@sh.cz> to fix memory leak in",
                            "    mdadm --monitor --scan (Closes: #1115497).",
                            "  * Adding updated Italian debconf translations from Luca Monducci",
                            "    <luca.mo@tiscali.it> (Closes: #1114858).",
                            "  * Removing in initramfs hook a reference to old documentation file",
                            "    removed by upstream, thanks to Lionel Elie Mamane <lionel@mamane.lu>",
                            "    (Closes: #1112392).",
                            ""
                        ],
                        "package": "mdadm",
                        "version": "4.4-13",
                        "urgency": "medium",
                        "distributions": "sid",
                        "launchpad_bugs_fixed": [],
                        "author": "Daniel Baumann <daniel@debian.org>",
                        "date": "Thu, 18 Sep 2025 15:20:58 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Removing old link to git.debian.org in README.recipes.",
                            "  * Correcting wrong file reference in README.recipes.",
                            "  * Adding updated Portuguese debconf translations from Américo Monteiro",
                            "    <a_monteiro@gmx.com> (Closes: #1107438).",
                            ""
                        ],
                        "package": "mdadm",
                        "version": "4.4-12",
                        "urgency": "medium",
                        "distributions": "sid",
                        "launchpad_bugs_fixed": [],
                        "author": "Daniel Baumann <daniel@debian.org>",
                        "date": "Wed, 03 Sep 2025 04:12:40 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "modemmanager",
                "from_version": {
                    "source_package_name": "modemmanager",
                    "source_package_version": "1.24.2-2fakesync1",
                    "version": "1.24.2-2fakesync1"
                },
                "to_version": {
                    "source_package_name": "modemmanager",
                    "source_package_version": "1.25.95-1ubuntu1",
                    "version": "1.25.95-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2130166
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fake sync due to mismatching orig tarball",
                            ""
                        ],
                        "package": "modemmanager",
                        "version": "1.24.2-2fakesync1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Fri, 12 Dec 2025 10:22:09 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Helmut Grohne ]",
                            "  * Improve cross building: (Closes: #1087277)",
                            "    + Move documentation dependencies to B-D-I.",
                            "    + Mark python3-dbus and python3-gi with the nocheck build profile.",
                            "",
                            "  [ Arnaud Ferraris ]",
                            "  * d/control: fix gobject-introspection dependencies",
                            "    `libgirepository1.0-dev` shouldn't be used anymore as it isn't",
                            "    multiarch-friendly. Instead, use a recent `gobject-introspection` and",
                            "    explicitly (build) depend on the needed `gir1.2-*-dev` packages.",
                            "    (Closes: #1118899)",
                            "  * d/gbp.conf: add default commit messages.",
                            "    This makes it more consistent with other packages for which I'm the",
                            "    primary maintainer.",
                            "  * d/watch: convert to version 5.",
                            "    Use the new Gitlab template for easier management, but override the",
                            "    matching pattern so we only get stable (pre)releases, which have an even",
                            "    minor version number.",
                            "  * d/copyright: fix copyright notice for mmcli.",
                            "    This is actually GPL-2+, not GPL-3. (Closes: #1116309)",
                            ""
                        ],
                        "package": "modemmanager",
                        "version": "1.24.2-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Arnaud Ferraris <aferraris@debian.org>",
                        "date": "Wed, 29 Oct 2025 17:27:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fake sync due to mismatching orig tarball (LP: #2130166)",
                            ""
                        ],
                        "package": "modemmanager",
                        "version": "1.24.2-1fakesync1",
                        "urgency": "medium",
                        "distributions": "resolute-proposed",
                        "launchpad_bugs_fixed": [
                            2130166
                        ],
                        "author": "Jeremy Bícha <jbicha@ubuntu.com>",
                        "date": "Tue, 28 Oct 2025 16:54:41 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release (Closes: #1110197)",
                            "  * d/control: drop Rules-Requires-Root.",
                            "    This is no longer needed.",
                            ""
                        ],
                        "package": "modemmanager",
                        "version": "1.24.2-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Arnaud Ferraris <aferraris@debian.org>",
                        "date": "Mon, 11 Aug 2025 12:00:42 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": true
            },
            {
                "name": "mount",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.2-4ubuntu3",
                    "version": "2.41.2-4ubuntu3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.3-3ubuntu2",
                    "version": "2.41.3-3ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142050
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ubuntu/su-pty-drop-caps.patch: harden 'su --pty' to temporarily lower",
                            "    capabilities while proxying between stdin/stdout and the pty master. This",
                            "    is to prevent su from being used to exploit kernel vulnerabilities.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:09:23 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142050). Remaining changes:",
                            "    - Add sulogin-fallback-static-sh.patch",
                            "      Add support for /bin/static-sh as fallback if the regular shell fails to",
                            "      execute. Patch ported from sysvinit. (see LP #505887)",
                            "    - Add sulogin-lockedpwd.patch",
                            "      Make sure file systems can be fixed on machines with locked root",
                            "      accounts (as Ubuntu does by default). Don't require --force for sulogin.",
                            "    - d/rules: disable libmount mountfs support",
                            "      Disable brand new feature with --disable-libmount-mountfd-support that",
                            "      causes inability to deploy MAAS LP #2037417.",
                            "  * Dropped changes applied upstream:",
                            "    - SECURITY UPDATE: heap overread with 256-byte usernames",
                            "      + debian/patches/CVE-2025-14104-1.patch: add length check in",
                            "        login-utils/setpwnam.c.",
                            "      + debian/patches/CVE-2025-14104-2.patch: update buflen in",
                            "        login-utils/setpwnam.c.",
                            "      + CVE-2025-14104",
                            "  * Dropped changes as they were no longer necessary:",
                            "    - d/p/ubuntu/lp-2030793-make-check-pidfd.patch",
                            "      This patch only affected kernel versions below 5.15 which are not",
                            "      available on resolute.",
                            "    - d/p/u/lp-2112552-tests-mark-mkfds-multiplexing-as-known-fail.patch",
                            "      The underlying bug was addressed in rust-coreutils.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142050
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Sun, 15 Feb 2026 17:43:12 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/libsmartcols1.symbols: drop terminal crap",
                            "  * d/rules: make dpkg-gensymbols more strict",
                            "  * lintian: ignore groff-message tags",
                            "  * lintian: ignore groff-message tags in remaining packages",
                            "  * Add upstream patches",
                            "    * unshare: fix user namespace bind mounts",
                            "    * unshare: remove get_mnt_ino() check in bind_ns_files_from_child()",
                            "    * unshare: add --owner to set user namespace owner uid and gid",
                            "    * libfdisk: modernize ZFS GPT type description",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 31 Dec 2025 13:06:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * util-linux: do not fail postinst/prerm if update-alternatives is missing",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 17 Dec 2025 10:42:28 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Stop installing lastlog2-import.service",
                            "  * New upstream release, fixing CVE-2025-14104. (Closes: #1122058)",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Tue, 16 Dec 2025 20:37:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "multipath-tools",
                "from_version": {
                    "source_package_name": "multipath-tools",
                    "source_package_version": "0.12.0-1ubuntu2",
                    "version": "0.12.0-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "multipath-tools",
                    "source_package_version": "0.14.3-2ubuntu1",
                    "version": "0.14.3-2ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144005,
                    2135118,
                    2080474,
                    2142903
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2144005). Remaining changes:",
                            "    - d/rules: don't build the multipath-tools binary package on i386; only kpartx.",
                            "    - d/p/enable-find-multipaths.patch: re-enable find_multipaths by",
                            "      default -- see the removed 'add_find-multipaths.patch' (LP 1463046)",
                            "    - d/NEWS: add removal of kpartx-boot package",
                            "    - d/rules: remove -Bsymbolic-functions from LDFLAGS",
                            "    - d/rules: install friendly names multipath.conf by default",
                            "    - d/initramfs/scripts/init-top: ensure the bindings file exists before",
                            "      calling multipathd -B in the initramfs. This prevents multipathd -B from",
                            "      failing and exiting immediately (LP #2120444).",
                            "    - d/p/testsuite-no-lto: disable lto to work around testsuite symbol wrapping",
                            "      (LP #2135118)",
                            "  * Dropped changes:",
                            "    - d/p/multipath-tools-Fix-ISO-C23-errors-with-strchr:",
                            "      Fix ISO C23 errors with strchr()",
                            "      [upstream in 0.14.0]",
                            "    - d/{rules,control}: enable testsuite (LP #2135118)",
                            "      [in 0.14.3-1]",
                            "    - d/initramfs: move the script stopping multipathd to init-bottom",
                            "      [in 0.13.0-1]",
                            "    - d/t/initramfs",
                            "      + determine extracted main cpio path dynamically",
                            "      + drop determine extracted main cpio path dynamically",
                            "      [cancel each other out]",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.14.3-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144005
                        ],
                        "author": "Jonas Jelten <jj@ubuntu.com>",
                        "date": "Mon, 16 Mar 2026 18:17:43 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [9ef22a2] Run testsuite only during Arch-builds",
                            "  * [2a6ef4b] Disable testsuite on loong64",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.14.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Mon, 02 Mar 2026 11:49:26 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Jonas Jelten ]",
                            "  * [d6c9eba] Enable testsuite (LP: #2135118)",
                            "",
                            "  [ Chris Hofstaedtler ]",
                            "  * [5c1230c] New upstream version 0.14.3 (Closes: #1128696)",
                            "  * [6e2361a] Rebase patches, use WARN_ONLY=1 in make invocation",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.14.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2135118
                        ],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Mon, 02 Mar 2026 10:37:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [c8842fd] New upstream version 0.13.0",
                            "  * [6951eae] d/rules: enable verbose upstream build",
                            "  * [3d82dad] initramfs: stop multipathd in init-bottom, not local-bottom.",
                            "    Ubuntu noticed that local-* scripts are not executed on systems with",
                            "    disks on network. (LP: #2080474)",
                            "  * [fc4b508] d/t/control: add linux-image-generic for Ubuntu",
                            "  * [1df3a76] d/libmpathpersist0.symbols: tighten internal symbols",
                            "  * [6aff684] initramfs: stop requesting old dmsetup_env hack",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.13.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2080474
                        ],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Sat, 20 Dec 2025 14:16:27 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/t/initramfs: drop determine extracted main cpio path dynamically",
                            "  * multipath-tools: Fix ISO C23 errors with strchr() (LP: #2142903)",
                            ""
                        ],
                        "package": "multipath-tools",
                        "version": "0.12.0-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142903
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 02 Mar 2026 16:48:20 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "netbase",
                "from_version": {
                    "source_package_name": "netbase",
                    "source_package_version": "6.5",
                    "version": "6.5"
                },
                "to_version": {
                    "source_package_name": "netbase",
                    "source_package_version": "6.5build1",
                    "version": "6.5build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "netbase",
                        "version": "6.5build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:29:50 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "netplan-generator",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2-1ubuntu1",
                    "version": "1.2-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2-1ubuntu3",
                    "version": "1.2-1ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2139598,
                    2138802
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/lp2139598-execute-udev-rules-before-sriov-apply-service.patch:",
                            "    execute udev rules before starting sriov apply service (LP: #2139598)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2139598
                        ],
                        "author": "Robert Malz <robert.malz@canonical.com>",
                        "date": "Tue, 03 Mar 2026 12:44:43 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/lp-2138802-BlockingIOError-py314.patch: fix \"netplan try\" with python",
                            "    3.14 by handling BlockingIOError in addition to TypeError (LP: #2138802)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138802
                        ],
                        "author": "Andreas Hasenack <andreas.hasenack@canonical.com>",
                        "date": "Fri, 20 Feb 2026 11:25:14 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "netplan.io",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2-1ubuntu1",
                    "version": "1.2-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2-1ubuntu3",
                    "version": "1.2-1ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2139598,
                    2138802
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/lp2139598-execute-udev-rules-before-sriov-apply-service.patch:",
                            "    execute udev rules before starting sriov apply service (LP: #2139598)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2139598
                        ],
                        "author": "Robert Malz <robert.malz@canonical.com>",
                        "date": "Tue, 03 Mar 2026 12:44:43 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/lp-2138802-BlockingIOError-py314.patch: fix \"netplan try\" with python",
                            "    3.14 by handling BlockingIOError in addition to TypeError (LP: #2138802)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138802
                        ],
                        "author": "Andreas Hasenack <andreas.hasenack@canonical.com>",
                        "date": "Fri, 20 Feb 2026 11:25:14 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "open-iscsi",
                "from_version": {
                    "source_package_name": "open-iscsi",
                    "source_package_version": "2.1.11-3ubuntu2",
                    "version": "2.1.11-3ubuntu2"
                },
                "to_version": {
                    "source_package_name": "open-iscsi",
                    "source_package_version": "2.1.11-3ubuntu3",
                    "version": "2.1.11-3ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143886
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/t/patch-image: also look for arch all packages (LP: #2143886)",
                            ""
                        ],
                        "package": "open-iscsi",
                        "version": "2.1.11-3ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143886
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Thu, 12 Mar 2026 00:48:53 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-client",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu1",
                    "version": "1:10.2p1-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu3",
                    "version": "1:10.2p1-2ubuntu3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-3497",
                        "url": "https://ubuntu.com/security/CVE-2026-3497",
                        "cve_description": "Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 19:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2144812
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/gss-api-defaults.patch: do not default to weak GSS-API",
                            "    exchange algorithms (LP: #2144812)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.2p1-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144812
                        ],
                        "author": "Athos Ribeiro <athos@ubuntu.com>",
                        "date": "Wed, 18 Mar 2026 16:23:48 -0300"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-3497",
                                "url": "https://ubuntu.com/security/CVE-2026-3497",
                                "cve_description": "Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 19:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: GSSAPI Key Exchange issue",
                            "    - debian/patches/gssapi.patch: replace incorrect use of",
                            "      sshpkt_disconnect() with ssh_packet_disconnect() and properly",
                            "      initialize some vars.",
                            "    - CVE-2026-3497",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.2p1-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:05:34 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu1",
                    "version": "1:10.2p1-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu3",
                    "version": "1:10.2p1-2ubuntu3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-3497",
                        "url": "https://ubuntu.com/security/CVE-2026-3497",
                        "cve_description": "Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 19:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2144812
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/gss-api-defaults.patch: do not default to weak GSS-API",
                            "    exchange algorithms (LP: #2144812)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.2p1-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144812
                        ],
                        "author": "Athos Ribeiro <athos@ubuntu.com>",
                        "date": "Wed, 18 Mar 2026 16:23:48 -0300"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-3497",
                                "url": "https://ubuntu.com/security/CVE-2026-3497",
                                "cve_description": "Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 19:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: GSSAPI Key Exchange issue",
                            "    - debian/patches/gssapi.patch: replace incorrect use of",
                            "      sshpkt_disconnect() with ssh_packet_disconnect() and properly",
                            "      initialize some vars.",
                            "    - CVE-2026-3497",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.2p1-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:05:34 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-sftp-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu1",
                    "version": "1:10.2p1-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu3",
                    "version": "1:10.2p1-2ubuntu3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-3497",
                        "url": "https://ubuntu.com/security/CVE-2026-3497",
                        "cve_description": "Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-12 19:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2144812
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/gss-api-defaults.patch: do not default to weak GSS-API",
                            "    exchange algorithms (LP: #2144812)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.2p1-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144812
                        ],
                        "author": "Athos Ribeiro <athos@ubuntu.com>",
                        "date": "Wed, 18 Mar 2026 16:23:48 -0300"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-3497",
                                "url": "https://ubuntu.com/security/CVE-2026-3497",
                                "cve_description": "Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program without setting the related connection variables. As the variables are not initialized to NULL the code later accesses those uninitialized variables, accessing random memory, which could lead to undefined behavior. The recommended workaround is to use ssh_packet_disconnect() instead, which does terminate the process. The impact of the vulnerability depends heavily on the compiler flag hardening configuration.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-12 19:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: GSSAPI Key Exchange issue",
                            "    - debian/patches/gssapi.patch: replace incorrect use of",
                            "      sshpkt_disconnect() with ssh_packet_disconnect() and properly",
                            "      initialize some vars.",
                            "    - CVE-2026-3497",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.2p1-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:05:34 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssl",
                "from_version": {
                    "source_package_name": "openssl",
                    "source_package_version": "3.5.3-1ubuntu2",
                    "version": "3.5.3-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "openssl",
                    "source_package_version": "3.5.5-1ubuntu1",
                    "version": "3.5.5-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-11187",
                        "url": "https://ubuntu.com/security/CVE-2025-11187",
                        "cve_description": "Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification.  Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations.  When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference.  Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity.  The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue.  OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15467",
                        "url": "https://ubuntu.com/security/CVE-2025-15467",
                        "cve_description": "Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.  Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.  When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.  Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.  OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. 
Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15468",
                        "url": "https://ubuntu.com/security/CVE-2025-15468",
                        "cve_description": "Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs.  Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service.  Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported.  As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity.  The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support.  The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.  OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15469",
                        "url": "https://ubuntu.com/security/CVE-2025-15469",
                        "cve_description": "Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error.  Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated.  When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath.  The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected.  The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary.  OpenSSL 3.5 and 3.6 are vulnerable to this issue.  OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-66199",
                        "url": "https://ubuntu.com/security/CVE-2025-66199",
                        "cve_description": "Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit.  Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service).  In affected configurations, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. This length is not bounded by the max_cert_list setting, which otherwise constrains certificate message sizes. An attacker can exploit this to cause large per-connection allocations followed by handshake failure. No memory corruption or information disclosure occurs.  This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. Servers that do not request client certificates are not vulnerable to client-initiated attacks.  Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION to disable receiving compressed certificates.  The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.  OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68160",
                        "url": "https://ubuntu.com/security/CVE-2025-68160",
                        "cve_description": "Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.  Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.  The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. 
For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69418",
                        "url": "https://ubuntu.com/security/CVE-2025-69418",
                        "cve_description": "Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated.  Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection.  The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes.  However, typical OpenSSL consumers using EVP are not affected because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites. The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69419",
                        "url": "https://ubuntu.com/security/CVE-2025-69419",
                        "cve_description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.  Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.  The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer.  The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. 
Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69420",
                        "url": "https://ubuntu.com/security/CVE-2025-69420",
                        "cve_description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.  Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. 
Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69421",
                        "url": "https://ubuntu.com/security/CVE-2025-69421",
                        "cve_description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.  Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.  The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.  Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. 
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-22795",
                        "url": "https://ubuntu.com/security/CVE-2026-22795",
                        "cve_description": "Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.  Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.  A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.  The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. 
This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-22796",
                        "url": "https://ubuntu.com/security/CVE-2026-22796",
                        "cve_description": "Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.  Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. 
The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9230",
                        "url": "https://ubuntu.com/security/CVE-2025-9230",
                        "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.  Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.  Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9231",
                        "url": "https://ubuntu.com/security/CVE-2025-9231",
                        "cve_description": "Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.  Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker..  While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.  OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts.  However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9232",
                        "url": "https://ubuntu.com/security/CVE-2025-9232",
                        "cve_description": "Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.  Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.  The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.  In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.  The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9230",
                        "url": "https://ubuntu.com/security/CVE-2025-9230",
                        "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.  Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.  Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9231",
                        "url": "https://ubuntu.com/security/CVE-2025-9231",
                        "cve_description": "Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.  Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker..  While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.  OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts.  However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9232",
                        "url": "https://ubuntu.com/security/CVE-2025-9232",
                        "cve_description": "Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.  Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.  The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.  In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.  The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2141941,
                    2141708,
                    2137464,
                    2133492
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Eric Berry ]",
                            "  * Enable CPU jitter fluctuations",
                            "  * Detect FIPS jitterentropy mode and load jitterentropy enabled FIPS",
                            "    provider (LP: #2141941)",
                            "",
                            "  [ Ravi Kant Sharma ]",
                            "  * Merge with Debian unstable (LP: #2141708). Remaining changes:",
                            "    - d/p/regex_match_ecp_nistp521-ppc64.patch",
                            "    - Use perl:native in the autopkgtest for installability on i386.",
                            "    - Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl",
                            "    - Disable LTO with which the codebase is generally incompatible",
                            "      (LP #2058017)",
                            "    - Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins",
                            "    - Don't enable or package anything FIPS (LP #2087955)",
                            "    - Match last filename for output in ecp_nistp521-ppc64.pl (LP #2137464)",
                            "    - Enable CPU jitter fluctuations",
                            "    - fips patches (debian/patches/fips):",
                            "      - crypto: Add kernel FIPS mode detection",
                            "      - crypto: Automatically use the FIPS provider...",
                            "      - apps/speed: Omit unavailable algorithms in FIPS mode",
                            "      - apps: pass -propquery arg to the libctx DRBG fetches",
                            "      - test: Ensure encoding runs with the correct context...",
                            "      - Add Ubuntu-specific defines to help FIPS certification (LP #2073991)",
                            "        + UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH",
                            "        + UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE",
                            "      - Detect FIPS jitterentropy mode and load jitterentropy enabled FIPS",
                            "        provider",
                            "  * Refreshed patches",
                            "    - fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch",
                            "    - fips/two-defines-for-fips-in-libssl-dev-headers.patch",
                            "    - fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.5.5-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2141941,
                            2141708
                        ],
                        "author": "Ravi Kant Sharma <ravi.kant.sharma@canonical.com>",
                        "date": "Sun, 15 Feb 2026 14:56:21 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-11187",
                                "url": "https://ubuntu.com/security/CVE-2025-11187",
                                "cve_description": "Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification.  Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations.  When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference.  Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity.  The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue.  OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15467",
                                "url": "https://ubuntu.com/security/CVE-2025-15467",
                                "cve_description": "Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.  Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.  When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.  Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.  OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. 
Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15468",
                                "url": "https://ubuntu.com/security/CVE-2025-15468",
                                "cve_description": "Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs.  Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service.  Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported.  As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity.  The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support.  The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.  OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15469",
                                "url": "https://ubuntu.com/security/CVE-2025-15469",
                                "cve_description": "Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error.  Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated.  When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath.  The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected.  The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary.  OpenSSL 3.5 and 3.6 are vulnerable to this issue.  OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-66199",
                                "url": "https://ubuntu.com/security/CVE-2025-66199",
                                "cve_description": "Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit.  Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service).  In affected configurations, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. This length is not bounded by the max_cert_list setting, which otherwise constrains certificate message sizes. An attacker can exploit this to cause large per-connection allocations followed by handshake failure. No memory corruption or information disclosure occurs.  This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. Servers that do not request client certificates are not vulnerable to client-initiated attacks.  Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION to disable receiving compressed certificates.  The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.  OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68160",
                                "url": "https://ubuntu.com/security/CVE-2025-68160",
                                "cve_description": "Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.  Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.  The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. 
For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69418",
                                "url": "https://ubuntu.com/security/CVE-2025-69418",
                                "cve_description": "Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69419",
                                "url": "https://ubuntu.com/security/CVE-2025-69419",
                                "cve_description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.  Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.  The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer.  The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. 
Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69420",
                                "url": "https://ubuntu.com/security/CVE-2025-69420",
                                "cve_description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.  Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69421",
                                "url": "https://ubuntu.com/security/CVE-2025-69421",
                                "cve_description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.  Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.  The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.  Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-22795",
                                "url": "https://ubuntu.com/security/CVE-2026-22795",
                                "cve_description": "Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.  Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.  A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.  The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-22796",
                                "url": "https://ubuntu.com/security/CVE-2026-22796",
                                "cve_description": "Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.  Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Import 3.5.5",
                            "   - CVE-2025-11187 (Improper validation of PBMAC1 parameters in PKCS#12 MAC",
                            "     verification)",
                            "   - CVE-2025-15467 (Stack buffer overflow in CMS AuthEnvelopedData parsing)",
                            "   - CVE-2025-15468 (NULL dereference in SSL_CIPHER_find() function on unknown",
                            "     cipher ID)",
                            "   - CVE-2025-15469 (\"openssl dgst\" one-shot codepath silently truncates inputs",
                            "     >16MB)",
                            "   - CVE-2025-66199 (TLS 1.3 CompressedCertificate excessive memory allocation)",
                            "   - CVE-2025-68160 (Heap out-of-bounds write in BIO_f_linebuffer on short",
                            "     writes)",
                            "   - CVE-2025-69418 (Unauthenticated/unencrypted trailing bytes with low-level",
                            "     OCB function calls)",
                            "   - CVE-2025-69419 (Out of bounds write in PKCS12_get_friendlyname() UTF-8",
                            "     conversion)",
                            "   - CVE-2025-69420 (Missing ASN1_TYPE validation in TS_RESP_verify_response()",
                            "     function)",
                            "   - CVE-2025-69421 (NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex",
                            "     function)",
                            "   - CVE-2026-22795 (Missing ASN1_TYPE validation in PKCS#12 parsing)",
                            "   - CVE-2026-22796 (ASN1_TYPE Type Confusion in the",
                            "     PKCS7_digest_from_attributes() function)",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.5.5-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sebastian Andrzej Siewior <sebastian@breakpoint.cc>",
                        "date": "Tue, 27 Jan 2026 21:09:55 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-9230",
                                "url": "https://ubuntu.com/security/CVE-2025-9230",
                                "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.  Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.  Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-9231",
                                "url": "https://ubuntu.com/security/CVE-2025-9231",
                                "cve_description": "Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.  Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker.  While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.  OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts.  However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-9232",
                                "url": "https://ubuntu.com/security/CVE-2025-9232",
                                "cve_description": "Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.  Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.  The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.  In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.  The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Match last filename for output in ecp_nistp521-ppc64.pl (LP: #2137464)",
                            "    - d/p/regex_match_ecp_nistp521-ppc64.patch",
                            "  * Drop patches, merged upstream",
                            "    - d/p/CVE-2025-9230.patch",
                            "    - d/p/CVE-2025-9231-1.patch",
                            "    - d/p/CVE-2025-9231-2.patch",
                            "    - d/p/CVE-2025-9232.patch ",
                            "  * Merge with Debian unstable (LP: #2133492). Remaining changes:",
                            "    - Use perl:native in the autopkgtest for installability on i386.",
                            "    - Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl",
                            "    - Disable LTO with which the codebase is generally incompatible (LP #2058017)",
                            "    - Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins",
                            "    - Don't enable or package anything FIPS (LP #2087955)",
                            "    - Match last filename for output in ecp_nistp521-ppc64.pl (LP #2137464)",
                            "    - fips patches (debian/patches/fips):",
                            "      - crypto: Add kernel FIPS mode detection",
                            "      - crypto: Automatically use the FIPS provider...",
                            "      - apps/speed: Omit unavailable algorithms in FIPS mode",
                            "      - apps: pass -propquery arg to the libctx DRBG fetches",
                            "      - test: Ensure encoding runs with the correct context...",
                            "      - Add Ubuntu-specific defines to help FIPS certification (LP #2073991)",
                            "        + UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH",
                            "        + UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.5.4-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2137464,
                            2133492
                        ],
                        "author": "Ravi Kant Sharma <ravi.kant.sharma@canonical.com>",
                        "date": "Thu, 08 Jan 2026 15:53:39 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-9230",
                                "url": "https://ubuntu.com/security/CVE-2025-9230",
                                "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.  Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.  Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-9231",
                                "url": "https://ubuntu.com/security/CVE-2025-9231",
                                "cve_description": "Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.  Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker.  While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.  OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts.  However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-9232",
                                "url": "https://ubuntu.com/security/CVE-2025-9232",
                                "cve_description": "Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.  Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.  The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.  In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.  The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Import 3.5.4",
                            "   - CVE-2025-9230 (Out-of-bounds read & write in RFC 3211 KEK Unwrap)",
                            "   - CVE-2025-9231 (Timing side-channel in SM2 algorithm on 64 bit ARM)",
                            "   - CVE-2025-9232 (Out-of-bounds read in HTTP client no_proxy handling)",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.5.4-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sebastian Andrzej Siewior <sebastian@breakpoint.cc>",
                        "date": "Tue, 30 Sep 2025 21:54:39 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssl-provider-legacy",
                "from_version": {
                    "source_package_name": "openssl",
                    "source_package_version": "3.5.3-1ubuntu2",
                    "version": "3.5.3-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "openssl",
                    "source_package_version": "3.5.5-1ubuntu1",
                    "version": "3.5.5-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-11187",
                        "url": "https://ubuntu.com/security/CVE-2025-11187",
                        "cve_description": "Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification.  Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations.  When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference.  Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity.  The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue.  OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15467",
                        "url": "https://ubuntu.com/security/CVE-2025-15467",
                        "cve_description": "Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.  Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.  When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.  Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.  OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15468",
                        "url": "https://ubuntu.com/security/CVE-2025-15468",
                        "cve_description": "Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs.  Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service.  Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported.  As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity.  The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support.  The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.  OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15469",
                        "url": "https://ubuntu.com/security/CVE-2025-15469",
                        "cve_description": "Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error.  Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated.  When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath.  The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected.  The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary.  OpenSSL 3.5 and 3.6 are vulnerable to this issue.  OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-66199",
                        "url": "https://ubuntu.com/security/CVE-2025-66199",
                        "cve_description": "Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit.  Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service).  In affected configurations, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. This length is not bounded by the max_cert_list setting, which otherwise constrains certificate message sizes. An attacker can exploit this to cause large per-connection allocations followed by handshake failure. No memory corruption or information disclosure occurs.  This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. Servers that do not request client certificates are not vulnerable to client-initiated attacks.  Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION to disable receiving compressed certificates.  The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.  OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-68160",
                        "url": "https://ubuntu.com/security/CVE-2025-68160",
                        "cve_description": "Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.  Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.  The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. 
For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69418",
                        "url": "https://ubuntu.com/security/CVE-2025-69418",
                        "cve_description": "Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69419",
                        "url": "https://ubuntu.com/security/CVE-2025-69419",
                        "cve_description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.  Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.  The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer.  The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. 
Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69420",
                        "url": "https://ubuntu.com/security/CVE-2025-69420",
                        "cve_description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.  Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. 
Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-69421",
                        "url": "https://ubuntu.com/security/CVE-2025-69421",
                        "cve_description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.  Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.  The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.  Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. 
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-22795",
                        "url": "https://ubuntu.com/security/CVE-2026-22795",
                        "cve_description": "Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.  Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.  A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.  The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. 
This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-22796",
                        "url": "https://ubuntu.com/security/CVE-2026-22796",
                        "cve_description": "Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.  Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. 
The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-01-27 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9230",
                        "url": "https://ubuntu.com/security/CVE-2025-9230",
                        "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.  Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.  Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9231",
                        "url": "https://ubuntu.com/security/CVE-2025-9231",
                        "cve_description": "Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.  Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker..  While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.  OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts.  However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9232",
                        "url": "https://ubuntu.com/security/CVE-2025-9232",
                        "cve_description": "Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.  Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.  The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.  In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.  The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9230",
                        "url": "https://ubuntu.com/security/CVE-2025-9230",
                        "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.  Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.  Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9231",
                        "url": "https://ubuntu.com/security/CVE-2025-9231",
                        "cve_description": "Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.  Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker..  While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.  OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts.  However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-9232",
                        "url": "https://ubuntu.com/security/CVE-2025-9232",
                        "cve_description": "Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.  Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.  The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.  In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.  The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.",
                        "cve_priority": "low",
                        "cve_public_date": "2025-09-30 14:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2141941,
                    2141708,
                    2137464,
                    2133492
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Eric Berry ]",
                            "  * Enable CPU jitter fluctuations",
                            "  * Detect FIPS jitterentropy mode and load jitterentropy enabled FIPS",
                            "    provider (LP: #2141941)",
                            "",
                            "  [ Ravi Kant Sharma ]",
                            "  * Merge with Debian unstable (LP: #2141708). Remaining changes:",
                            "    - d/p/regex_match_ecp_nistp521-ppc64.patch",
                            "    - Use perl:native in the autopkgtest for installability on i386.",
                            "    - Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl",
                            "    - Disable LTO with which the codebase is generally incompatible",
                            "      (LP #2058017)",
                            "    - Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins",
                            "    - Don't enable or package anything FIPS (LP #2087955)",
                            "    - Match last filename for output in ecp_nistp521-ppc64.pl (LP #2137464)",
                            "    - Enable CPU jitter fluctuations",
                            "    - fips patches (debian/patches/fips):",
                            "      - crypto: Add kernel FIPS mode detection",
                            "      - crypto: Automatically use the FIPS provider...",
                            "      - apps/speed: Omit unavailable algorithms in FIPS mode",
                            "      - apps: pass -propquery arg to the libctx DRBG fetches",
                            "      - test: Ensure encoding runs with the correct context...",
                            "      - Add Ubuntu-specific defines to help FIPS certification (LP #2073991)",
                            "        + UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH",
                            "        + UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE",
                            "      - Detect FIPS jitterentropy mode and load jitterentropy enabled FIPS",
                            "        provider",
                            "  * Refreshed patches",
                            "    - fips/test-Ensure-encoding-runs-with-the-correct-context-during.patch",
                            "    - fips/two-defines-for-fips-in-libssl-dev-headers.patch",
                            "    - fips/crypto-Automatically-use-the-FIPS-provider-when-the-kerne.patch",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.5.5-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2141941,
                            2141708
                        ],
                        "author": "Ravi Kant Sharma <ravi.kant.sharma@canonical.com>",
                        "date": "Sun, 15 Feb 2026 14:56:21 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-11187",
                                "url": "https://ubuntu.com/security/CVE-2025-11187",
                                "cve_description": "Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification.  Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations.  When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference.  Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity.  The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue.  OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15467",
                                "url": "https://ubuntu.com/security/CVE-2025-15467",
                                "cve_description": "Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow.  Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.  When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs.  Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.  OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. 
Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15468",
                                "url": "https://ubuntu.com/security/CVE-2025-15468",
                                "cve_description": "Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs.  Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service.  Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported.  As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity.  The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support.  The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.  OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15469",
                                "url": "https://ubuntu.com/security/CVE-2025-15469",
                                "cve_description": "Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error.  Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated.  When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath.  The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected.  The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary.  OpenSSL 3.5 and 3.6 are vulnerable to this issue.  OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-66199",
                                "url": "https://ubuntu.com/security/CVE-2025-66199",
                                "cve_description": "Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit.  Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service).  In affected configurations, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. This length is not bounded by the max_cert_list setting, which otherwise constrains certificate message sizes. An attacker can exploit this to cause large per-connection allocations followed by handshake failure. No memory corruption or information disclosure occurs.  This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. Servers that do not request client certificates are not vulnerable to client-initiated attacks.  Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION to disable receiving compressed certificates.  The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.  OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-68160",
                                "url": "https://ubuntu.com/security/CVE-2025-68160",
                                "cve_description": "Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.  Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.  The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. 
For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69418",
                                "url": "https://ubuntu.com/security/CVE-2025-69418",
                                "cve_description": "Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated.  Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection.  The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes.  However, typical OpenSSL consumers using EVP are not affected because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites. The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69419",
                                "url": "https://ubuntu.com/security/CVE-2025-69419",
                                "cve_description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.  Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.  The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer.  The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. 
Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69420",
                                "url": "https://ubuntu.com/security/CVE-2025-69420",
                                "cve_description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.  Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. 
Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-69421",
                                "url": "https://ubuntu.com/security/CVE-2025-69421",
                                "cve_description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.  Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.  The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.  Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.  The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. 
OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-22795",
                                "url": "https://ubuntu.com/security/CVE-2026-22795",
                                "cve_description": "Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.  Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.  A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.  The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.  OpenSSL 1.0.2 is not affected by this issue. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. 
This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-22796",
                                "url": "https://ubuntu.com/security/CVE-2026-22796",
                                "cve_description": "Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.  Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.  The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.  Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.  The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.  OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. 
The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-01-27 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Import 3.5.5",
                            "   - CVE-2025-11187 (Improper validation of PBMAC1 parameters in PKCS#12 MAC",
                            "     verification)",
                            "   - CVE-2025-15467 (Stack buffer overflow in CMS AuthEnvelopedData parsing)",
                            "   - CVE-2025-15468 (NULL dereference in SSL_CIPHER_find() function on unknown",
                            "     cipher ID)",
                            "   - CVE-2025-15469 (\"openssl dgst\" one-shot codepath silently truncates inputs",
                            "     >16MB)",
                            "   - CVE-2025-66199 (TLS 1.3 CompressedCertificate excessive memory allocation)",
                            "   - CVE-2025-68160 (Heap out-of-bounds write in BIO_f_linebuffer on short",
                            "     writes)",
                            "   - CVE-2025-69418 (Unauthenticated/unencrypted trailing bytes with low-level",
                            "     OCB function calls)",
                            "   - CVE-2025-69419 (Out of bounds write in PKCS12_get_friendlyname() UTF-8",
                            "     conversion)",
                            "   - CVE-2025-69420 (Missing ASN1_TYPE validation in TS_RESP_verify_response()",
                            "     function)",
                            "   - CVE-2025-69421 (NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex",
                            "     function)",
                            "   - CVE-2026-22795 (Missing ASN1_TYPE validation in PKCS#12 parsing)",
                            "   - CVE-2026-22796 (ASN1_TYPE Type Confusion in the",
                            "     PKCS7_digest_from_attributes() function)",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.5.5-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sebastian Andrzej Siewior <sebastian@breakpoint.cc>",
                        "date": "Tue, 27 Jan 2026 21:09:55 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-9230",
                                "url": "https://ubuntu.com/security/CVE-2025-9230",
                                "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.  Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.  Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-9231",
                                "url": "https://ubuntu.com/security/CVE-2025-9231",
                                "cve_description": "Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.  Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker..  While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.  OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts.  However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-9232",
                                "url": "https://ubuntu.com/security/CVE-2025-9232",
                                "cve_description": "Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.  Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.  The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.  In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.  The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Match last filename for output in ecp_nistp521-ppc64.pl (LP: #2137464)",
                            "    - d/p/regex_match_ecp_nistp521-ppc64.patch",
                            "  * Drop patches, merged upstream",
                            "    - d/p/CVE-2025-9230.patch",
                            "    - d/p/CVE-2025-9231-1.patch",
                            "    - d/p/CVE-2025-9231-2.patch",
                            "    - d/p/CVE-2025-9232.patch ",
                            "  * Merge with Debian unstable (LP: #2133492). Remaining changes:",
                            "    - Use perl:native in the autopkgtest for installability on i386.",
                            "    - Symlink copyright/changelog.Debian.gz in libssl3* to libssl-dev/openssl",
                            "    - Disable LTO with which the codebase is generally incompatible (LP #2058017)",
                            "    - Default config reads crypto-config and /etc/ssl/openssl.cnf.d dropins",
                            "    - Don't enable or package anything FIPS (LP #2087955)",
                            "    - Match last filename for output in ecp_nistp521-ppc64.pl (LP #2137464)",
                            "    - fips patches (debian/patches/fips):",
                            "      - crypto: Add kernel FIPS mode detection",
                            "      - crypto: Automatically use the FIPS provider...",
                            "      - apps/speed: Omit unavailable algorithms in FIPS mode",
                            "      - apps: pass -propquery arg to the libctx DRBG fetches",
                            "      - test: Ensure encoding runs with the correct context...",
                            "      - Add Ubuntu-specific defines to help FIPS certification (LP #2073991)",
                            "        + UBUNTU_OSSL_SELF_TEST_DESC_PCT_DH",
                            "        + UBUNTU_OSSL_PROV_FIPS_PARAM_UNAPPROVED_USAGE",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.5.4-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2137464,
                            2133492
                        ],
                        "author": "Ravi Kant Sharma <ravi.kant.sharma@canonical.com>",
                        "date": "Thu, 08 Jan 2026 15:53:39 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-9230",
                                "url": "https://ubuntu.com/security/CVE-2025-9230",
                                "cve_description": "Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.  Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.  Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-9231",
                                "url": "https://ubuntu.com/security/CVE-2025-9231",
                                "cve_description": "Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.  Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker..  While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.  OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts.  However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-9232",
                                "url": "https://ubuntu.com/security/CVE-2025-9232",
                                "cve_description": "Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.  Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.  The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.  In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.  The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.  The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.",
                                "cve_priority": "low",
                                "cve_public_date": "2025-09-30 14:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Import 3.5.4",
                            "   - CVE-2025-9230 (Out-of-bounds read & write in RFC 3211 KEK Unwrap)",
                            "   - CVE-2025-9231 (Timing side-channel in SM2 algorithm on 64 bit ARM)",
                            "   - CVE-2025-9232 (Out-of-bounds read in HTTP client no_proxy handling)",
                            ""
                        ],
                        "package": "openssl",
                        "version": "3.5.4-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sebastian Andrzej Siewior <sebastian@breakpoint.cc>",
                        "date": "Tue, 30 Sep 2025 21:54:39 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "overlayroot",
                "from_version": {
                    "source_package_name": "cloud-initramfs-tools",
                    "source_package_version": "0.52",
                    "version": "0.52"
                },
                "to_version": {
                    "source_package_name": "cloud-initramfs-tools",
                    "source_package_version": "0.55",
                    "version": "0.55"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2125790,
                    2142564
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Benjamin Drung ]",
                            "  * copymods: enable by default when using dracut",
                            ""
                        ],
                        "package": "cloud-initramfs-tools",
                        "version": "0.55",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paride Legovini <paride@ubuntu.com>",
                        "date": "Thu, 05 Mar 2026 18:59:57 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * autopkgtest: explicitly pull in dracut for rooturl test",
                            "  * dyn-netconf: support dracut by pulling in systemd-networkd (LP: #2125790)",
                            "  * Drop redundant priority optional",
                            "  * Bump Standards-Version to 4.7.3",
                            "  * Override executable-in-usr-lib lintian warning for Dracut modules dir",
                            ""
                        ],
                        "package": "cloud-initramfs-tools",
                        "version": "0.54",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2125790
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 10:31:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Benjamin Drung ]",
                            "  * rooturl: use systemd-import on Dracut to support tarballs (LP: #2142564)",
                            ""
                        ],
                        "package": "cloud-initramfs-tools",
                        "version": "0.53",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142564
                        ],
                        "author": "Paride Legovini <paride@ubuntu.com>",
                        "date": "Tue, 24 Feb 2026 12:30:44 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "perl",
                "from_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-6build1",
                    "version": "5.40.1-6build1"
                },
                "to_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-7build1",
                    "version": "5.40.1-7build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Reupload to resolute",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.40.1-7build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Sebastien Bacher <seb128@ubuntu.com>",
                        "date": "Tue, 17 Mar 2026 11:45:39 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Helmut Grohne ]",
                            "  * Add libcrypt-dev to libperl-dev's Depends. (Closes: #1102978)",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.40.1-7",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Niko Tyni <ntyni@debian.org>",
                        "date": "Sun, 16 Nov 2025 22:01:11 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "perl-base",
                "from_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-6build1",
                    "version": "5.40.1-6build1"
                },
                "to_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-7build1",
                    "version": "5.40.1-7build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Reupload to resolute",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.40.1-7build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Sebastien Bacher <seb128@ubuntu.com>",
                        "date": "Tue, 17 Mar 2026 11:45:39 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Helmut Grohne ]",
                            "  * Add libcrypt-dev to libperl-dev's Depends. (Closes: #1102978)",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.40.1-7",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Niko Tyni <ntyni@debian.org>",
                        "date": "Sun, 16 Nov 2025 22:01:11 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "perl-modules-5.40",
                "from_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-6build1",
                    "version": "5.40.1-6build1"
                },
                "to_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-7build1",
                    "version": "5.40.1-7build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Reupload to resolute",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.40.1-7build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Sebastien Bacher <seb128@ubuntu.com>",
                        "date": "Tue, 17 Mar 2026 11:45:39 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Helmut Grohne ]",
                            "  * Add libcrypt-dev to libperl-dev's Depends. (Closes: #1102978)",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.40.1-7",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Niko Tyni <ntyni@debian.org>",
                        "date": "Sun, 16 Nov 2025 22:01:11 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "plymouth",
                "from_version": {
                    "source_package_name": "plymouth",
                    "source_package_version": "24.004.60+git20250831.4a3c171d-0ubuntu6",
                    "version": "24.004.60+git20250831.4a3c171d-0ubuntu6"
                },
                "to_version": {
                    "source_package_name": "plymouth",
                    "source_package_version": "24.004.60+git20250831.4a3c171d-0ubuntu8",
                    "version": "24.004.60+git20250831.4a3c171d-0ubuntu8"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2116296
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/local/spinner:",
                            "    - Update spinner to use Resolute loader",
                            "    - Increase number of animation stills to 60",
                            ""
                        ],
                        "package": "plymouth",
                        "version": "24.004.60+git20250831.4a3c171d-0ubuntu8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Thu, 12 Mar 2026 15:27:04 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/force-scale-guessing.patch:",
                            "    - Always \"guess\" the device scale (LP: #2116296)",
                            ""
                        ],
                        "package": "plymouth",
                        "version": "24.004.60+git20250831.4a3c171d-0ubuntu7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2116296
                        ],
                        "author": "Daniel van Vugt <daniel.van.vugt@canonical.com>",
                        "date": "Fri, 06 Mar 2026 11:35:01 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "plymouth-theme-ubuntu-text",
                "from_version": {
                    "source_package_name": "plymouth",
                    "source_package_version": "24.004.60+git20250831.4a3c171d-0ubuntu6",
                    "version": "24.004.60+git20250831.4a3c171d-0ubuntu6"
                },
                "to_version": {
                    "source_package_name": "plymouth",
                    "source_package_version": "24.004.60+git20250831.4a3c171d-0ubuntu8",
                    "version": "24.004.60+git20250831.4a3c171d-0ubuntu8"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2116296
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/local/spinner:",
                            "    - Update spinner to use Resolute loader",
                            "    - Increase number of animation stills to 60",
                            ""
                        ],
                        "package": "plymouth",
                        "version": "24.004.60+git20250831.4a3c171d-0ubuntu8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Thu, 12 Mar 2026 15:27:04 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/force-scale-guessing.patch:",
                            "    - Always \"guess\" the device scale (LP: #2116296)",
                            ""
                        ],
                        "package": "plymouth",
                        "version": "24.004.60+git20250831.4a3c171d-0ubuntu7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2116296
                        ],
                        "author": "Daniel van Vugt <daniel.van.vugt@canonical.com>",
                        "date": "Fri, 06 Mar 2026 11:35:01 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python-apt-common",
                "from_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "3.1.0",
                    "version": "3.1.0"
                },
                "to_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "3.1.0build1",
                    "version": "3.1.0build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "python-apt",
                        "version": "3.1.0build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:05:39 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3",
                "from_version": {
                    "source_package_name": "python3-defaults",
                    "source_package_version": "3.13.9-3",
                    "version": "3.13.9-3"
                },
                "to_version": {
                    "source_package_name": "python3-defaults",
                    "source_package_version": "3.14.3-0ubuntu1",
                    "version": "3.14.3-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Remove Python 3.13 as a supported version",
                            "  * Bump version to 3.14.3",
                            ""
                        ],
                        "package": "python3-defaults",
                        "version": "3.14.3-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Graham Inggs <ginggs@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 21:32:47 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to experimental.",
                            "  * Make Python 3.14 the default version.",
                            ""
                        ],
                        "package": "python3-defaults",
                        "version": "3.14.2-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Sun, 11 Jan 2026 07:26:55 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-apport",
                "from_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.33.1-0ubuntu3",
                    "version": "2.33.1-0ubuntu3"
                },
                "to_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.33.1-0ubuntu7",
                    "version": "2.33.1-0ubuntu7"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143758,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Enable Launchpad crash reports for resolute",
                            "  * parse_segv.py: ignore registers with unavailable values (like pl3_ssp)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Thu, 26 Mar 2026 17:32:38 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update apport-kde to Qt6 (LP: 2145946)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Erich Eickmeyer <eeickmeyer@ubuntu.com>",
                        "date": "Mon, 23 Mar 2026 20:29:09 -0700"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix FTBFS due to Python 3.14 (LP: #2143758)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143758
                        ],
                        "author": "Carlos Nihelton <cnihelton@ubuntu.com>",
                        "date": "Mon, 09 Mar 2026 17:01:15 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:16:39 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-apt",
                "from_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "3.1.0",
                    "version": "3.1.0"
                },
                "to_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "3.1.0build1",
                    "version": "3.1.0build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "python-apt",
                        "version": "3.1.0build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:05:39 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-bcrypt",
                "from_version": {
                    "source_package_name": "python-bcrypt",
                    "source_package_version": "5.0.0-3",
                    "version": "5.0.0-3"
                },
                "to_version": {
                    "source_package_name": "python-bcrypt",
                    "source_package_version": "5.0.0-3build1",
                    "version": "5.0.0-3build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "python-bcrypt",
                        "version": "5.0.0-3build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:04:26 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-bpfcc",
                "from_version": {
                    "source_package_name": "bpfcc",
                    "source_package_version": "0.35.0+ds-1ubuntu1",
                    "version": "0.35.0+ds-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "bpfcc",
                    "source_package_version": "0.35.0+ds-1ubuntu2",
                    "version": "0.35.0+ds-1ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to build with LLVM 21 on amd64v3.",
                            ""
                        ],
                        "package": "bpfcc",
                        "version": "0.35.0+ds-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Mon, 16 Mar 2026 12:30:24 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-cffi-backend:armhf",
                "from_version": {
                    "source_package_name": "python-cffi",
                    "source_package_version": "2.0.0-3",
                    "version": "2.0.0-3"
                },
                "to_version": {
                    "source_package_name": "python-cffi",
                    "source_package_version": "2.0.0-3build1",
                    "version": "2.0.0-3build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "python-cffi",
                        "version": "2.0.0-3build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:05:52 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-cryptography",
                "from_version": {
                    "source_package_name": "python-cryptography",
                    "source_package_version": "43.0.0-1ubuntu1",
                    "version": "43.0.0-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "python-cryptography",
                    "source_package_version": "46.0.5-1ubuntu1",
                    "version": "46.0.5-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-26007",
                        "url": "https://ubuntu.com/security/CVE-2026-26007",
                        "cve_description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA, it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. This vulnerability is fixed in 46.0.5.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-10 22:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2144298,
                    2138182
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2144298): Remaining changes:",
                            "    - Vendor rust for Ubuntu main",
                            "      - Add a recipe in d/rules to generate the vendor tarball",
                            "      - Add vendored crates",
                            "      - Adjust dependencies version for vendored build",
                            "      - Add debian/README.source",
                            ""
                        ],
                        "package": "python-cryptography",
                        "version": "46.0.5-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144298
                        ],
                        "author": "Ravi Kant Sharma <ravi.kant.sharma@canonical.com>",
                        "date": "Fri, 13 Mar 2026 13:11:00 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26007",
                                "url": "https://ubuntu.com/security/CVE-2026-26007",
                                "cve_description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA, it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. This vulnerability is fixed in 46.0.5.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-10 22:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream version.",
                            "    + Fix CVE-2026-26007.",
                            "  * Bump Standards-Version to 4.7.3.",
                            ""
                        ],
                        "package": "python-cryptography",
                        "version": "46.0.5-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andrey Rakhmatullin <wrar@debian.org>",
                        "date": "Sat, 14 Feb 2026 18:51:07 +0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2138182): Remaining changes:",
                            "    - Vendor rust for Ubuntu main",
                            "      - Add a recipe in d/rules to generate the vendor tarball",
                            "      - Add vendored crates",
                            "      - Adjust dependencies version for vendored build",
                            "      - Add debian/README.source",
                            ""
                        ],
                        "package": "python-cryptography",
                        "version": "46.0.1-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138182
                        ],
                        "author": "Ravi Kant Sharma <ravi.kant.sharma@canonical.com>",
                        "date": "Thu, 15 Jan 2026 14:54:11 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to unstable.",
                            "  * Update for pyo3 0.27 compatibility.",
                            ""
                        ],
                        "package": "python-cryptography",
                        "version": "46.0.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andrey Rakhmatullin <wrar@debian.org>",
                        "date": "Fri, 21 Nov 2025 20:10:21 +0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to experimental.",
                            "  * New upstream version.",
                            ""
                        ],
                        "package": "python-cryptography",
                        "version": "46.0.1-1~exp1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Andrey Rakhmatullin <wrar@debian.org>",
                        "date": "Fri, 14 Nov 2025 00:22:58 +0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version.",
                            "  * Re-enable tests that required rust-openssl that wasn't yet available.",
                            ""
                        ],
                        "package": "python-cryptography",
                        "version": "45.0.7-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andrey Rakhmatullin <wrar@debian.org>",
                        "date": "Thu, 13 Nov 2025 13:46:52 +0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to unstable.",
                            ""
                        ],
                        "package": "python-cryptography",
                        "version": "45.0.6-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andrey Rakhmatullin <wrar@debian.org>",
                        "date": "Mon, 03 Nov 2025 02:18:52 +0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to experimental.",
                            "  * New upstream version.",
                            "  * Drop the Priority field.",
                            ""
                        ],
                        "package": "python-cryptography",
                        "version": "45.0.6-1~exp1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Andrey Rakhmatullin <wrar@debian.org>",
                        "date": "Wed, 29 Oct 2025 23:39:44 +0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Team upload.",
                            "  * Accept pyo3 0.26.",
                            ""
                        ],
                        "package": "python-cryptography",
                        "version": "44.0.2-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Colin Watson <cjwatson@debian.org>",
                        "date": "Mon, 13 Oct 2025 11:36:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version.",
                            "  * Build with rust-pyo3 0.25 (Closes: #1115569).",
                            "  * Drop the Priority field.",
                            ""
                        ],
                        "package": "python-cryptography",
                        "version": "44.0.2-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andrey Rakhmatullin <wrar@debian.org>",
                        "date": "Fri, 19 Sep 2025 11:47:01 +0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Peter Michael Green ]",
                            "  * Fix overly strict build-dependency for cc crate (Closes: #1104046).",
                            "",
                            "  [ Andrey Rakhmatullin ]",
                            "  * Bump Standards-Version to 4.7.2.",
                            "  * Remove Rules-Requires-Root.",
                            "  * Remove no longer needed Python 3 mentions from the package description.",
                            ""
                        ],
                        "package": "python-cryptography",
                        "version": "43.0.0-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andrey Rakhmatullin <wrar@debian.org>",
                        "date": "Fri, 25 Apr 2025 11:17:42 +0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Restore B-D: python3-setuptools (Closes: #1100262).",
                            "  * Update to librust-asn1-0.20-dev, add upstream patches for compatibility",
                            "    with it (Closes: #1101438).",
                            "  * Disable DH_VERBOSE.",
                            ""
                        ],
                        "package": "python-cryptography",
                        "version": "43.0.0-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andrey Rakhmatullin <wrar@debian.org>",
                        "date": "Sat, 29 Mar 2025 01:20:16 +0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-dbus",
                "from_version": {
                    "source_package_name": "dbus-python",
                    "source_package_version": "1.4.0-1build1",
                    "version": "1.4.0-1build1"
                },
                "to_version": {
                    "source_package_name": "dbus-python",
                    "source_package_version": "1.4.0-1build2",
                    "version": "1.4.0-1build2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "dbus-python",
                        "version": "1.4.0-1build2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:19:06 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-debconf",
                "from_version": {
                    "source_package_name": "debconf",
                    "source_package_version": "1.5.91",
                    "version": "1.5.91"
                },
                "to_version": {
                    "source_package_name": "debconf",
                    "source_package_version": "1.5.92",
                    "version": "1.5.92"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Add BMP version of debian-logo.",
                            ""
                        ],
                        "package": "debconf",
                        "version": "1.5.92",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Colin Watson <cjwatson@debian.org>",
                        "date": "Mon, 16 Feb 2026 17:48:32 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-distro-info",
                "from_version": {
                    "source_package_name": "distro-info",
                    "source_package_version": "1.14build1",
                    "version": "1.14build1"
                },
                "to_version": {
                    "source_package_name": "distro-info",
                    "source_package_version": "1.15",
                    "version": "1.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * test: Fix testAlias when SOURCE_DATE_EPOCH is set to 2030 (Closes: #1127115)",
                            "  * Remove redundant Rules-Requires-Root",
                            "  * Remove redundant priority optional field",
                            "  * Bump Standards-Version to 4.7.3",
                            ""
                        ],
                        "package": "distro-info",
                        "version": "1.15",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Mon, 16 Feb 2026 23:18:29 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-distupgrade",
                "from_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:26.04.8",
                    "version": "1:26.04.8"
                },
                "to_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:26.04.9",
                    "version": "1:26.04.9"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2141637
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No change rebuild against `update-manager` (LP: #2141637)",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:26.04.9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2141637
                        ],
                        "author": "Florent 'Skia' Jacquet <skia@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 12:30:25 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-gdbm",
                "from_version": {
                    "source_package_name": "python3-defaults",
                    "source_package_version": "3.13.9-3",
                    "version": "3.13.9-3"
                },
                "to_version": {
                    "source_package_name": "python3-defaults",
                    "source_package_version": "3.14.3-0ubuntu1",
                    "version": "3.14.3-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Remove Python 3.13 as a supported version",
                            "  * Bump version to 3.14.3",
                            ""
                        ],
                        "package": "python3-defaults",
                        "version": "3.14.3-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Graham Inggs <ginggs@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 21:32:47 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to experimental.",
                            "  * Make Python 3.14 the default version.",
                            ""
                        ],
                        "package": "python3-defaults",
                        "version": "3.14.2-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Sun, 11 Jan 2026 07:26:55 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-gi",
                "from_version": {
                    "source_package_name": "pygobject",
                    "source_package_version": "3.54.5-7ubuntu1",
                    "version": "3.54.5-7ubuntu1"
                },
                "to_version": {
                    "source_package_name": "pygobject",
                    "source_package_version": "3.56.1-2",
                    "version": "3.56.1-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Team upload",
                            "  * Upload to unstable",
                            ""
                        ],
                        "package": "pygobject",
                        "version": "3.56.1-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon McVittie <smcv@debian.org>",
                        "date": "Sun, 15 Mar 2026 17:28:53 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Team upload",
                            "  * New upstream release",
                            "  * d/patches: Drop all patches, applied upstream",
                            "  * Standards-Version: 4.7.3.",
                            "    Remove Priority field, no longer required",
                            "  * d/source/lintian-overrides: Ignore some references to distutils and pipes.",
                            "    These are only used conditionally, so we don't need deprecation warnings.",
                            ""
                        ],
                        "package": "pygobject",
                        "version": "3.56.1-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Simon McVittie <smcv@debian.org>",
                        "date": "Fri, 13 Mar 2026 16:53:32 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/p: Backport patch relaxing a threading assertion that affects tuned",
                            ""
                        ],
                        "package": "pygobject",
                        "version": "3.55.3-3",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 01:04:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p: Cherry-pick upstream patch to handle caller-allocated C-arrays",
                            "  * d/p: Properly parse array length on big-endian",
                            ""
                        ],
                        "package": "pygobject",
                        "version": "3.55.3-2",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 00:27:22 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Alessandro Astone ]",
                            "  * New upstream release",
                            ""
                        ],
                        "package": "pygobject",
                        "version": "3.55.3-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Marco Trevisan (Treviño) <marco@ubuntu.com>",
                        "date": "Thu, 19 Feb 2026 10:55:00 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-jinja2",
                "from_version": {
                    "source_package_name": "jinja2",
                    "source_package_version": "3.1.6-1",
                    "version": "3.1.6-1"
                },
                "to_version": {
                    "source_package_name": "jinja2",
                    "source_package_version": "3.1.6-1build1",
                    "version": "3.1.6-1build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "jinja2",
                        "version": "3.1.6-1build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:28:35 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-markupsafe",
                "from_version": {
                    "source_package_name": "markupsafe",
                    "source_package_version": "3.0.3-1",
                    "version": "3.0.3-1"
                },
                "to_version": {
                    "source_package_name": "markupsafe",
                    "source_package_version": "3.0.3-1build1",
                    "version": "3.0.3-1build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "markupsafe",
                        "version": "3.0.3-1build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:05:08 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-minimal",
                "from_version": {
                    "source_package_name": "python3-defaults",
                    "source_package_version": "3.13.9-3",
                    "version": "3.13.9-3"
                },
                "to_version": {
                    "source_package_name": "python3-defaults",
                    "source_package_version": "3.14.3-0ubuntu1",
                    "version": "3.14.3-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Remove Python 3.13 as a supported version",
                            "  * Bump version to 3.14.3",
                            ""
                        ],
                        "package": "python3-defaults",
                        "version": "3.14.3-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Graham Inggs <ginggs@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 21:32:47 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to experimental.",
                            "  * Make Python 3.14 the default version.",
                            ""
                        ],
                        "package": "python3-defaults",
                        "version": "3.14.2-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Sun, 11 Jan 2026 07:26:55 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-netplan",
                "from_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2-1ubuntu1",
                    "version": "1.2-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "netplan.io",
                    "source_package_version": "1.2-1ubuntu3",
                    "version": "1.2-1ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2139598,
                    2138802
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patches/lp2139598-execute-udev-rules-before-sriov-apply-service.patch:",
                            "    execute udev rules before starting sriov apply service (LP: #2139598)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2139598
                        ],
                        "author": "Robert Malz <robert.malz@canonical.com>",
                        "date": "Tue, 03 Mar 2026 12:44:43 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/lp-2138802-BlockingIOError-py314.patch: fix \"netplan try\" with python",
                            "    3.14 by handling BlockingIOError in addition to TypeError (LP: #2138802)",
                            ""
                        ],
                        "package": "netplan.io",
                        "version": "1.2-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138802
                        ],
                        "author": "Andreas Hasenack <andreas.hasenack@canonical.com>",
                        "date": "Fri, 20 Feb 2026 11:25:14 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-openssl",
                "from_version": {
                    "source_package_name": "pyopenssl",
                    "source_package_version": "25.1.0-1",
                    "version": "25.1.0-1"
                },
                "to_version": {
                    "source_package_name": "pyopenssl",
                    "source_package_version": "25.3.0-1ubuntu1",
                    "version": "25.3.0-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-27448",
                        "url": "https://ubuntu.com/security/CVE-2026-27448",
                        "cve_description": "pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it. Starting in version 26.0.0, unhandled exceptions now result in rejecting the connection.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-03-18 00:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-27459",
                        "url": "https://ubuntu.com/security/CVE-2026-27459",
                        "cve_description": "pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 00:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-27448",
                                "url": "https://ubuntu.com/security/CVE-2026-27448",
                                "cve_description": "pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying on this callback for any security-sensitive behavior, this could allow bypassing it. Starting in version 26.0.0, unhandled exceptions now result in rejecting the connection.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-03-18 00:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-27459",
                                "url": "https://ubuntu.com/security/CVE-2026-27459",
                                "cve_description": "pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Starting in version 26.0.0, cookie values that are too long are now rejected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 00:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Unhandled exceptions in set_tlsext_servername_callback",
                            "    - debian/patches/CVE-2026-27448.patch: handle exceptions in callbacks",
                            "      in src/OpenSSL/SSL.py, tests/test_ssl.py.",
                            "    - CVE-2026-27448",
                            "  * SECURITY UPDATE: Buffer overflow via DTLS cookie callback",
                            "    - debian/patches/CVE-2026-27459.patch: fix buffer overflow in DTLS",
                            "      cookie generation callback in src/OpenSSL/SSL.py, tests/test_ssl.py.",
                            "    - CVE-2026-27459",
                            ""
                        ],
                        "package": "pyopenssl",
                        "version": "25.3.0-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 18 Mar 2026 13:22:16 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Rebuild to clear amd64v3 from FTBFS report",
                            ""
                        ],
                        "package": "pyopenssl",
                        "version": "25.3.0-1build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Jeremy Bícha <jbicha@ubuntu.com>",
                        "date": "Thu, 12 Feb 2026 08:41:05 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version.",
                            "  * Migrate to pybuild-plugin-pyproject.",
                            ""
                        ],
                        "package": "pyopenssl",
                        "version": "25.3.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andrey Rakhmatullin <wrar@debian.org>",
                        "date": "Fri, 14 Nov 2025 01:50:45 +0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix the maximum supported version of python3-cryptography.",
                            "  * Drop the Priority field.",
                            ""
                        ],
                        "package": "pyopenssl",
                        "version": "25.1.0-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andrey Rakhmatullin <wrar@debian.org>",
                        "date": "Thu, 30 Oct 2025 17:18:11 +0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-packaging",
                "from_version": {
                    "source_package_name": "python-packaging",
                    "source_package_version": "25.0-2",
                    "version": "25.0-2"
                },
                "to_version": {
                    "source_package_name": "python-packaging",
                    "source_package_version": "26.0-1",
                    "version": "26.0-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Team upload.",
                            "  * New upstream release.",
                            "  * d/watch: Mangle pre-release versions.",
                            ""
                        ],
                        "package": "python-packaging",
                        "version": "26.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Colin Watson <cjwatson@debian.org>",
                        "date": "Wed, 11 Mar 2026 17:37:30 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-pkg-resources",
                "from_version": {
                    "source_package_name": "setuptools",
                    "source_package_version": "78.1.1-0.1",
                    "version": "78.1.1-0.1"
                },
                "to_version": {
                    "source_package_name": "setuptools",
                    "source_package_version": "78.1.1-0.1build1",
                    "version": "78.1.1-0.1build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "setuptools",
                        "version": "78.1.1-0.1build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:41:46 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-problem-report",
                "from_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.33.1-0ubuntu3",
                    "version": "2.33.1-0ubuntu3"
                },
                "to_version": {
                    "source_package_name": "apport",
                    "source_package_version": "2.33.1-0ubuntu7",
                    "version": "2.33.1-0ubuntu7"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143758,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Enable Launchpad crash reports for resolute",
                            "  * parse_segv.py: ignore registers with unavailable values (like pl3_ssp)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Thu, 26 Mar 2026 17:32:38 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update apport-kde to Qt6 (LP: 2145946)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Erich Eickmeyer <eeickmeyer@ubuntu.com>",
                        "date": "Mon, 23 Mar 2026 20:29:09 -0700"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix FTBFS due to Python 3.14 (LP: #2143758)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143758
                        ],
                        "author": "Carlos Nihelton <cnihelton@ubuntu.com>",
                        "date": "Mon, 09 Mar 2026 17:01:15 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "apport",
                        "version": "2.33.1-0ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:16:39 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-pyasn1",
                "from_version": {
                    "source_package_name": "pyasn1",
                    "source_package_version": "0.6.2-1",
                    "version": "0.6.2-1"
                },
                "to_version": {
                    "source_package_name": "pyasn1",
                    "source_package_version": "0.6.3-1",
                    "version": "0.6.3-1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-30922",
                        "url": "https://ubuntu.com/security/CVE-2026-30922",
                        "cve_description": "pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with \"Indefinite Length\" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 04:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-30922",
                                "url": "https://ubuntu.com/security/CVE-2026-30922",
                                "cve_description": "pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with \"Indefinite Length\" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 04:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream version 0.6.3 (Closes: #1131371) with fix for",
                            "    CVE-2026-30922: Denial of Service attack caused by uncontrolled recursion",
                            "  * Add myself as Uploader",
                            "",
                            "  [ Francesco Poli ]",
                            "  * update Homepage (Closes: #1126615)",
                            ""
                        ],
                        "package": "pyasn1",
                        "version": "0.6.3-1",
                        "urgency": "high",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Alexandre Detiste <tchet@debian.org>",
                        "date": "Fri, 20 Mar 2026 17:52:40 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-pyparsing",
                "from_version": {
                    "source_package_name": "pyparsing",
                    "source_package_version": "3.1.3-1build1",
                    "version": "3.1.3-1build1"
                },
                "to_version": {
                    "source_package_name": "pyparsing",
                    "source_package_version": "3.3.2-2",
                    "version": "3.3.2-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Team Upload",
                            "  * Release to unstable (Closes: #1130246)",
                            ""
                        ],
                        "package": "pyparsing",
                        "version": "3.3.2-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Alexandre Detiste <tchet@debian.org>",
                        "date": "Wed, 11 Mar 2026 13:08:07 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Team upload.",
                            "  * New upstream version 3.3.2",
                            "  * Rewrite d/watch in v5 format",
                            "  * Add build-dep on python3-myst-parser",
                            "  * Rewrite the example in the description as Python3",
                            "  * Drop \"Rules-Requires-Root: no\": it is the default now",
                            "  * Bump Standards-Version to 4.7.3, drop Priority: tag",
                            "  * Drop build-dep on python3-setuptools, this builds with \"flit\"",
                            "  * Add debian/salsa-ci.yml",
                            ""
                        ],
                        "package": "pyparsing",
                        "version": "3.3.2-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Alexandre Detiste <tchet@debian.org>",
                        "date": "Thu, 26 Feb 2026 23:33:19 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-setuptools",
                "from_version": {
                    "source_package_name": "setuptools",
                    "source_package_version": "78.1.1-0.1",
                    "version": "78.1.1-0.1"
                },
                "to_version": {
                    "source_package_name": "setuptools",
                    "source_package_version": "78.1.1-0.1build1",
                    "version": "78.1.1-0.1build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "setuptools",
                        "version": "78.1.1-0.1build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:41:46 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-systemd",
                "from_version": {
                    "source_package_name": "python-systemd",
                    "source_package_version": "235-1build8",
                    "version": "235-1build8"
                },
                "to_version": {
                    "source_package_name": "python-systemd",
                    "source_package_version": "235-1build9",
                    "version": "235-1build9"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "python-systemd",
                        "version": "235-1build9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:04:09 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-typeguard",
                "from_version": {
                    "source_package_name": "python-typeguard",
                    "source_package_version": "4.4.4-1build1",
                    "version": "4.4.4-1build1"
                },
                "to_version": {
                    "source_package_name": "python-typeguard",
                    "source_package_version": "4.4.4-2",
                    "version": "4.4.4-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Team upload.",
                            "",
                            "  [ Helmut Grohne ]",
                            "  * Mark python3-typeguard Multi-Arch: foreign (closes: #1125025).",
                            "",
                            "  [ Colin Watson ]",
                            "  * Drop \"Rules-Requires-Root: no\", default as of dpkg-dev 1.22.13.",
                            ""
                        ],
                        "package": "python-typeguard",
                        "version": "4.4.4-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Colin Watson <cjwatson@debian.org>",
                        "date": "Wed, 11 Feb 2026 12:23:46 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-update-manager",
                "from_version": {
                    "source_package_name": "update-manager",
                    "source_package_version": "1:26.04.2",
                    "version": "1:26.04.2"
                },
                "to_version": {
                    "source_package_name": "update-manager",
                    "source_package_version": "1:26.04.4",
                    "version": "1:26.04.4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2133012,
                    2141637,
                    2133012
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Almost completely revert previous change that removed inhibitor of",
                            "    shutdown and sleep, but only inhibit sleep now, as a compromise between",
                            "      - LP: #2133012: \"Restart now\" has no effect in update-manager; and",
                            "      - LP: #2141637: Ubuntu-release-upgrader crashes without inhibit_sleep.",
                            ""
                        ],
                        "package": "update-manager",
                        "version": "1:26.04.4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2133012,
                            2141637
                        ],
                        "author": "Nathan Pratta Teodosio <nteodosio@ubuntu.com>",
                        "date": "Thu, 12 Feb 2026 18:53:14 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Do not inhibit shutdown or sleep. Apt already inhibits shutdown.",
                            "    The argument of whether a sleep operation is to be inhibited during package",
                            "    installation belongs likewise to Apt. (lp: #2133012).",
                            ""
                        ],
                        "package": "update-manager",
                        "version": "1:26.04.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2133012
                        ],
                        "author": "Nathan Pratta Teodosio <nathan.teodosio@canonical.com>",
                        "date": "Tue, 10 Feb 2026 17:16:37 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-urllib3",
                "from_version": {
                    "source_package_name": "python-urllib3",
                    "source_package_version": "2.5.0-1ubuntu2",
                    "version": "2.5.0-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "python-urllib3",
                    "source_package_version": "2.6.3-1ubuntu1",
                    "version": "2.6.3-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-66471",
                        "url": "https://ubuntu.com/security/CVE-2025-66471",
                        "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-66418",
                        "url": "https://ubuntu.com/security/CVE-2025-66418",
                        "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 16:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-21441",
                        "url": "https://ubuntu.com/security/CVE-2026-21441",
                        "cve_description": "urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-07 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-66418",
                        "url": "https://ubuntu.com/security/CVE-2025-66418",
                        "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 16:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2144669
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Drop python3-backports.zstd dependency (LP: #2144669)",
                            ""
                        ],
                        "package": "python-urllib3",
                        "version": "2.6.3-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144669
                        ],
                        "author": "Kat Kuo <kat.kuo@canonical.com>",
                        "date": "Tue, 17 Mar 2026 12:04:52 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-66471",
                                "url": "https://ubuntu.com/security/CVE-2025-66471",
                                "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-66418",
                                "url": "https://ubuntu.com/security/CVE-2025-66418",
                                "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Team upload.",
                            "  * New upstream release:",
                            "    - CVE-2025-66471: Fixed a security issue where streaming API could",
                            "      improperly handle highly compressed HTTP content (\"decompression",
                            "      bombs\") leading to excessive resource consumption even when a small",
                            "      amount of data was requested.  Reading small chunks of compressed data",
                            "      is safer and much more efficient now (closes: #1122029).",
                            "    - Fixed HTTPResponse.read_chunked() to properly handle leftover data in",
                            "      the decoder's buffer when reading compressed chunked responses",
                            "      (closes: #1122743).",
                            "  * Bump Build-Depends/Suggests on python3-brotli to >= 1.2.0 to improve the",
                            "    fix for CVE-2025-66418.",
                            ""
                        ],
                        "package": "python-urllib3",
                        "version": "2.6.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Colin Watson <cjwatson@debian.org>",
                        "date": "Fri, 06 Feb 2026 00:37:49 +0000"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-21441",
                                "url": "https://ubuntu.com/security/CVE-2026-21441",
                                "cve_description": "urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-07 22:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Team upload.",
                            "",
                            "  [ Salvatore Bonaccorso ]",
                            "  * Fix security issue where decompression-bomb safeguards of the",
                            "    streaming API were bypassed when HTTP redirects were followed.",
                            "    (CVE-2026-21441) (Closes: #1125062)",
                            "",
                            "  [ Santiago Vila ]",
                            "  * Drop debian/.gitignore, dpkg-buildpackage dislikes it.",
                            "  * d/control: Drop \"Rules-Requires-Root: no\" (default).",
                            "  * d/control: Drop \"Priority: optional\" (default).",
                            "  * d/control: Update standards-version.",
                            ""
                        ],
                        "package": "python-urllib3",
                        "version": "2.5.0-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Santiago Vila <sanvila@debian.org>",
                        "date": "Sat, 10 Jan 2026 18:20:00 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-66418",
                                "url": "https://ubuntu.com/security/CVE-2025-66418",
                                "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Non-maintainer upload.",
                            "  * Unbounded number of links in the decompression chain (CVE-2025-66418)",
                            "    (Closes: #1122030)",
                            ""
                        ],
                        "package": "python-urllib3",
                        "version": "2.5.0-1.1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Salvatore Bonaccorso <carnil@debian.org>",
                        "date": "Sat, 03 Jan 2026 20:00:44 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-yaml",
                "from_version": {
                    "source_package_name": "pyyaml",
                    "source_package_version": "6.0.3-1",
                    "version": "6.0.3-1"
                },
                "to_version": {
                    "source_package_name": "pyyaml",
                    "source_package_version": "6.0.3-1build1",
                    "version": "6.0.3-1build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "pyyaml",
                        "version": "6.0.3-1build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:17:13 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-zope.interface",
                "from_version": {
                    "source_package_name": "zope.interface",
                    "source_package_version": "8.2-1",
                    "version": "8.2-1"
                },
                "to_version": {
                    "source_package_name": "zope.interface",
                    "source_package_version": "8.2-1build1",
                    "version": "8.2-1build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "zope.interface",
                        "version": "8.2-1build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:18:44 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.13",
                "from_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.12-1",
                    "version": "3.13.12-1"
                },
                "to_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.12-1ubuntu1",
                    "version": "3.13.12-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-0865",
                        "url": "https://ubuntu.com/security/CVE-2026-0865",
                        "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-0865",
                                "url": "https://ubuntu.com/security/CVE-2026-0865",
                                "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY REGRESSION: Allow HTAB in wsgiref header values",
                            "    - debian/patches/CVE-2026-0865-2.patch: Permit HTAB in header values",
                            "      (excluding names) in Lib/wsgiref/headers.py, add test coverage.",
                            "    - CVE-2026-0865 ",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.12-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Vyom Yadav <vyom.yadav@canonical.com>",
                        "date": "Tue, 03 Mar 2026 17:54:15 +0530"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.13-minimal",
                "from_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.12-1",
                    "version": "3.13.12-1"
                },
                "to_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.12-1ubuntu1",
                    "version": "3.13.12-1ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-0865",
                        "url": "https://ubuntu.com/security/CVE-2026-0865",
                        "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-0865",
                                "url": "https://ubuntu.com/security/CVE-2026-0865",
                                "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY REGRESSION: Allow HTAB in wsgiref header values",
                            "    - debian/patches/CVE-2026-0865-2.patch: Permit HTAB in header values",
                            "      (excluding names) in Lib/wsgiref/headers.py, add test coverage.",
                            "    - CVE-2026-0865 ",
                            ""
                        ],
                        "package": "python3.13",
                        "version": "3.13.12-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Vyom Yadav <vyom.yadav@canonical.com>",
                        "date": "Tue, 03 Mar 2026 17:54:15 +0530"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.14-gdbm",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.3-1",
                    "version": "3.14.3-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.3-3",
                    "version": "3.14.3-3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update to the 3.14 branch 2026-03-21.",
                            "  * Drop build dependency on blt, gone since 3.13.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sat, 21 Mar 2026 12:37:05 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Drop explicit Build-Depends on quilt, it's only used in manual rules",
                            "    targets. Closes: #1129933.",
                            "  * Use dh_usrlocal to create /usr/local/python3.14/dist-packages.",
                            "    Closes: #1127103.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Update to the 3.14 branch 2026-03-11.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 11 Mar 2026 20:17:30 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "readline-common",
                "from_version": {
                    "source_package_name": "readline",
                    "source_package_version": "8.3-3",
                    "version": "8.3-3"
                },
                "to_version": {
                    "source_package_name": "readline",
                    "source_package_version": "8.3-4",
                    "version": "8.3-4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Apply upstream patches 002-0031.",
                            "  * Bump standards version.",
                            ""
                        ],
                        "package": "readline",
                        "version": "8.3-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Fri, 13 Feb 2026 11:25:25 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "rsyslog",
                "from_version": {
                    "source_package_name": "rsyslog",
                    "source_package_version": "8.2512.0-1ubuntu3",
                    "version": "8.2512.0-1ubuntu3"
                },
                "to_version": {
                    "source_package_name": "rsyslog",
                    "source_package_version": "8.2512.0-1ubuntu4",
                    "version": "8.2512.0-1ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2138647,
                    2143157
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update rsyslog apparmor profile to cope with log sockets in",
                            "    chroot directories (LP: #2138647):",
                            "    - d/usr.sbin.rsyslogd: add attach_disconnected flag to profile",
                            "    - d/t/{control,haproxy-logging}: new test to confirm the fix",
                            "  * d/p/fix-curl-ftbfs.patch: fix FTBFS with newer curl headers (LP: #2143157)",
                            ""
                        ],
                        "package": "rsyslog",
                        "version": "8.2512.0-1ubuntu4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138647,
                            2143157
                        ],
                        "author": "Andreas Hasenack <andreas.hasenack@canonical.com>",
                        "date": "Tue, 10 Mar 2026 12:16:41 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "rust-coreutils",
                "from_version": {
                    "source_package_name": "rust-coreutils",
                    "source_package_version": "0.6.0-0ubuntu1",
                    "version": "0.6.0-0ubuntu1"
                },
                "to_version": {
                    "source_package_name": "rust-coreutils",
                    "source_package_version": "0.7.0-0ubuntu1",
                    "version": "0.7.0-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143711,
                    2115782,
                    2125263,
                    2142588,
                    2141441
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 0.7.0 (LP: #2143711)",
                            "  * Fixes:",
                            "    - `man 1 test` is badly formated (LP: #2115782)",
                            "    - cp -r /dev/urandom copies content (LP: #2125263)",
                            "    - date: gnu date allows options after format (LP: #2142588)",
                            "    - autopkgtest failures in resolute due to readlink (LP: #2141441)",
                            "  * Refresh patches:",
                            "    - Tweak-release-build-profile.patch",
                            "    - dd-ensure-full-writes.patch",
                            "    - require-utilities-to-be-invoked-using-matching-path.patch",
                            "    - use-l10n-translations-in-makefile.patch",
                            "    - workspace-exclude.patch",
                            "  * Drop patches:",
                            "    - prevent-stty-termios2-on-ppc64el.patch: Fixed upstream.",
                            "  * Add patches:",
                            "    - use-u32-for-ppc64le.patch: Fix type assumption for ppc64 little-endian.",
                            "      This relates to the previous dropped patch about termios2, but upstream",
                            "      did not treat little- and big-endian ppc64 differently.",
                            ""
                        ],
                        "package": "rust-coreutils",
                        "version": "0.7.0-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143711,
                            2115782,
                            2125263,
                            2142588,
                            2141441
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Mon, 09 Mar 2026 11:33:48 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "sg3-utils",
                "from_version": {
                    "source_package_name": "sg3-utils",
                    "source_package_version": "1.48-3ubuntu2",
                    "version": "1.48-3ubuntu2"
                },
                "to_version": {
                    "source_package_name": "sg3-utils",
                    "source_package_version": "1.48-3ubuntu3",
                    "version": "1.48-3ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2142775
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Recommend dracut as default initrd generator (LP: #2142775)",
                            ""
                        ],
                        "package": "sg3-utils",
                        "version": "1.48-3ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142775
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 18:12:12 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "sg3-utils-udev",
                "from_version": {
                    "source_package_name": "sg3-utils",
                    "source_package_version": "1.48-3ubuntu2",
                    "version": "1.48-3ubuntu2"
                },
                "to_version": {
                    "source_package_name": "sg3-utils",
                    "source_package_version": "1.48-3ubuntu3",
                    "version": "1.48-3ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2142775
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Recommend dracut as default initrd generator (LP: #2142775)",
                            ""
                        ],
                        "package": "sg3-utils",
                        "version": "1.48-3ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142775
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 18:12:12 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "snapd",
                "from_version": {
                    "source_package_name": "snapd",
                    "source_package_version": "2.74+ubuntu26.04",
                    "version": "2.74+ubuntu26.04"
                },
                "to_version": {
                    "source_package_name": "snapd",
                    "source_package_version": "2.74.1+ubuntu26.04.3",
                    "version": "2.74.1+ubuntu26.04.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-3888",
                        "url": "https://ubuntu.com/security/CVE-2026-3888",
                        "cve_description": "Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-03-17 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2138629,
                    2138629,
                    2141328,
                    2139611,
                    2139300,
                    2139099,
                    2141607,
                    2132084,
                    2127189,
                    1851490,
                    2121853,
                    2127214,
                    2127244,
                    2127766
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-3888",
                                "url": "https://ubuntu.com/security/CVE-2026-3888",
                                "cve_description": "Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-03-17 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2138629",
                            "    - FDE: secboot fixes",
                            "    - Security: CVE-2026-3888",
                            "    - Packaging: fix deb package version number",
                            "    - Packaging: fix autopkgtest failure to install spread",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.74.1+ubuntu26.04.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138629
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Thu, 24 Mar 2026 13:46:00 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2138629",
                            "    - FDE: measure DeployedMode and AuditMode variables if they appear",
                            "      as disabled in the event log to avoid a potential reseal-failure",
                            "      boot loop",
                            "    - LP: #2141328 FDE: reuse preinstall check context during install to",
                            "      account for user-ignored errors",
                            "    - LP: #2139611 FDE: fix db updates by allowing multiple payloads",
                            "    - LP: #2139300 snap-confine: add CAP_SYS_RESOURCE to allow raising",
                            "      memory lock limit when required",
                            "    - LP: #2139099 snap-confine: bump the max element count of the BPF",
                            "      map used to store IDs of allowed/matched devices to 1000",
                            "    - LP: #2141607 Desktop: revert change that caused user daemons",
                            "      declaring the desktop plug to implicitly depend on graphical-",
                            "      session.target",
                            "    - Interfaces: Added pidfd_open and memfd_secret to seccomp template",
                            "    - Interfaces: camera | add locking permission for /dev/video",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.74.1+ubuntu26.04",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138629,
                            2141328,
                            2139611,
                            2139300,
                            2139099,
                            2141607
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Thu, 12 Feb 2026 21:27:23 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2132084",
                            "    - FDE: do not save incomplete FDE state when resealing was skipped",
                            "    - FDE: warn of inconsistent primary or policy counter",
                            "    - Confdb: document confdb in snapctl help messages",
                            "    - Confdb: only confdb hooks wait if snaps are disabled",
                            "    - Confdb: relax confdb change conflict checks",
                            "    - Confdb: remove empty parent when removing last leaf",
                            "    - Confdb: support parsing field filters",
                            "    - Confdb: wrap confdb write values under \"values\" key",
                            "    - dm-verity for essential snaps: add new naming convention for",
                            "      verity files",
                            "    - dm-verity for essential snaps: add snap integrity discovery",
                            "    - dm-verity for essential snaps: fix verity salt calculation",
                            "    - Assertions: add hardware identity assertion",
                            "    - Assertions: add integrity stanza in snap resources revisions",
                            "    - Assertions: add request message assertion required for remote",
                            "      device management",
                            "    - Assertions: add response-message assertion for secure remote",
                            "      device management",
                            "    - Assertions: expose WithStackedBackstore in RODatabase",
                            "    - Packaging: cross-distro | install upstream NEWS file into relevant",
                            "      snapd package doc directory",
                            "    - Packaging: cross-distro | tweak how the blocks injecting",
                            "      $SNAP_MOUNT_DIR/bin are generated as required for openSUSE",
                            "    - Packaging: remove deprecated snap-gdb-shim and all references now",
                            "      that snap run --gdb is unsupported and replaced by --gdbserver",
                            "    - Preseed: call systemd-tmpfiles instead handle-writable-paths on",
                            "      uc26",
                            "    - Preseed: do not remove the /snap dir but rather all its contents",
                            "      during reset",
                            "    - snap-confine: attach name derived from security tag to BPF maps",
                            "      and programs",
                            "    - snap-confine: ensure permitted capabilities match expectation",
                            "    - snap-confine: fix cached snap-confine profile cleanup to report",
                            "      the correct error instead of masking backend setup failures",
                            "    - snap-confine: Improve validation of user controlled paths",
                            "    - snap-confine: tighten snap cgroup checks to ensure a snap cannot",
                            "      start another snap in the same cgroup, preventing incorrect",
                            "      device-filter installation",
                            "    - core-initrd: add 26.04 ubuntu-core-initramfs package",
                            "    - core-initrd: add missing order dependency for setting default",
                            "      system files",
                            "    - core-initrd: avoid scanning loop and mmc boot partitions as the",
                            "      boot disk won't be any of these",
                            "    - core-initrd: make cpio a Depends and remove from Build-Depends",
                            "    - core-initrd: start plymouth sooner and reload when gadget is",
                            "      available",
                            "    - Cross-distro: modify syscheck to account for differences in",
                            "      openSUSE 16.0+",
                            "    - Validation sets: use in-flight validation sets when calling",
                            "      'snapctl install' from hook",
                            "    - Prompting: enable prompting for the camera interface",
                            "    - Prompting: remove polkit authentication when modifying/deleting",
                            "      prompting rules",
                            "    - LP: #2127189 Prompting: do not record notices for unchanged rules",
                            "      on snapd startup",
                            "    - AppArmor: add free and pidof to the template",
                            "    - AppArmor: adjust interfaces/profiles to cope with coreutils paths",
                            "    - Interfaces: add support for compatibility expressions",
                            "    - Interfaces: checkbox-support | complete overhaul",
                            "    - Interfaces: define vulkan-driver-libs, cuda-driver-libs, egl-",
                            "      driver-libs, gbm-driver-libs, opengl-driver-libs, and opengles-",
                            "      driver-libs",
                            "    - Interfaces: allow snaps on classic access to nvidia graphics",
                            "      libraries exported by *-driver-libs interfaces",
                            "    - Interfaces: fwupd | broaden access to /boot/efi/EFI",
                            "    - Interfaces: gsettings | set dconf-service as profile for",
                            "      ca.desrt.dconf.Writer",
                            "    - Interfaces: iscsi-initiator, dm-multipath, nvme-control | add new",
                            "      interfaces",
                            "    - Interfaces: opengl | grant read/write permission to /run/nvidia-",
                            "      persistenced/socket",
                            "    - interfaces: ros-snapd-support | add access to /v2/changes/",
                            "    - Interfaces: system-observe | read access to btrfs/ext4/zfs",
                            "      filesystem information",
                            "    - Interfaces: system-trace | allow /sys/kernel/tracing/** rw",
                            "    - Interfaces: usb-gadget | add support for ffs mounts in attributes",
                            "    - Add autocompletion to run command",
                            "    - Introduce option for disallowing auto-connection of a specific",
                            "      interface",
                            "    - Only log errors for user service operations performed as a part of",
                            "      snap removal",
                            "    - Patch snap names in service requests for parallel installed snaps",
                            "    - Simplify traits for eMMC special partitions",
                            "    - Strip apparmor_parser from debug symbols shrinking snapd size by",
                            "      ~3MB",
                            "    - Fix InstallPathMany skipping refresh control",
                            "    - Fix waiting for GDB helper to stop before attaching gdbserver",
                            "    - Protect the per-snap tmp directory against being reaped by age",
                            "    - Prevent disabling base snaps to ensure dependent snaps can be",
                            "      removed",
                            "    - Modify API endpoint /v2/logs to reject n <= 0 (except for special",
                            "      case -1 meaning all)",
                            "    - Avoid potential deadlock when task is injected after the change",
                            "      was aborted",
                            "    - Avoid race between store download stream and cache cleanup",
                            "      executing in parallel when invoked by snap download task",
                            "    - LP: #1851490 Use \"current\" instead of revision number for icons",
                            "    - LP: #2121853 Add snapctl version command",
                            "    - LP: #2127214 Ensure no more than one partition on disk can match a",
                            "      gadget partition",
                            "    - LP: #2127244 snap-confine: update AppArmor profile to allow",
                            "      read/write to journal as workaround for snap-confine fd",
                            "      inheritance prevented by newer AppArmor",
                            "    - LP: #2127766 Add new tracing mechanism with independently running",
                            "      strace and shim synchronization",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.73+ubuntu26.04",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132084,
                            2127189,
                            1851490,
                            2121853,
                            2127214,
                            2127244,
                            2127766
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Fri, 21 Nov 2025 09:08:02 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "squashfs-tools",
                "from_version": {
                    "source_package_name": "squashfs-tools",
                    "source_package_version": "1:4.7.4-1",
                    "version": "1:4.7.4-1"
                },
                "to_version": {
                    "source_package_name": "squashfs-tools",
                    "source_package_version": "1:4.7.4-1ubuntu1",
                    "version": "1:4.7.4-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143762
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Backport \"mksquashfs: don't create duplicate virtual -> real disk",
                            "    mappings\" which causes corrupt squashfs files to be built when building",
                            "    Ubuntu Studio (LP: #2143762)",
                            ""
                        ],
                        "package": "squashfs-tools",
                        "version": "1:4.7.4-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143762
                        ],
                        "author": "Michael Hudson-Doyle <michael.hudson@ubuntu.com>",
                        "date": "Thu, 12 Mar 2026 17:36:38 +1300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "strace",
                "from_version": {
                    "source_package_name": "strace",
                    "source_package_version": "6.16+ds-2ubuntu2",
                    "version": "6.16+ds-2ubuntu2"
                },
                "to_version": {
                    "source_package_name": "strace",
                    "source_package_version": "6.19+ds-0ubuntu3",
                    "version": "6.19+ds-0ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144022,
                    2142281,
                    2142868,
                    2137458,
                    2142780,
                    2142855,
                    2142890,
                    2142281,
                    2142588,
                    2143059,
                    2142890,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/0{1,2,3,4}-linux7.0rc3: fix ftbfs and tests (LP: #2144022)",
                            ""
                        ],
                        "package": "strace",
                        "version": "6.19+ds-0ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144022
                        ],
                        "author": "Jonas Jelten <jj@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 15:33:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/color: add check for TERM environment (LP: #2142281)",
                            ""
                        ],
                        "package": "strace",
                        "version": "6.19+ds-0ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142281
                        ],
                        "author": "Jonas Jelten <jj@ubuntu.com>",
                        "date": "Wed, 11 Mar 2026 17:00:15 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 6.19+ds",
                            "    (LP: #2142868, LP: #2137458, LP: #2142780, LP: #2142855, LP: #2142890)",
                            "  * d/p/color: add output colors (LP: #2142281)",
                            "  * d/p/lp2142588-fix-date-formatting: resolve ftbfs (LP: #2142588)",
                            "  * d/p/non-vdso-syscall-filtering: fix test failures due to missing vdso",
                            "    (LP: #2143059)",
                            "  * d/p/ioctl-fix-ftbfs-c23: resolve ftbfs (LP: #2142890)",
                            "  * d/p/0004-Erase-clock_gettime64-calls-on-armhf: drop (LP #2125424)",
                            "    [upstream in v6.19]",
                            ""
                        ],
                        "package": "strace",
                        "version": "6.19+ds-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142868,
                            2137458,
                            2142780,
                            2142855,
                            2142890,
                            2142281,
                            2142588,
                            2143059,
                            2142890
                        ],
                        "author": "Jonas Jelten <jj@ubuntu.com>",
                        "date": "Tue, 03 Mar 2026 12:11:26 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "strace",
                        "version": "6.16+ds-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 09 Feb 2026 23:49:06 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "sudo",
                "from_version": {
                    "source_package_name": "sudo",
                    "source_package_version": "1.9.17p2-1ubuntu2",
                    "version": "1.9.17p2-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "sudo",
                    "source_package_version": "1.9.17p2-1ubuntu3",
                    "version": "1.9.17p2-1ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143042
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: exec_mailer gid issue (LP: #2143042)",
                            "    - debian/patches/lp2143042.patch: set group as well as uid when running",
                            "      the mailer and make a setuid(), setgid() or setgroups() failure fatal",
                            "      in include/sudo_eventlog.h, lib/eventlog/eventlog.c,",
                            "      lib/eventlog/eventlog_conf.c, plugins/sudoers/logging.c,",
                            "      plugins/sudoers/policy.c.",
                            "    - No CVE number",
                            ""
                        ],
                        "package": "sudo",
                        "version": "1.9.17p2-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143042
                        ],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:02:48 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "sudo-rs",
                "from_version": {
                    "source_package_name": "rust-sudo-rs",
                    "source_package_version": "0.2.12-0ubuntu1",
                    "version": "0.2.12-0ubuntu1"
                },
                "to_version": {
                    "source_package_name": "rust-sudo-rs",
                    "source_package_version": "0.2.13-0ubuntu1",
                    "version": "0.2.13-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143916,
                    2143125,
                    2142449,
                    2145317
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version (LP: #2143916)",
                            "  * Fixes:",
                            "    - Merge from upstream \"Add error messages on wildcards and accept a 'final'",
                            "      wildcard #1463\" (LP: #2143125)",
                            "    - sudo-rs does not show the entire version string on Ubuntu (LP: #2142449)",
                            "  * Drop patches:",
                            "    - enable-pwfeedback-by-default.patch: Upstream enabled pwfeedback by",
                            "      default in 0.2.13.",
                            "    - correct-backspace-for-multibyte-characters.patch: Upstream fixed",
                            "      backspace.",
                            "  * Refresh patches:",
                            "    - disable-broken-tests.patch",
                            "  * New patches:",
                            "    - fix-toggle-pwfeedback-tab.patch: Add a patch to fix toggling pwfeedback",
                            "      with the TAB key, thanks Marc Schoolderman.",
                            "  * Skip tests:",
                            "    - traverse_secure_open_negative",
                            ""
                        ],
                        "package": "rust-sudo-rs",
                        "version": "0.2.13-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143916,
                            2143125,
                            2142449
                        ],
                        "author": "Simon Johnsson <simon.johnsson@canonical.com>",
                        "date": "Wed, 11 Mar 2026 14:27:00 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Disable cargo-auditable on i386",
                            ""
                        ],
                        "package": "rust-sudo-rs",
                        "version": "0.2.12-0ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Florent 'Skia' Jacquet <skia@ubuntu.com>",
                        "date": "Tue, 24 Mar 2026 11:58:04 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add cargo-auditable metadata (LP: #2145317)",
                            ""
                        ],
                        "package": "rust-sudo-rs",
                        "version": "0.2.12-0ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2145317
                        ],
                        "author": "Petrichor Park <petrichor.park@canonical.com>",
                        "date": "Fri, 20 Mar 2026 09:15:48 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259-1ubuntu3",
                    "version": "259-1ubuntu3"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259.5-0ubuntu1",
                    "version": "259.5-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144032,
                    2143010,
                    2142900,
                    2142428,
                    2077538,
                    2142306,
                    2139822
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * New upstream stable version 259.5",
                            "    - Update upstream source from tag 'upstream/259.5'",
                            "      Update to upstream version '259.5'",
                            "      with Debian dir 1076161727931a7063674200c474ec7747a5177f",
                            "    - Bug fixes",
                            "",
                            "  [ Oliver Reiche ]",
                            "  * Fix issue overwriting /tmp on dist-upgrade (LP: #2144032)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.5-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144032
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:27:31 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.3",
                            "    - Update upstream source from tag 'upstream/259.3'",
                            "      Update to upstream version '259.3'",
                            "      with Debian dir 4fea3198a053eb40e77ea3ad3c3be030151f3f46",
                            "    - Bug fixes",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.3-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 06 Mar 2026 09:05:25 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Tag KFD and ACCEL devices for uaccess (LP: #2143010)",
                            "  * d/control: Add missing dh-dlopenlibdeps to b-d",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143010
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Tue, 03 Mar 2026 12:06:36 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.2",
                            "    - Bug fixes",
                            "    - Update upstream source from tag 'upstream/259.2'",
                            "      Update to upstream version '259.2'",
                            "      with Debian dir c25e0517a7a4ebd6d9009de0cf949dd265182a67",
                            "    - Drop lp2142428-seccomp-util-add-lsm_get_self_attr-and-lsm_list_modules-t.patch.",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/515816197e",
                            "  * test: use gnuenv to workaround broken --block-signal= (LP: #2142900)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142900
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 09:20:52 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * seccomp-util: add lsm_get_self_attr and lsm_list_modules to @default",
                            "    (LP: #2142428)",
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/p/lp2077538: Grant GPU rendering access to GNOME Remote Desktop",
                            "    (LP: #2077538, LP: #2142306)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142428,
                            2077538,
                            2142306
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 10:32:56 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - debian/systemd.postinst:",
                            "      + manually call systemd-tmpfiles --create in postinst",
                            "    - debian/control:",
                            "      + Add Recommends: systemd-resolved to systemd package",
                            "      + Make systemd-cryptsetup Priority: important",
                            "      + Give systemd-resolved Priority: important",
                            "      + Add Recommends: systemd-hwe-hwdb to udev package",
                            "      + Drop Recommends: libnss-myhostname libnss-resolve from systemd-resolved",
                            "      + Do not build systemd-boot-efi-{amd64,arm64}-signed-template",
                            "      + d/control: demote systemd-userdbd to Suggests for libnss-systemd",
                            "    - d/rules: disable bpf support on riscv64 for now (LP #2099864)",
                            "    - d/extra/dbus-1: remove SetLocale restriction from dbus policy (LP #2102028)",
                            "    - Delta for i386:",
                            "      + debian/systemd.install: exclude files that are not built for i386",
                            "      + debian/systemd.manpages: do not ship un-built manpages on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with tpm libraries on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with libqrencode on i386",
                            "      + debian/rules: Remove unneeded efi artifacts on i386 to avoid debugedit errors",
                            "    - debian/libnss-systemd.*:",
                            "      + debian/libnss-systemd.nss: install after 'compat' too (LP #2125403)",
                            "      + debian/libnss-systemd.preinst: force nsswitch.conf update",
                            "        Drop systemd instances in nsswitch.conf, and force postinst to",
                            "        re-generate the file (LP #2121017)",
                            "      + debian/linbnss-systemd.nss: Install systemd service after files.",
                            "        As suggested by upstream the systemd NSS service should come just after",
                            "        files",
                            "    - debian/tests:",
                            "      + d/t/boot-and-services: use coreutils tunable in apparmor test (LP #2125614)",
                            "      + d/t/upstream: skip TEST-08-INITRD on Ubuntu (LP #2136419)",
                            "    - debian/patches:",
                            "      + switch-root: use MS_MOVE for /run when switching from initrd",
                            "      + test: skip TEST-50-DISSECT.dissect (LP #2116460)",
                            "      + test: skip TEST-13-NSPAWN.{nspawn,machined}  (LP #2136413)",
                            "  * Dropped changes, included upstream:",
                            "    - lp2136497-test-use-journalctl-n-option-instead-of-piping-to-head.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/2c661e5f0d",
                            "    - lp2136408-test-cope-with-uutils-coreutils-flag-parsing-for-date-com.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/a45dad1aa5",
                            "    - test-disable-pipefail-again-in-monitor_check_rr.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/ce35956b3a",
                            "    - resolve-include-current-DNS-server-in-JSON-again.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/0de941f937",
                            "    - lp2133402-ukify-omit-.osrel-section-when-os-release-is-empty.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/798a27a5b4",
                            "  * Dropped changes, no longer needed:",
                            "    - d/t/upstream: use GNU cp in test setup (LP #2122363)",
                            "      Fixed in rust-coreutils 0.5.0",
                            "    - lp2136752-test-workaround-uutils-dd-broken-pipe.patch",
                            "      Fixed in rust-coreutils 0.6.0",
                            "  * New changes:",
                            "    - d/libsystemd-shared.preinst: refuse to upgrade without unified cgroupv2 hierarchy",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 10 Feb 2026 14:05:53 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Drop dependencies on libcap-dev, no longer used since v259",
                            "  * Mark sd-userdbd as Multi-Arch: foreign (Closes: #1123615)",
                            "  * Use dh_installsystemd more to manage units. Ensure more units are",
                            "    handled as they are added to various packages",
                            "  * Use dh_installsystemd to handle journald and networkd",
                            "  * Use deb-systemd-invoke to reexec instead of manual calls. Allows the",
                            "    tool to handle the complications and use varlink where available",
                            "  * Increase number of sections of sd-stub on amd64 too. The default limit",
                            "    breaks adding more than 28 sections, which can happen with a UKI with",
                            "    many optional profiles. Bump it on amd64 too, at the cost of an extra",
                            "    ~80KB in size on the stub.",
                            "  * Update upstream source from tag 'upstream/259.1' Update to upstream",
                            "    version '259.1' with Debian dir",
                            "    f7a9425f1024ef75b5020a216f6be3d0af9ac227",
                            "  * Restrict the tpm2-generator manpage to arches where it is built",
                            "  * Install ask-password polkit policy file",
                            "",
                            "  [ Yu Watanabe ]",
                            "  * Drop use of deprecated options. These options are deprecated since",
                            "    v258.",
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * d/control: have systemd-boot depend on efibootmgr for amd64 and arm64",
                            "    only",
                            "  * d/tests: drop tests-in-lxd",
                            "  * d/control: make systemd-container Depends: libarchive13t64. This is",
                            "    needed for e.g. systemd-import-generator + rd.systemd.pull= to work",
                            "    properly. Dracut would like to be able to use that feature reliably",
                            "    when systemd-importd is available, so explicitly depend on libarchive.",
                            "    Currently, it is only a Suggests of libsystemd-shared via dlopen",
                            "    machinery. (LP: #2139822)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2139822
                        ],
                        "author": "Luca Boccassi <bluca@debian.org>",
                        "date": "Fri, 06 Feb 2026 18:37:22 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-cryptsetup",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259-1ubuntu3",
                    "version": "259-1ubuntu3"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259.5-0ubuntu1",
                    "version": "259.5-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144032,
                    2143010,
                    2142900,
                    2142428,
                    2077538,
                    2142306,
                    2139822
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * New upstream stable version 259.5",
                            "    - Update upstream source from tag 'upstream/259.5'",
                            "      Update to upstream version '259.5'",
                            "      with Debian dir 1076161727931a7063674200c474ec7747a5177f",
                            "    - Bug fixes",
                            "",
                            "  [ Oliver Reiche ]",
                            "  * Fix issue overwriting /tmp on dist-upgrade (LP: #2144032)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.5-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144032
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:27:31 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.3",
                            "    - Update upstream source from tag 'upstream/259.3'",
                            "      Update to upstream version '259.3'",
                            "      with Debian dir 4fea3198a053eb40e77ea3ad3c3be030151f3f46",
                            "    - Bug fixes",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.3-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 06 Mar 2026 09:05:25 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Tag KFD and ACCEL devices for uaccess (LP: #2143010)",
                            "  * d/control: Add missing dh-dlopenlibdeps to b-d",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143010
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Tue, 03 Mar 2026 12:06:36 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.2",
                            "    - Bug fixes",
                            "    - Update upstream source from tag 'upstream/259.2'",
                            "      Update to upstream version '259.2'",
                            "      with Debian dir c25e0517a7a4ebd6d9009de0cf949dd265182a67",
                            "    - Drop lp2142428-seccomp-util-add-lsm_get_self_attr-and-lsm_list_modules-t.patch.",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/515816197e",
                            "  * test: use gnuenv to workaround broken --block-signal= (LP: #2142900)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142900
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 09:20:52 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * seccomp-util: add lsm_get_self_attr and lsm_list_modules to @default",
                            "    (LP: #2142428)",
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/p/lp2077538: Grant GPU rendering access to GNOME Remote Desktop",
                            "    (LP: #2077538, LP: #2142306)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142428,
                            2077538,
                            2142306
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 10:32:56 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - debian/systemd.postinst:",
                            "      + manually call systemd-tmpfiles --create in postinst",
                            "    - debian/control:",
                            "      + Add Recommends: systemd-resolved to systemd package",
                            "      + Make systemd-cryptsetup Priority: important",
                            "      + Give systemd-resolved Priority: important",
                            "      + Add Recommends: systemd-hwe-hwdb to udev package",
                            "      + Drop Recommends: libnss-myhostname libnss-resolve from systemd-resolved",
                            "      + Do not build systemd-boot-efi-{amd64,arm64}-signed-template",
                            "      + d/control: demote systemd-userdbd to Suggests for libnss-systemd",
                            "    - d/rules: disable bpf support on riscv64 for now (LP #2099864)",
                            "    - d/extra/dbus-1: remove SetLocale restriction from dbus policy (LP #2102028)",
                            "    - Delta for i386:",
                            "      + debian/systemd.install: exclude files that are not built for i386",
                            "      + debian/systemd.manpages: do not ship un-built manpages on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with tpm libraries on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with libqrencode on i386",
                            "      + debian/rules: Remove unneeded efi artifacts on i386 to avoid debugedit errors",
                            "    - debian/libnss-systemd.*:",
                            "      + debian/libnss-systemd.nss: install after 'compat' too (LP #2125403)",
                            "      + debian/libnss-systemd.preinst: force nsswitch.conf update",
                            "        Drop systemd instances in nsswitch.conf, and force postinst to",
                            "        re-generate the file (LP #2121017)",
                            "      + debian/linbnss-systemd.nss: Install systemd service after files.",
                            "        As suggested by upstream the systemd NSS service should come just after",
                            "        files",
                            "    - debian/tests:",
                            "      + d/t/boot-and-services: use coreutils tunable in apparmor test (LP #2125614)",
                            "      + d/t/upstream: skip TEST-08-INITRD on Ubuntu (LP #2136419)",
                            "    - debian/patches:",
                            "      + switch-root: use MS_MOVE for /run when switching from initrd",
                            "      + test: skip TEST-50-DISSECT.dissect (LP #2116460)",
                            "      + test: skip TEST-13-NSPAWN.{nspawn,machined}  (LP #2136413)",
                            "  * Dropped changes, included upstream:",
                            "    - lp2136497-test-use-journalctl-n-option-instead-of-piping-to-head.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/2c661e5f0d",
                            "    - lp2136408-test-cope-with-uutils-coreutils-flag-parsing-for-date-com.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/a45dad1aa5",
                            "    - test-disable-pipefail-again-in-monitor_check_rr.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/ce35956b3a",
                            "    - resolve-include-current-DNS-server-in-JSON-again.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/0de941f937",
                            "    - lp2133402-ukify-omit-.osrel-section-when-os-release-is-empty.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/798a27a5b4",
                            "  * Dropped changes, no longer needed:",
                            "    - d/t/upstream: use GNU cp in test setup (LP #2122363)",
                            "      Fixed in rust-coreutils 0.5.0",
                            "    - lp2136752-test-workaround-uutils-dd-broken-pipe.patch",
                            "      Fixed in rust-coreutils 0.6.0",
                            "  * New changes:",
                            "    - d/libsystemd-shared.preinst: refuse to upgrade without unified cgroupv2 hierarchy",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 10 Feb 2026 14:05:53 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Drop dependencies on libcap-dev, no longer used since v259",
                            "  * Mark sd-userdbd as Multi-Arch: foreign (Closes: #1123615)",
                            "  * Use dh_installsystemd more to manage units. Ensure more units are",
                            "    handled as they are added to various packages",
                            "  * Use dh_installsystemd to handle journald and networkd",
                            "  * Use deb-systemd-invoke to reexec instead of manual calls. Allows the",
                            "    tool to handle the complications and use varlink where available",
                            "  * Increase number of sections of sd-stub on amd64 too. The default limit",
                            "    breaks adding more than 28 sections, which can happen with a UKI with",
                            "    many optional profiles. Bump it on amd64 too, at the cost of an extra",
                            "    ~80KB in size on the stub.",
                            "  * Update upstream source from tag 'upstream/259.1' Update to upstream",
                            "    version '259.1' with Debian dir",
                            "    f7a9425f1024ef75b5020a216f6be3d0af9ac227",
                            "  * Restrict the tpm2-generator manpage to arches where it is built",
                            "  * Install ask-password polkit policy file",
                            "",
                            "  [ Yu Watanabe ]",
                            "  * Drop use of deprecated options. These options are deprecated since",
                            "    v258.",
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * d/control: have systemd-boot depend on efibootmgr for amd64 and arm64",
                            "    only",
                            "  * d/tests: drop tests-in-lxd",
                            "  * d/control: make systemd-container Depends: libarchive13t64. This is",
                            "    needed for e.g. systemd-import-generator + rd.systemd.pull= to work",
                            "    properly. Dracut would like to be able to use that feature reliably",
                            "    when systemd-importd is available, so explicitly depend on libarchive.",
                            "    Currently, it is only a Suggests of libsystemd-shared via dlopen",
                            "    machinery. (LP: #2139822)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2139822
                        ],
                        "author": "Luca Boccassi <bluca@debian.org>",
                        "date": "Fri, 06 Feb 2026 18:37:22 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-hwe-hwdb",
                "from_version": {
                    "source_package_name": "systemd-hwe",
                    "source_package_version": "259.0.1",
                    "version": "259.0.1"
                },
                "to_version": {
                    "source_package_name": "systemd-hwe",
                    "source_package_version": "259.5.1ubuntu",
                    "version": "259.5.1ubuntu"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2146571
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * hwdb.d/90-keyboard-ubuntu.hwdb: drop duplicate rules (LP: #2146571)",
                            ""
                        ],
                        "package": "systemd-hwe",
                        "version": "259.5.1ubuntu",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2146571
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 27 Mar 2026 11:19:11 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-resolved",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259-1ubuntu3",
                    "version": "259-1ubuntu3"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259.5-0ubuntu1",
                    "version": "259.5-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144032,
                    2143010,
                    2142900,
                    2142428,
                    2077538,
                    2142306,
                    2139822
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * New upstream stable version 259.5",
                            "    - Update upstream source from tag 'upstream/259.5'",
                            "      Update to upstream version '259.5'",
                            "      with Debian dir 1076161727931a7063674200c474ec7747a5177f",
                            "    - Bug fixes",
                            "",
                            "  [ Oliver Reiche ]",
                            "  * Fix issue overwriting /tmp on dist-upgrade (LP: #2144032)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.5-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144032
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:27:31 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.3",
                            "    - Update upstream source from tag 'upstream/259.3'",
                            "      Update to upstream version '259.3'",
                            "      with Debian dir 4fea3198a053eb40e77ea3ad3c3be030151f3f46",
                            "    - Bug fixes",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.3-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 06 Mar 2026 09:05:25 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Tag KFD and ACCEL devices for uaccess (LP: #2143010)",
                            "  * d/control: Add missing dh-dlopenlibdeps to b-d",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143010
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Tue, 03 Mar 2026 12:06:36 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.2",
                            "    - Bug fixes",
                            "    - Update upstream source from tag 'upstream/259.2'",
                            "      Update to upstream version '259.2'",
                            "      with Debian dir c25e0517a7a4ebd6d9009de0cf949dd265182a67",
                            "    - Drop lp2142428-seccomp-util-add-lsm_get_self_attr-and-lsm_list_modules-t.patch.",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/515816197e",
                            "  * test: use gnuenv to workaround broken --block-signal= (LP: #2142900)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142900
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 09:20:52 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * seccomp-util: add lsm_get_self_attr and lsm_list_modules to @default",
                            "    (LP: #2142428)",
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/p/lp2077538: Grant GPU rendering access to GNOME Remote Desktop",
                            "    (LP: #2077538, LP: #2142306)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142428,
                            2077538,
                            2142306
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 10:32:56 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - debian/systemd.postinst:",
                            "      + manually call systemd-tmpfiles --create in postinst",
                            "    - debian/control:",
                            "      + Add Recommends: systemd-resolved to systemd package",
                            "      + Make systemd-cryptsetup Priority: important",
                            "      + Give systemd-resolved Priority: important",
                            "      + Add Recommends: systemd-hwe-hwdb to udev package",
                            "      + Drop Recommends: libnss-myhostname libnss-resolve from systemd-resolved",
                            "      + Do not build systemd-boot-efi-{amd64,arm64}-signed-template",
                            "      + d/control: demote systemd-userdbd to Suggests for libnss-systemd",
                            "    - d/rules: disable bpf support on riscv64 for now (LP #2099864)",
                            "    - d/extra/dbus-1: remove SetLocale restriction from dbus policy (LP #2102028)",
                            "    - Delta for i386:",
                            "      + debian/systemd.install: exclude files that are not built for i386",
                            "      + debian/systemd.manpages: do not ship un-built manpages on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with tpm libraries on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with libqrencode on i386",
                            "      + debian/rules: Remove unneeded efi artifacts on i386 to avoid debugedit errors",
                            "    - debian/libnss-systemd.*:",
                            "      + debian/libnss-systemd.nss: install after 'compat' too (LP #2125403)",
                            "      + debian/libnss-systemd.preinst: force nsswitch.conf update",
                            "        Drop systemd instances in nsswitch.conf, and force postinst to",
                            "        re-generate the file (LP #2121017)",
                            "      + debian/linbnss-systemd.nss: Install systemd service after files.",
                            "        As suggested by upstream the systemd NSS service should come just after",
                            "        files",
                            "    - debian/tests:",
                            "      + d/t/boot-and-services: use coreutils tunable in apparmor test (LP #2125614)",
                            "      + d/t/upstream: skip TEST-08-INITRD on Ubuntu (LP #2136419)",
                            "    - debian/patches:",
                            "      + switch-root: use MS_MOVE for /run when switchig from initrd",
                            "      + test: skip TEST-50-DISSECT.dissect (LP #2116460)",
                            "      + test: skip TEST-13-NSPAWN.{nspawn,machined}  (LP #2136413)",
                            "  * Dropped changes, included upstream:",
                            "    - lp2136497-test-use-journalctl-n-option-instead-of-piping-to-head.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/2c661e5f0d",
                            "    - lp2136408-test-cope-with-uutils-coreutils-flag-parsing-for-date-com.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/a45dad1aa5",
                            "    - test-disable-pipefail-again-in-monitor_check_rr.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/ce35956b3a",
                            "    - resolve-include-current-DNS-server-in-JSON-again.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/0de941f937",
                            "    - lp2133402-ukify-omit-.osrel-section-when-os-release-is-empty.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/798a27a5b4",
                            "  * Dropped changes, no longer needed:",
                            "    - d/t/upstream: use GNU cp in test setup (LP #2122363)",
                            "      Fixed in rust-coreutils 0.5.0",
                            "    - lp2136752-test-workaround-uutils-dd-broken-pipe.patch",
                            "      Fixed in rust-coreutils 0.6.0",
                            "  * New changes:",
                            "    - d/libsystemd-shared.preinst: refuse to upgrade without unified cgroupv2 hierarchy",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 10 Feb 2026 14:05:53 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Drop dependencies on libcap-dev, no longer used since v259",
                            "  * Mark sd-userdbd as Multi-Arch: foreign (Closes: #1123615)",
                            "  * Use dh_installsystemd more to manage units. Ensure more units are",
                            "    handled as they are added to various packages",
                            "  * Use dh_installsystemd to handle journald and networkd",
                            "  * Use deb-systemd-invoke to reexec instead of manual calls. Allows the",
                            "    tool to handle the complications and use varlink where available",
                            "  * Increase number of sections of sd-stub on amd64 too. The default limit",
                            "    breaks adding more than 28 sections, which can happen with a UKI with",
                            "    many optional profiles. Bump it on amd64 too, at the cost of an extra",
                            "    ~80KB in size on the stub.",
                            "  * Update upstream source from tag 'upstream/259.1' Update to upstream",
                            "    version '259.1' with Debian dir",
                            "    f7a9425f1024ef75b5020a216f6be3d0af9ac227",
                            "  * Restrict the tpm2-generator manpage to arches where it is built",
                            "  * Install ask-password polkit policy file",
                            "",
                            "  [ Yu Watanabe ]",
                            "  * Drop use of deprecated options. These options are deprecated since",
                            "    v258.",
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * d/control: have systemd-boot depend on efibootmgr for amd64 and arm64",
                            "    only",
                            "  * d/tests: drop tests-in-lxd",
                            "  * d/control: make systemd-container Depends: libarchive13t64. This is",
                            "    needed for e.g. systemd-import-generator + rd.systemd.pull= to work",
                            "    properly. Dracut would like to be able to use that feature reliably",
                            "    when systemd-importd is available, so explicitly depend on libarchive.",
                            "    Currently, it is only a Suggests of libsystemd-shared via dlopen",
                            "    machinery. (LP: #2139822)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2139822
                        ],
                        "author": "Luca Boccassi <bluca@debian.org>",
                        "date": "Fri, 06 Feb 2026 18:37:22 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "systemd-sysv",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259-1ubuntu3",
                    "version": "259-1ubuntu3"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259.5-0ubuntu1",
                    "version": "259.5-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144032,
                    2143010,
                    2142900,
                    2142428,
                    2077538,
                    2142306,
                    2139822
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * New upstream stable version 259.5",
                            "    - Update upstream source from tag 'upstream/259.5'",
                            "      Update to upstream version '259.5'",
                            "      with Debian dir 1076161727931a7063674200c474ec7747a5177f",
                            "    - Bug fixes",
                            "",
                            "  [ Oliver Reiche ]",
                            "  * Fix issue overwriting /tmp on dist-upgrade (LP: #2144032)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.5-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144032
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:27:31 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.3",
                            "    - Update upstream source from tag 'upstream/259.3'",
                            "      Update to upstream version '259.3'",
                            "      with Debian dir 4fea3198a053eb40e77ea3ad3c3be030151f3f46",
                            "    - Bug fixes",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.3-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 06 Mar 2026 09:05:25 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Tag KFD and ACCEL devices for uaccess (LP: #2143010)",
                            "  * d/control: Add missing dh-dlopenlibdeps to b-d",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143010
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Tue, 03 Mar 2026 12:06:36 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.2",
                            "    - Bug fixes",
                            "    - Update upstream source from tag 'upstream/259.2'",
                            "      Update to upstream version '259.2'",
                            "      with Debian dir c25e0517a7a4ebd6d9009de0cf949dd265182a67",
                            "    - Drop lp2142428-seccomp-util-add-lsm_get_self_attr-and-lsm_list_modules-t.patch.",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/515816197e",
                            "  * test: use gnuenv to workaround broken --block-signal= (LP: #2142900)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142900
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 09:20:52 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * seccomp-util: add lsm_get_self_attr and lsm_list_modules to @default",
                            "    (LP: #2142428)",
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/p/lp2077538: Grant GPU rendering access to GNOME Remote Desktop",
                            "    (LP: #2077538, LP: #2142306)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142428,
                            2077538,
                            2142306
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 10:32:56 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - debian/systemd.postinst:",
                            "      + manually call systemd-tmpfiles --create in postinst",
                            "    - debian/control:",
                            "      + Add Recommends: systemd-resolved to systemd package",
                            "      + Make systemd-cryptsetup Priority: important",
                            "      + Give systemd-resolved Priority: important",
                            "      + Add Recommends: systemd-hwe-hwdb to udev package",
                            "      + Drop Recommends: libnss-myhostname libnss-resolve from systemd-resolved",
                            "      + Do not build systemd-boot-efi-{amd64,arm64}-signed-template",
                            "      + d/control: demote systemd-userdbd to Suggests for libnss-systemd",
                            "    - d/rules: disable bpf support on riscv64 for now (LP #2099864)",
                            "    - d/extra/dbus-1: remove SetLocale restriction from dbus policy (LP #2102028)",
                            "    - Delta for i386:",
                            "      + debian/systemd.install: exclude files that are not built for i386",
                            "      + debian/systemd.manpages: do not ship un-built manpages on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with tpm libraries on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with libqrencode on i386",
                            "      + debian/rules: Remove unneeded efi artifacts on i386 to avoid debugedit errors",
                            "    - debian/libnss-systemd.*:",
                            "      + debian/libnss-systemd.nss: install after 'compat' too (LP #2125403)",
                            "      + debian/libnss-systemd.preinst: force nsswitch.conf update",
                            "        Drop systemd instances in nsswitch.conf, and force postinst to",
                            "        re-generate the file (LP #2121017)",
                            "      + debian/linbnss-systemd.nss: Install systemd service after files.",
                            "        As suggested by upstream the systemd NSS service should come just after",
                            "        files",
                            "    - debian/tests:",
                            "      + d/t/boot-and-services: use coreutils tunable in apparmor test (LP #2125614)",
                            "      + d/t/upstream: skip TEST-08-INITRD on Ubuntu (LP #2136419)",
                            "    - debian/patches:",
                            "      + switch-root: use MS_MOVE for /run when switchig from initrd",
                            "      + test: skip TEST-50-DISSECT.dissect (LP #2116460)",
                            "      + test: skip TEST-13-NSPAWN.{nspawn,machined}  (LP #2136413)",
                            "  * Dropped changes, included upstream:",
                            "    - lp2136497-test-use-journalctl-n-option-instead-of-piping-to-head.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/2c661e5f0d",
                            "    - lp2136408-test-cope-with-uutils-coreutils-flag-parsing-for-date-com.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/a45dad1aa5",
                            "    - test-disable-pipefail-again-in-monitor_check_rr.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/ce35956b3a",
                            "    - resolve-include-current-DNS-server-in-JSON-again.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/0de941f937",
                            "    - lp2133402-ukify-omit-.osrel-section-when-os-release-is-empty.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/798a27a5b4",
                            "  * Dropped changes, no longer needed:",
                            "    - d/t/upstream: use GNU cp in test setup (LP #2122363)",
                            "      Fixed in rust-coreutils 0.5.0",
                            "    - lp2136752-test-workaround-uutils-dd-broken-pipe.patch",
                            "      Fixed in rust-coreutils 0.6.0",
                            "  * New changes:",
                            "    - d/libsystemd-shared.preinst: refuse to upgrade without unified cgroupv2 hierarchy",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 10 Feb 2026 14:05:53 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Drop dependencies on libcap-dev, no longer used since v259",
                            "  * Mark sd-userdbd as Multi-Arch: foreign (Closes: #1123615)",
                            "  * Use dh_installsystemd more to manage units. Ensure more units are",
                            "    handled as they are added to various packages",
                            "  * Use dh_installsystemd to handle journald and networkd",
                            "  * Use deb-systemd-invoke to reexec instead of manual calls. Allows the",
                            "    tool to handle the complications and use varlink where available",
                            "  * Increase number of sections of sd-stub on amd64 too. The default limit",
                            "    breaks adding more than 28 sections, which can happen with a UKI with",
                            "    many optional profiles. Bump it on amd64 too, at the cost of an extra",
                            "    ~80KB in size on the stub.",
                            "  * Update upstream source from tag 'upstream/259.1' Update to upstream",
                            "    version '259.1' with Debian dir",
                            "    f7a9425f1024ef75b5020a216f6be3d0af9ac227",
                            "  * Restrict the tpm2-generator manpage to arches where it is built",
                            "  * Install ask-password polkit policy file",
                            "",
                            "  [ Yu Watanabe ]",
                            "  * Drop use of deprecated options. These options are deprecated since",
                            "    v258.",
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * d/control: have systemd-boot depend on efibootmgr for amd64 and arm64",
                            "    only",
                            "  * d/tests: drop tests-in-lxd",
                            "  * d/control: make systemd-container Depends: libarchive13t64. This is",
                            "    needed for e.g. systemd-import-generator + rd.systemd.pull= to work",
                            "    properly. Dracut would like to be able to use that feature reliably",
                            "    when systemd-importd is available, so explicitly depend on libarchive.",
                            "    Currently, it is only a Suggests of libsystemd-shared via dlopen",
                            "    machinery. (LP: #2139822)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2139822
                        ],
                        "author": "Luca Boccassi <bluca@debian.org>",
                        "date": "Fri, 06 Feb 2026 18:37:22 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tcpdump",
                "from_version": {
                    "source_package_name": "tcpdump",
                    "source_package_version": "4.99.5-2ubuntu3",
                    "version": "4.99.5-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "tcpdump",
                    "source_package_version": "4.99.6-1",
                    "version": "4.99.6-1"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-3094",
                        "url": "https://ubuntu.com/security/CVE-2024-3094",
                        "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.  Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.",
                        "cve_priority": "critical",
                        "cve_public_date": "2024-03-29 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2132257,
                    2115467,
                    2024017,
                    1667016
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "tcpdump",
                        "version": "4.99.5-2ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:47:05 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Rebuild to include updated RISC-V base ISA RVA23",
                            ""
                        ],
                        "package": "tcpdump",
                        "version": "4.99.5-2ubuntu2",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [],
                        "author": "Heinrich Schuchardt <heinrich.schuchardt@canonical.com>",
                        "date": "Sat, 06 Sep 2025 15:35:37 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2115467). Remaining changes:",
                            "    - debian/usr.sbin.tcpdump: allow tcpdump printing to stdout/stderr",
                            "      when running from a container (LP #1667016)",
                            ""
                        ],
                        "package": "tcpdump",
                        "version": "4.99.5-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2115467
                        ],
                        "author": "Wesley Hershberger <wesley.hershberger@canonical.com>",
                        "date": "Thu, 26 Jun 2025 21:16:30 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No change rebuild against libssl3t64.",
                            ""
                        ],
                        "package": "tcpdump",
                        "version": "4.99.4-3ubuntu4",
                        "urgency": "high",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Julian Andres Klode <juliank@ubuntu.com>",
                        "date": "Mon, 08 Apr 2024 16:50:51 +0200"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-3094",
                                "url": "https://ubuntu.com/security/CVE-2024-3094",
                                "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.  Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.",
                                "cve_priority": "critical",
                                "cve_public_date": "2024-03-29 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * No-change rebuild for CVE-2024-3094",
                            ""
                        ],
                        "package": "tcpdump",
                        "version": "4.99.4-3ubuntu3",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Steve Langasek <steve.langasek@ubuntu.com>",
                        "date": "Sun, 31 Mar 2024 17:18:58 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild against libssl3t64",
                            ""
                        ],
                        "package": "tcpdump",
                        "version": "4.99.4-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Steve Langasek <steve.langasek@ubuntu.com>",
                        "date": "Tue, 05 Mar 2024 01:24:11 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - debian/usr.sbin.tcpdump: allow tcpdump printing to stdout/stderr",
                            "      when running from a container (LP #1667016)",
                            "  * Dropped:",
                            "    - d/usr.sbin.tcpdump: Allow pcapng files (LP #2024017)",
                            "      [In 4.99.4-3]",
                            ""
                        ],
                        "package": "tcpdump",
                        "version": "4.99.4-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "mantic",
                        "launchpad_bugs_fixed": [],
                        "author": "Andreas Hasenack <andreas@canonical.com>",
                        "date": "Tue, 01 Aug 2023 11:49:37 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Chris Kuethe ]",
                            "  * d/usr.sbin.tcpdump: Allow pcapng files (LP: #2024017)",
                            ""
                        ],
                        "package": "tcpdump",
                        "version": "4.99.3-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "mantic",
                        "launchpad_bugs_fixed": [
                            2024017
                        ],
                        "author": "Andreas Hasenack <andreas@canonical.com>",
                        "date": "Fri, 14 Jul 2023 18:07:50 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/usr.sbin.tcpdump: allow tcpdump printing to stdout/stderr when",
                            "    running from a container (LP: #1667016)",
                            ""
                        ],
                        "package": "tcpdump",
                        "version": "4.99.3-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "lunar",
                        "launchpad_bugs_fixed": [
                            1667016
                        ],
                        "author": "Georgia Garcia <georgia.garcia@canonical.com>",
                        "date": "Fri, 10 Feb 2023 15:17:18 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": true
            },
            {
                "name": "trace-cmd",
                "from_version": {
                    "source_package_name": "trace-cmd",
                    "source_package_version": "3.3.3-1ubuntu1",
                    "version": "3.3.3-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "trace-cmd",
                    "source_package_version": "3.3.3-1ubuntu2",
                    "version": "3.3.3-1ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild with Python 3.14 as default",
                            ""
                        ],
                        "package": "trace-cmd",
                        "version": "3.3.3-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Graham Inggs <ginggs@ubuntu.com>",
                        "date": "Thu, 22 Jan 2026 22:04:08 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tzdata",
                "from_version": {
                    "source_package_name": "tzdata",
                    "source_package_version": "2025c-3ubuntu3",
                    "version": "2025c-3ubuntu3"
                },
                "to_version": {
                    "source_package_name": "tzdata",
                    "source_package_version": "2026a-1ubuntu1",
                    "version": "2026a-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143355
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2143355). Remaining changes:",
                            "    - Ship 2025b ICU timezone data which are utilized by PHP in tzdata-icu",
                            "    - Add autopkgtest test case for ICU timezone data",
                            "    - Point Vcs-Browser/Git to Launchpad",
                            "    - Declare breaking rust-coreutils before version 0.5.0",
                            "  * Update the ICU timezone data to 2026a",
                            "  * Add autopkgtest test case for ICU timezone data 2026a",
                            ""
                        ],
                        "package": "tzdata",
                        "version": "2026a-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143355
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Thu, 05 Mar 2026 20:28:03 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 2026a:",
                            "    - No leap second on 2026-06-30",
                            "    - Moldova has used EU transition times since 2022",
                            "  * Add autopkgtest test case for 2026a release",
                            "  * Bump Standards-Version to 4.7.3 (no changes)",
                            ""
                        ],
                        "package": "tzdata",
                        "version": "2026a-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Tue, 03 Mar 2026 20:45:42 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-kernel-accessories",
                "from_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.565",
                    "version": "1.565"
                },
                "to_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.570",
                    "version": "1.570"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2138618,
                    2132357,
                    2137712,
                    2143727,
                    2115912
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Switched from flash-kernel, flash-kernel-piboot to piboot-try in",
                            "    desktop-raspi [arm64 armhf], server-raspi [arm64 armhf] (LP: #2138618)",
                            "  * Removed wsl-pro-service from wsl-recommends for architectures not",
                            "    supported by Windows / WSL [armhf ppc64el riscv64 s390x] (LP: #2132357)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.570",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138618,
                            2132357
                        ],
                        "author": "Dave Jones <dave.jones@canonical.com>",
                        "date": "Tue, 24 Mar 2026 11:15:35 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added gst-audio-thumbnailer to desktop-recommends",
                            "  * Added gst-video-thumbnailer to desktop-recommends",
                            "  * Removed totem-video-thumbnailer from desktop-recommends",
                            "    (LP: #2137712, LP: #2143727)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.569",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2137712,
                            2143727
                        ],
                        "author": "Jeremy Bícha <jbicha@ubuntu.com>",
                        "date": "Thu, 12 Mar 2026 09:55:16 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added showtime to desktop-recommends (LP: #2115912)",
                            "  * Added totem-video-thumbnailer to desktop-recommends",
                            "  * Removed totem from desktop-recommends",
                            "  * Add amd64v3 to architecture list",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.568",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2115912
                        ],
                        "author": "Jeremy Bícha <jbicha@ubuntu.com>",
                        "date": "Tue, 10 Mar 2026 14:11:16 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added cloud-initramfs-dyn-netconf to server, server-raspi",
                            "  * Removed dracut | cloud-initramfs-dyn-netconf from server, server-",
                            "    raspi",
                            "  * Removed dracut-network | cloud-initramfs-dyn-netconf from server,",
                            "    server-raspi",
                            "  * Convert debian/copyright to machine-readable format",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.567",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 02 Mar 2026 12:06:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * update: also check for git being present",
                            "  * Refreshed dependencies",
                            "  * Added dracut | cloud-initramfs-dyn-netconf to server, server-raspi",
                            "  * Added dracut-network | cloud-initramfs-dyn-netconf to server,",
                            "    server-raspi",
                            "  * Removed cloud-initramfs-dyn-netconf from server, server-raspi",
                            "  * Remove redundant Priority: optional and Rules-Requires-Root: no",
                            "  * Bump Standards-Version to 4.7.3",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.566",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 11:47:20 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-minimal",
                "from_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.565",
                    "version": "1.565"
                },
                "to_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.570",
                    "version": "1.570"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2138618,
                    2132357,
                    2137712,
                    2143727,
                    2115912
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Switched from flash-kernel, flash-kernel-piboot to piboot-try in",
                            "    desktop-raspi [arm64 armhf], server-raspi [arm64 armhf] (LP: #2138618)",
                            "  * Removed wsl-pro-service from wsl-recommends for architectures not",
                            "    supported by Windows / WSL [armhf ppc64el riscv64 s390x] (LP: #2132357)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.570",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138618,
                            2132357
                        ],
                        "author": "Dave Jones <dave.jones@canonical.com>",
                        "date": "Tue, 24 Mar 2026 11:15:35 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added gst-audio-thumbnailer to desktop-recommends",
                            "  * Added gst-video-thumbnailer to desktop-recommends",
                            "  * Removed totem-video-thumbnailer from desktop-recommends",
                            "    (LP: #2137712, LP: #2143727)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.569",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2137712,
                            2143727
                        ],
                        "author": "Jeremy Bícha <jbicha@ubuntu.com>",
                        "date": "Thu, 12 Mar 2026 09:55:16 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added showtime to desktop-recommends (LP: #2115912)",
                            "  * Added totem-video-thumbnailer to desktop-recommends",
                            "  * Removed totem from desktop-recommends",
                            "  * Add amd64v3 to architecture list",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.568",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2115912
                        ],
                        "author": "Jeremy Bícha <jbicha@ubuntu.com>",
                        "date": "Tue, 10 Mar 2026 14:11:16 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added cloud-initramfs-dyn-netconf to server, server-raspi",
                            "  * Removed dracut | cloud-initramfs-dyn-netconf from server, server-",
                            "    raspi",
                            "  * Removed dracut-network | cloud-initramfs-dyn-netconf from server,",
                            "    server-raspi",
                            "  * Convert debian/copyright to machine-readable format",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.567",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 02 Mar 2026 12:06:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * update: also check for git being present",
                            "  * Refreshed dependencies",
                            "  * Added dracut | cloud-initramfs-dyn-netconf to server, server-raspi",
                            "  * Added dracut-network | cloud-initramfs-dyn-netconf to server,",
                            "    server-raspi",
                            "  * Removed cloud-initramfs-dyn-netconf from server, server-raspi",
                            "  * Remove redundant Priority: optional and Rules-Requires-Root: no",
                            "  * Bump Standards-Version to 4.7.3",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.566",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 11:47:20 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-pro-client",
                "from_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "37.1ubuntu0",
                    "version": "37.1ubuntu0"
                },
                "to_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "37.2ubuntu",
                    "version": "37.2ubuntu"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2131292
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/apparmor/ubuntu_pro_esm_cache.jinja2: fix \"DENIED\" messages when",
                            "    devicetree exists (LP: #2131292)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "37.2ubuntu",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2131292
                        ],
                        "author": "Renan Rodrigo <rr@ubuntu.com>",
                        "date": "Wed, 11 Mar 2026 10:27:02 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-pro-client-l10n",
                "from_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "37.1ubuntu0",
                    "version": "37.1ubuntu0"
                },
                "to_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "37.2ubuntu",
                    "version": "37.2ubuntu"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2131292
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/apparmor/ubuntu_pro_esm_cache.jinja2: fix \"DENIED\" messages when",
                            "    devicetree exists (LP: #2131292)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "37.2ubuntu",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2131292
                        ],
                        "author": "Renan Rodrigo <rr@ubuntu.com>",
                        "date": "Wed, 11 Mar 2026 10:27:02 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-release-upgrader-core",
                "from_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:26.04.8",
                    "version": "1:26.04.8"
                },
                "to_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:26.04.9",
                    "version": "1:26.04.9"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2141637
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No change rebuild against `update-manager` (LP: #2141637)",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:26.04.9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2141637
                        ],
                        "author": "Florent 'Skia' Jacquet <skia@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 12:30:25 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-server",
                "from_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.565",
                    "version": "1.565"
                },
                "to_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.570",
                    "version": "1.570"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2138618,
                    2132357,
                    2137712,
                    2143727,
                    2115912
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Switched from flash-kernel, flash-kernel-piboot to piboot-try in",
                            "    desktop-raspi [arm64 armhf], server-raspi [arm64 armhf] (LP: #2138618)",
                            "  * Removed wsl-pro-service from wsl-recommends for architectures not",
                            "    supported by Windows / WSL [armhf ppc64el riscv64 s390x] (LP: #2132357)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.570",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138618,
                            2132357
                        ],
                        "author": "Dave Jones <dave.jones@canonical.com>",
                        "date": "Tue, 24 Mar 2026 11:15:35 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added gst-audio-thumbnailer to desktop-recommends",
                            "  * Added gst-video-thumbnailer to desktop-recommends",
                            "  * Removed totem-video-thumbnailer from desktop-recommends",
                            "    (LP: #2137712, LP: #2143727)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.569",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2137712,
                            2143727
                        ],
                        "author": "Jeremy Bícha <jbicha@ubuntu.com>",
                        "date": "Thu, 12 Mar 2026 09:55:16 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added showtime to desktop-recommends (LP: #2115912)",
                            "  * Added totem-video-thumbnailer to desktop-recommends",
                            "  * Removed totem from desktop-recommends",
                            "  * Add amd64v3 to architecture list",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.568",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2115912
                        ],
                        "author": "Jeremy Bícha <jbicha@ubuntu.com>",
                        "date": "Tue, 10 Mar 2026 14:11:16 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added cloud-initramfs-dyn-netconf to server, server-raspi",
                            "  * Removed dracut | cloud-initramfs-dyn-netconf from server, server-",
                            "    raspi",
                            "  * Removed dracut-network | cloud-initramfs-dyn-netconf from server,",
                            "    server-raspi",
                            "  * Convert debian/copyright to machine-readable format",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.567",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 02 Mar 2026 12:06:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * update: also check for git being present",
                            "  * Refreshed dependencies",
                            "  * Added dracut | cloud-initramfs-dyn-netconf to server, server-raspi",
                            "  * Added dracut-network | cloud-initramfs-dyn-netconf to server,",
                            "    server-raspi",
                            "  * Removed cloud-initramfs-dyn-netconf from server, server-raspi",
                            "  * Remove redundant Priority: optional and Rules-Requires-Root: no",
                            "  * Bump Standards-Version to 4.7.3",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.566",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 11:47:20 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-standard",
                "from_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.565",
                    "version": "1.565"
                },
                "to_version": {
                    "source_package_name": "ubuntu-meta",
                    "source_package_version": "1.570",
                    "version": "1.570"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2138618,
                    2132357,
                    2137712,
                    2143727,
                    2115912
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Switched from flash-kernel, flash-kernel-piboot to piboot-try in",
                            "    desktop-raspi [arm64 armhf], server-raspi [arm64 armhf] (LP: #2138618)",
                            "  * Removed wsl-pro-service from wsl-recommends for architectures not",
                            "    supported by Windows / WSL [armhf ppc64el riscv64 s390x] (LP: #2132357)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.570",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2138618,
                            2132357
                        ],
                        "author": "Dave Jones <dave.jones@canonical.com>",
                        "date": "Tue, 24 Mar 2026 11:15:35 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added gst-audio-thumbnailer to desktop-recommends",
                            "  * Added gst-video-thumbnailer to desktop-recommends",
                            "  * Removed totem-video-thumbnailer from desktop-recommends",
                            "    (LP: #2137712, LP: #2143727)",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.569",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2137712,
                            2143727
                        ],
                        "author": "Jeremy Bícha <jbicha@ubuntu.com>",
                        "date": "Thu, 12 Mar 2026 09:55:16 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added showtime to desktop-recommends (LP: #2115912)",
                            "  * Added totem-video-thumbnailer to desktop-recommends",
                            "  * Removed totem from desktop-recommends",
                            "  * Add amd64v3 to architecture list",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.568",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2115912
                        ],
                        "author": "Jeremy Bícha <jbicha@ubuntu.com>",
                        "date": "Tue, 10 Mar 2026 14:11:16 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Refreshed dependencies",
                            "  * Added cloud-initramfs-dyn-netconf to server, server-raspi",
                            "  * Removed dracut | cloud-initramfs-dyn-netconf from server, server-",
                            "    raspi",
                            "  * Removed dracut-network | cloud-initramfs-dyn-netconf from server,",
                            "    server-raspi",
                            "  * Convert debian/copyright to machine-readable format",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.567",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Mon, 02 Mar 2026 12:06:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * update: also check for git being present",
                            "  * Refreshed dependencies",
                            "  * Added dracut | cloud-initramfs-dyn-netconf to server, server-raspi",
                            "  * Added dracut-network | cloud-initramfs-dyn-netconf to server,",
                            "    server-raspi",
                            "  * Removed cloud-initramfs-dyn-netconf from server, server-raspi",
                            "  * Remove redundant Priority: optional and Rules-Requires-Root: no",
                            "  * Bump Standards-Version to 4.7.3",
                            ""
                        ],
                        "package": "ubuntu-meta",
                        "version": "1.566",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 11:47:20 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ucf",
                "from_version": {
                    "source_package_name": "ucf",
                    "source_package_version": "3.0052",
                    "version": "3.0052"
                },
                "to_version": {
                    "source_package_name": "ucf",
                    "source_package_version": "3.0052ubuntu1",
                    "version": "3.0052ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2142754,
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Makefile: quote version string during replacement (LP: #2142754)",
                            ""
                        ],
                        "package": "ucf",
                        "version": "3.0052ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142754
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 09:35:10 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "ucf",
                        "version": "3.0052build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:51:29 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "udev",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259-1ubuntu3",
                    "version": "259-1ubuntu3"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "259.5-0ubuntu1",
                    "version": "259.5-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144032,
                    2143010,
                    2142900,
                    2142428,
                    2077538,
                    2142306,
                    2139822
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * New upstream stable version 259.5",
                            "    - Update upstream source from tag 'upstream/259.5'",
                            "      Update to upstream version '259.5'",
                            "      with Debian dir 1076161727931a7063674200c474ec7747a5177f",
                            "    - Bug fixes",
                            "",
                            "  [ Oliver Reiche ]",
                            "  * Fix issue overwriting /tmp on dist-upgrade (LP: #2144032)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.5-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144032
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 12:27:31 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.3",
                            "    - Update upstream source from tag 'upstream/259.3'",
                            "      Update to upstream version '259.3'",
                            "      with Debian dir 4fea3198a053eb40e77ea3ad3c3be030151f3f46",
                            "    - Bug fixes",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.3-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 06 Mar 2026 09:05:25 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Tag KFD and ACCEL devices for uaccess (LP: #2143010)",
                            "  * d/control: Add missing dh-dlopenlibdeps to b-d",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143010
                        ],
                        "author": "Mario Limonciello <superm1@gmail.com>",
                        "date": "Tue, 03 Mar 2026 12:06:36 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream stable version 259.2",
                            "    - Bug fixes",
                            "    - Update upstream source from tag 'upstream/259.2'",
                            "      Update to upstream version '259.2'",
                            "      with Debian dir c25e0517a7a4ebd6d9009de0cf949dd265182a67",
                            "    - Drop lp2142428-seccomp-util-add-lsm_get_self_attr-and-lsm_list_modules-t.patch.",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/515816197e",
                            "  * test: use gnuenv to workaround broken --block-signal= (LP: #2142900)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.2-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142900
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 09:20:52 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * seccomp-util: add lsm_get_self_attr and lsm_list_modules to @default",
                            "    (LP: #2142428)",
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/p/lp2077538: Grant GPU rendering access to GNOME Remote Desktop",
                            "    (LP: #2077538, LP: #2142306)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142428,
                            2077538,
                            2142306
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Wed, 25 Feb 2026 10:32:56 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - debian/systemd.postinst:",
                            "      + manually call systemd-tmpfiles --create in postinst",
                            "    - debian/control:",
                            "      + Add Recommends: systemd-resolved to systemd package",
                            "      + Make systemd-cryptsetup Priority: important",
                            "      + Give systemd-resolved Priority: important",
                            "      + Add Recommends: systemd-hwe-hwdb to udev package",
                            "      + Drop Recommends: libnss-myhostname libnss-resolve from systemd-resolved",
                            "      + Do not build systemd-boot-efi-{amd64,arm64}-signed-template",
                            "      + d/control: demote systemd-userdbd to Suggests for libnss-systemd",
                            "    - d/rules: disable bpf support on riscv64 for now (LP #2099864)",
                            "    - d/extra/dbus-1: remove SetLocale restriction from dbus policy (LP #2102028)",
                            "    - Delta for i386:",
                            "      + debian/systemd.install: exclude files that are not built for i386",
                            "      + debian/systemd.manpages: do not ship un-built manpages on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with tpm libraries on i386",
                            "      + debian/rules,debian/control,debian/tests/control:",
                            "        Do not build with libqrencode on i386",
                            "      + debian/rules: Remove unneeded efi artifacts on i386 to avoid debugedit errors",
                            "    - debian/libnss-systemd.*:",
                            "      + debian/libnss-systemd.nss: install after 'compat' too (LP #2125403)",
                            "      + debian/libnss-systemd.preinst: force nsswitch.conf update",
                            "        Drop systemd instances in nsswitch.conf, and force postinst to",
                            "        re-generate the file (LP #2121017)",
                            "      + debian/linbnss-systemd.nss: Install systemd service after files.",
                            "        As suggested by upstream the systemd NSS service should come just after",
                            "        files",
                            "    - debian/tests:",
                            "      + d/t/boot-and-services: use coreutils tunable in apparmor test (LP #2125614)",
                            "      + d/t/upstream: skip TEST-08-INITRD on Ubuntu (LP #2136419)",
                            "    - debian/patches:",
                            "      + switch-root: use MS_MOVE for /run when switchig from initrd",
                            "      + test: skip TEST-50-DISSECT.dissect (LP #2116460)",
                            "      + test: skip TEST-13-NSPAWN.{nspawn,machined}  (LP #2136413)",
                            "  * Dropped changes, included upstream:",
                            "    - lp2136497-test-use-journalctl-n-option-instead-of-piping-to-head.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/2c661e5f0d",
                            "    - lp2136408-test-cope-with-uutils-coreutils-flag-parsing-for-date-com.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/a45dad1aa5",
                            "    - test-disable-pipefail-again-in-monitor_check_rr.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/ce35956b3a",
                            "    - resolve-include-current-DNS-server-in-JSON-again.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/0de941f937",
                            "    - lp2133402-ukify-omit-.osrel-section-when-os-release-is-empty.patch",
                            "      Applied upstream: https://github.com/systemd/systemd/commit/798a27a5b4",
                            "  * Dropped changes, no longer needed:",
                            "    - d/t/upstream: use GNU cp in test setup (LP #2122363)",
                            "      Fixed in rust-coreutils 0.5.0",
                            "    - lp2136752-test-workaround-uutils-dd-broken-pipe.patch",
                            "      Fixed in rust-coreutils 0.6.0",
                            "  * New changes:",
                            "    - d/libsystemd-shared.preinst: refuse to upgrade without unified cgroupv2 hierarchy",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 10 Feb 2026 14:05:53 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Drop dependencies on libcap-dev, no longer used since v259",
                            "  * Mark sd-userdbd as Multi-Arch: foreign (Closes: #1123615)",
                            "  * Use dh_installsystemd more to manage units. Ensure more units are",
                            "    handled as they are added to various packages",
                            "  * Use dh_installsystemd to handle journald and networkd",
                            "  * Use deb-systemd-invoke to reexec instead of manual calls. Allows the",
                            "    tool to handle the complications and use varlink where available",
                            "  * Increase number of sections of sd-stub on amd64 too. The default limit",
                            "    breaks adding more than 28 sections, which can happen with a UKI with",
                            "    many optional profiles. Bump it on amd64 too, at the cost of an extra",
                            "    ~80KB in size on the stub.",
                            "  * Update upstream source from tag 'upstream/259.1' Update to upstream",
                            "    version '259.1' with Debian dir",
                            "    f7a9425f1024ef75b5020a216f6be3d0af9ac227",
                            "  * Restrict the tpm2-generator manpage to arches where it is built",
                            "  * Install ask-password polkit policy file",
                            "",
                            "  [ Yu Watanabe ]",
                            "  * Drop use of deprecated options. These options are deprecated since",
                            "    v258.",
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * d/control: have systemd-boot depend on efibootmgr for amd64 and arm64",
                            "    only",
                            "  * d/tests: drop tests-in-lxd",
                            "  * d/control: make systemd-container Depends: libarchive13t64. This is",
                            "    needed for e.g. systemd-import-generator + rd.systemd.pull= to work",
                            "    properly. Dracut would like to be able to use that feature reliably",
                            "    when systemd-importd is available, so explicitly depend on libarchive.",
                            "    Currently, it is only a Suggests of libsystemd-shared via dlopen",
                            "    machinery. (LP: #2139822)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "259.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2139822
                        ],
                        "author": "Luca Boccassi <bluca@debian.org>",
                        "date": "Fri, 06 Feb 2026 18:37:22 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "udisks2",
                "from_version": {
                    "source_package_name": "udisks2",
                    "source_package_version": "2.10.91-1ubuntu1",
                    "version": "2.10.91-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "udisks2",
                    "source_package_version": "2.10.91-1ubuntu2",
                    "version": "2.10.91-1ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-26103",
                        "url": "https://ubuntu.com/security/CVE-2026-26103",
                        "cve_description": "A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-25 11:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-26104",
                        "url": "https://ubuntu.com/security/CVE-2026-26104",
                        "cve_description": "A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-25 11:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26103",
                                "url": "https://ubuntu.com/security/CVE-2026-26103",
                                "cve_description": "A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block devices. This can permanently invalidate encryption keys and render encrypted volumes inaccessible. Successful exploitation results in a denial-of-service condition through irreversible data loss.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-25 11:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-26104",
                                "url": "https://ubuntu.com/security/CVE-2026-26104",
                                "cve_description": "A flaw was found in the udisks storage management daemon that allows unprivileged users to back up LUKS encryption headers without authorization. The issue occurs because a privileged D-Bus method responsible for exporting encryption metadata does not perform a policy check. As a result, sensitive cryptographic metadata can be read and written to attacker-controlled locations. This weakens the confidentiality guarantees of encrypted storage volumes.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-25 11:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Missing polkit permission checks",
                            "    - debian/patches/CVE-2026-26103.patch: Add missing polkit check for",
                            "      RestoreEncryptedHeader().",
                            "    - debian/patches/CVE-2026-26104.patch: Add missing polkit check for",
                            "      HeaderBackup()",
                            "    - CVE-2026-26103",
                            "    - CVE-2026-26104",
                            ""
                        ],
                        "package": "udisks2",
                        "version": "2.10.91-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 13:05:58 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "unattended-upgrades",
                "from_version": {
                    "source_package_name": "unattended-upgrades",
                    "source_package_version": "2.12ubuntu5",
                    "version": "2.12ubuntu5"
                },
                "to_version": {
                    "source_package_name": "unattended-upgrades",
                    "source_package_version": "2.12ubuntu7",
                    "version": "2.12ubuntu7"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * unattended-upgrade: cherry-pick upstream change to fix flake8 tests",
                            ""
                        ],
                        "package": "unattended-upgrades",
                        "version": "2.12ubuntu7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Sebastien Bacher <seb128@ubuntu.com>",
                        "date": "Tue, 10 Feb 2026 11:15:32 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fixup GLib thread context",
                            ""
                        ],
                        "package": "unattended-upgrades",
                        "version": "2.12ubuntu6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Alessandro Astone <alessandro.astone@canonical.com>",
                        "date": "Tue, 10 Feb 2026 10:36:56 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "update-manager-core",
                "from_version": {
                    "source_package_name": "update-manager",
                    "source_package_version": "1:26.04.2",
                    "version": "1:26.04.2"
                },
                "to_version": {
                    "source_package_name": "update-manager",
                    "source_package_version": "1:26.04.4",
                    "version": "1:26.04.4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2133012,
                    2141637,
                    2133012
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Almost completely revert previous change that removed inhibitor of",
                            "    shutdown and sleep, but only inhibit sleep now, as a compromise between",
                            "      - LP: #2133012: \"Restart now\" has no effect in update-manager; and",
                            "      - LP: #2141637: Ubuntu-release-upgrader crashes without inhibit_sleep.",
                            ""
                        ],
                        "package": "update-manager",
                        "version": "1:26.04.4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2133012,
                            2141637
                        ],
                        "author": "Nathan Pratta Teodosio <nteodosio@ubuntu.com>",
                        "date": "Thu, 12 Feb 2026 18:53:14 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Do not inhibit shutdown or sleep. Apt already inhibits shutdown.",
                            "    The argument of whether a sleep operation is to be inhibited during package",
                            "    installation belongs likewise to Apt. (lp: #2133012).",
                            ""
                        ],
                        "package": "update-manager",
                        "version": "1:26.04.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2133012
                        ],
                        "author": "Nathan Pratta Teodosio <nathan.teodosio@canonical.com>",
                        "date": "Tue, 10 Feb 2026 17:16:37 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "util-linux",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.2-4ubuntu3",
                    "version": "2.41.2-4ubuntu3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.3-3ubuntu2",
                    "version": "2.41.3-3ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142050
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ubuntu/su-pty-drop-caps.patch: harden 'su --pty' to temporarily lower",
                            "    capabilities while proxying between stdin/stdout and the pty master. This",
                            "    is to prevent su from being used to exploit kernel vulnerabilities.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:09:23 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142050). Remaining changes:",
                            "    - Add sulogin-fallback-static-sh.patch",
                            "      Add support for /bin/static-sh as fallback if the regular shell fails to",
                            "      execute. Patch ported from sysvinit. (see LP #505887)",
                            "    - Add sulogin-lockedpwd.patch",
                            "      Make sure file systems can be fixed on machines with locked root",
                            "      accounts (as Ubuntu does by default). Don't require --force for sulogin.",
                            "    - d/rules: disable libmount mountfs support",
                            "      Disable brand new feature with --disable-libmount-mountfd-support that",
                            "      causes inability to deploy MAAS LP #2037417.",
                            "  * Dropped changes applied upstream:",
                            "    - SECURITY UPDATE: heap overread with 256-byte usernames",
                            "      + debian/patches/CVE-2025-14104-1.patch: add length check in",
                            "        login-utils/setpwnam.c.",
                            "      + debian/patches/CVE-2025-14104-2.patch: update buflen in",
                            "        login-utils/setpwnam.c.",
                            "      + CVE-2025-14104",
                            "  * Dropped changes as they were no longer necessary:",
                            "    - d/p/ubuntu/lp-2030793-make-check-pidfd.patch",
                            "      This patch only affected kernel versions below 5.15 which are not",
                            "      available on resolute.",
                            "    - d/p/u/lp-2112552-tests-mark-mkfds-multiplexing-as-known-fail.patch",
                            "      The underlying bug was addressed in rust-coreutils.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142050
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Sun, 15 Feb 2026 17:43:12 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/libsmartcols1.symbols: drop terminal crap",
                            "  * d/rules: make dpkg-gensymbols more strict",
                            "  * lintian: ignore groff-message tags",
                            "  * lintian: ignore groff-message tags in remaining packages",
                            "  * Add upstream patches",
                            "    * unshare: fix user namespace bind mounts",
                            "    * unshare: remove get_mnt_ino() check in bind_ns_files_from_child()",
                            "    * unshare: add --owner to set user namespace owner uid and gid",
                            "    * libfdisk: modernize ZFS GPT type description",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 31 Dec 2025 13:06:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * util-linux: do not fail postinst/prerm if update-alternatives is missing",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 17 Dec 2025 10:42:28 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Stop installing lastlog2-import.service",
                            "  * New upstream release, fixing CVE-2025-14104. (Closes: #1122058)",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Tue, 16 Dec 2025 20:37:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "util-linux-extra",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.2-4ubuntu3",
                    "version": "2.41.2-4ubuntu3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.3-3ubuntu2",
                    "version": "2.41.3-3ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142050
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ubuntu/su-pty-drop-caps.patch: harden 'su --pty' to temporarily lower",
                            "    capabilities while proxying between stdin/stdout and the pty master. This",
                            "    is to prevent su from being used to exploit kernel vulnerabilities.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:09:23 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142050). Remaining changes:",
                            "    - Add sulogin-fallback-static-sh.patch",
                            "      Add support for /bin/static-sh as fallback if the regular shell fails to",
                            "      execute. Patch ported from sysvinit. (see LP #505887)",
                            "    - Add sulogin-lockedpwd.patch",
                            "      Make sure file systems can be fixed on machines with locked root",
                            "      accounts (as Ubuntu does by default). Don't require --force for sulogin.",
                            "    - d/rules: disable libmount mountfs support",
                            "      Disable brand new feature with --disable-libmount-mountfd-support that",
                            "      causes inability to deploy MAAS LP #2037417.",
                            "  * Dropped changes applied upstream:",
                            "    - SECURITY UPDATE: heap overread with 256-byte usernames",
                            "      + debian/patches/CVE-2025-14104-1.patch: add length check in",
                            "        login-utils/setpwnam.c.",
                            "      + debian/patches/CVE-2025-14104-2.patch: update buflen in",
                            "        login-utils/setpwnam.c.",
                            "      + CVE-2025-14104",
                            "  * Dropped changes as they were no longer necessary:",
                            "    - d/p/ubuntu/lp-2030793-make-check-pidfd.patch",
                            "      This patch only affected kernel versions below 5.15 which are not",
                            "      available on resolute.",
                            "    - d/p/u/lp-2112552-tests-mark-mkfds-multiplexing-as-known-fail.patch",
                            "      The underlying bug was addressed in rust-coreutils.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142050
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Sun, 15 Feb 2026 17:43:12 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/libsmartcols1.symbols: drop terminal crap",
                            "  * d/rules: make dpkg-gensymbols more strict",
                            "  * lintian: ignore groff-message tags",
                            "  * lintian: ignore groff-message tags in remaining packages",
                            "  * Add upstream patches",
                            "    * unshare: fix user namespace bind mounts",
                            "    * unshare: remove get_mnt_ino() check in bind_ns_files_from_child()",
                            "    * unshare: add --owner to set user namespace owner uid and gid",
                            "    * libfdisk: modernize ZFS GPT type description",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 31 Dec 2025 13:06:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * util-linux: do not fail postinst/prerm if update-alternatives is missing",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 17 Dec 2025 10:42:28 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Stop installing lastlog2-import.service",
                            "  * New upstream release, fixing CVE-2025-14104. (Closes: #1122058)",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Tue, 16 Dec 2025 20:37:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "uuid-runtime",
                "from_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.2-4ubuntu3",
                    "version": "2.41.2-4ubuntu3"
                },
                "to_version": {
                    "source_package_name": "util-linux",
                    "source_package_version": "2.41.3-3ubuntu2",
                    "version": "2.41.3-3ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-14104",
                        "url": "https://ubuntu.com/security/CVE-2025-14104",
                        "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142050
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/ubuntu/su-pty-drop-caps.patch: harden 'su --pty' to temporarily lower",
                            "    capabilities while proxying between stdin/stdout and the pty master. This",
                            "    is to prevent su from being used to exploit kernel vulnerabilities.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 13 Mar 2026 07:09:23 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142050). Remaining changes:",
                            "    - Add sulogin-fallback-static-sh.patch",
                            "      Add support for /bin/static-sh as fallback if the regular shell fails to",
                            "      execute. Patch ported from sysvinit. (see LP #505887)",
                            "    - Add sulogin-lockedpwd.patch",
                            "      Make sure file systems can be fixed on machines with locked root",
                            "      accounts (as Ubuntu does by default). Don't require --force for sulogin.",
                            "    - d/rules: disable libmount mountfs support",
                            "      Disable brand new feature with --disable-libmount-mountfd-support that",
                            "      causes inability to deploy MAAS LP #2037417.",
                            "  * Dropped changes applied upstream:",
                            "    - SECURITY UPDATE: heap overread with 256-byte usernames",
                            "      + debian/patches/CVE-2025-14104-1.patch: add length check in",
                            "        login-utils/setpwnam.c.",
                            "      + debian/patches/CVE-2025-14104-2.patch: update buflen in",
                            "        login-utils/setpwnam.c.",
                            "      + CVE-2025-14104",
                            "  * Dropped changes as they were no longer necessary:",
                            "    - d/p/ubuntu/lp-2030793-make-check-pidfd.patch",
                            "      This patch only affected kernel versions below 5.15 which are not",
                            "      available on resolute.",
                            "    - d/p/u/lp-2112552-tests-mark-mkfds-multiplexing-as-known-fail.patch",
                            "      The underlying bug was addressed in rust-coreutils.",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142050
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Sun, 15 Feb 2026 17:43:12 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/libsmartcols1.symbols: drop terminal crap",
                            "  * d/rules: make dpkg-gensymbols more strict",
                            "  * lintian: ignore groff-message tags",
                            "  * lintian: ignore groff-message tags in remaining packages",
                            "  * Add upstream patches",
                            "    * unshare: fix user namespace bind mounts",
                            "    * unshare: remove get_mnt_ino() check in bind_ns_files_from_child()",
                            "    * unshare: add --owner to set user namespace owner uid and gid",
                            "    * libfdisk: modernize ZFS GPT type description",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 31 Dec 2025 13:06:28 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Luca Boccassi ]",
                            "  * util-linux: do not fail postinst/prerm if update-alternatives is missing",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Wed, 17 Dec 2025 10:42:28 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-14104",
                                "url": "https://ubuntu.com/security/CVE-2025-14104",
                                "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Stop installing lastlog2-import.service",
                            "  * New upstream release, fixing CVE-2025-14104. (Closes: #1122058)",
                            ""
                        ],
                        "package": "util-linux",
                        "version": "2.41.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Tue, 16 Dec 2025 20:37:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.1882-1ubuntu2",
                    "version": "2:9.1.1882-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu2",
                    "version": "2:9.1.2141-1ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-26269",
                        "url": "https://ubuntu.com/security/CVE-2026-26269",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-13 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28420",
                        "url": "https://ubuntu.com/security/CVE-2026-28420",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28422",
                        "url": "https://ubuntu.com/security/CVE-2026-28422",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28417",
                        "url": "https://ubuntu.com/security/CVE-2026-28417",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28418",
                        "url": "https://ubuntu.com/security/CVE-2026-28418",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28419",
                        "url": "https://ubuntu.com/security/CVE-2026-28419",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28421",
                        "url": "https://ubuntu.com/security/CVE-2026-28421",
                        "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-25749",
                        "url": "https://ubuntu.com/security/CVE-2026-25749",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-06 23:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142221,
                    2142681
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26269",
                                "url": "https://ubuntu.com/security/CVE-2026-26269",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-13 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28420",
                                "url": "https://ubuntu.com/security/CVE-2026-28420",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28422",
                                "url": "https://ubuntu.com/security/CVE-2026-28422",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28417",
                                "url": "https://ubuntu.com/security/CVE-2026-28417",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28418",
                                "url": "https://ubuntu.com/security/CVE-2026-28418",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28419",
                                "url": "https://ubuntu.com/security/CVE-2026-28419",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28421",
                                "url": "https://ubuntu.com/security/CVE-2026-28421",
                                "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Buffer Overflow",
                            "    - debian/patches/CVE-2026-26269.patch: Limit writing to max KEYBUFLEN",
                            "      bytes to prevent writing out of bounds.",
                            "    - debian/patches/CVE-2026-28420.patch: Use VTERM_MAX_CHARS_PER_CELL * 4",
                            "      for ga_grow() to ensure sufficient space. Add a boundary check to the",
                            "      character loop to prevent index out-of-bounds access.",
                            "    - debian/patches/CVE-2026-28422.patch: Update the size check to account",
                            "      for the byte length of the fill character (using MB_CHAR2LEN).",
                            "    - CVE-2026-26269",
                            "    - CVE-2026-28420",
                            "    - CVE-2026-28422",
                            "  * SECURITY UPDATE: Command Injection",
                            "    - debian/patches/CVE-2026-28417.patch: Implement stricter RFC1123",
                            "      hostname and IP validation. Use shellescape() for the provided",
                            "      hostname and port.",
                            "    - debian/patches/fix-test_plugin_netrw-tests.patch: Add missing",
                            "      function TestNetrwCaptureRemotePath",
                            "    - CVE-2026-28417",
                            "  * SECURITY UPDATE: Out of Bounds Read",
                            "    - debian/patches/CVE-2026-28418.patch: Check for end of buffer",
                            "      and return early.",
                            "    - CVE-2026-28418",
                            "  * SECURITY UPDATE: Buffer Underflow",
                            "    - debian/patches/CVE-2026-28419.patch: Add a check to ensure the",
                            "      delimiter (p_7f) is not at the start of the buffer (lbuf) before",
                            "      attempting to isolate the tag name.",
                            "    - CVE-2026-28419",
                            "  * SECURITY UPDATE: Denial of Service",
                            "    - debian/patches/CVE-2026-28421.patch: Add bounds checks on",
                            "      pe_page_count and pe_bnum against mf_blocknr_max before descending",
                            "      into the block tree, and validate pe_old_lnum >= 1 and",
                            "      pe_line_count > 0 before calling readfile().",
                            "    - CVE-2026-28421",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Bruce Cable <bruce.cable@canonical.com>",
                        "date": "Tue, 10 Mar 2026 19:44:16 +1100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142221). Remaining changes:",
                            "    - d/p/0001-fix-flaky-terminal-mode-test.vim:",
                            "      Fix flaky Vim terminal mode test",
                            "    - d/p/0002-disable-failing-tests-on-ppc64.patch:",
                            "      Disable some tests that were failing during build on",
                            "      ppc64el. The tests are only disabled when building on ppc64el.",
                            "    - d/p/0003-skip-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - d/p/increase_timeout.diff: Increase timeout",
                            "      for the Test_pattern_compile_speed patch.",
                            "    - d/p/debian/ubuntu-grub-syntax.patch:",
                            "      Add Ubuntu-specific \"quiet\" keyword.",
                            "    - d/runtime/vimrc: \"syntax on\" is a sane default for non-tiny Vim.",
                            "  * New changes:",
                            "    - d/p/disable-test-term-gettty.patch: disable a test",
                            "      which was failing due to changes outside of vim (LP: #2142681)",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142221,
                            2142681
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Wed, 25 Feb 2026 07:34:15 -0800"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-25749",
                                "url": "https://ubuntu.com/security/CVE-2026-25749",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-06 23:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge upstream tag v9.1.2141",
                            "    + Security fixes",
                            "      - 9.1.2132: Fix buffer-overflow in 'helpfile' option handling,",
                            "        CVE-2026-25749",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Mon, 09 Feb 2026 07:06:42 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge upstream patch v9.1.2103",
                            "    + syntax/debcontrol.vim:",
                            "      - Only highlight email addresses in Maintainer / Uploaders fields",
                            "      - Add support for highlighting build profiles and architecture",
                            "        restrictions (Closes: #1124089)",
                            "  * Disable flaky Test_client_server_stopinsert test",
                            "  * Remove Rules-Requires-Root, since no is the default value",
                            "  * Remove Priority field, since optional is the default value",
                            "  * Declare compliance with Policy 4.7.3",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2103-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Fri, 23 Jan 2026 06:27:15 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-common",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.1882-1ubuntu2",
                    "version": "2:9.1.1882-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu2",
                    "version": "2:9.1.2141-1ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-26269",
                        "url": "https://ubuntu.com/security/CVE-2026-26269",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-13 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28420",
                        "url": "https://ubuntu.com/security/CVE-2026-28420",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28422",
                        "url": "https://ubuntu.com/security/CVE-2026-28422",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28417",
                        "url": "https://ubuntu.com/security/CVE-2026-28417",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28418",
                        "url": "https://ubuntu.com/security/CVE-2026-28418",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28419",
                        "url": "https://ubuntu.com/security/CVE-2026-28419",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28421",
                        "url": "https://ubuntu.com/security/CVE-2026-28421",
                        "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-25749",
                        "url": "https://ubuntu.com/security/CVE-2026-25749",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-06 23:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142221,
                    2142681
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26269",
                                "url": "https://ubuntu.com/security/CVE-2026-26269",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-13 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28420",
                                "url": "https://ubuntu.com/security/CVE-2026-28420",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28422",
                                "url": "https://ubuntu.com/security/CVE-2026-28422",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28417",
                                "url": "https://ubuntu.com/security/CVE-2026-28417",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28418",
                                "url": "https://ubuntu.com/security/CVE-2026-28418",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28419",
                                "url": "https://ubuntu.com/security/CVE-2026-28419",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28421",
                                "url": "https://ubuntu.com/security/CVE-2026-28421",
                                "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Buffer Overflow",
                            "    - debian/patches/CVE-2026-26269.patch: Limit writing to max KEYBUFLEN",
                            "      bytes to prevent writing out of bounds.",
                            "    - debian/patches/CVE-2026-28420.patch: Use VTERM_MAX_CHARS_PER_CELL * 4",
                            "      for ga_grow() to ensure sufficient space. Add a boundary check to the",
                            "      character loop to prevent index out-of-bounds access.",
                            "    - debian/patches/CVE-2026-28422.patch: Update the size check to account",
                            "      for the byte length of the fill character (using MB_CHAR2LEN).",
                            "    - CVE-2026-26269",
                            "    - CVE-2026-28420",
                            "    - CVE-2026-28422",
                            "  * SECURITY UPDATE: Command Injection",
                            "    - debian/patches/CVE-2026-28417.patch: Implement stricter RFC1123",
                            "      hostname and IP validation. Use shellescape() for the provided",
                            "      hostname and port.",
                            "    - debian/patches/fix-test_plugin_netrw-tests.patch: Add missing",
                            "      function TestNetrwCaptureRemotePath",
                            "    - CVE-2026-28417",
                            "  * SECURITY UPDATE: Out of Bounds Read",
                            "    - debian/patches/CVE-2026-28418.patch: Check for end of buffer",
                            "      and return early.",
                            "    - CVE-2026-28418",
                            "  * SECURITY UPDATE: Buffer Underflow",
                            "    - debian/patches/CVE-2026-28419.patch: Add a check to ensure the",
                            "      delimiter (p_7f) is not at the start of the buffer (lbuf) before",
                            "      attempting to isolate the tag name.",
                            "    - CVE-2026-28419",
                            "  * SECURITY UPDATE: Denial of Service",
                            "    - debian/patches/CVE-2026-28421.patch: Add bounds checks on",
                            "      pe_page_count and pe_bnum against mf_blocknr_max before descending",
                            "      into the block tree, and validate pe_old_lnum >= 1 and",
                            "      pe_line_count > 0 before calling readfile().",
                            "    - CVE-2026-28421",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Bruce Cable <bruce.cable@canonical.com>",
                        "date": "Tue, 10 Mar 2026 19:44:16 +1100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142221). Remaining changes:",
                            "    - d/p/0001-fix-flaky-terminal-mode-test.vim:",
                            "      Fix flaky Vim terminal mode test",
                            "    - d/p/0002-disable-failing-tests-on-ppc64.patch:",
                            "      Disable some tests that were failing during build on",
                            "      ppc64el. The tests are only disabled when building on ppc64el.",
                            "    - d/p/0003-skip-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - d/p/increase_timeout.diff: Increase timeout",
                            "      for the Test_pattern_compile_speed patch.",
                            "    - d/p/debian/ubuntu-grub-syntax.patch:",
                            "      Add Ubuntu-specific \"quiet\" keyword.",
                            "    - d/runtime/vimrc: \"syntax on\" is a sane default for non-tiny Vim.",
                            "  * New changes:",
                            "    - d/p/disable-test-term-gettty.patch: disable a test",
                            "      which was failing due to changes outside of vim (LP: #2142681)",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142221,
                            2142681
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Wed, 25 Feb 2026 07:34:15 -0800"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-25749",
                                "url": "https://ubuntu.com/security/CVE-2026-25749",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-06 23:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge upstream tag v9.1.2141",
                            "    + Security fixes",
                            "      - 9.1.2132: Fix buffer-overflow in 'helpfile' option handling,",
                            "        CVE-2026-25749",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Mon, 09 Feb 2026 07:06:42 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge upstream patch v9.1.2103",
                            "    + syntax/debcontrol.vim:",
                            "      - Only highlight email addresses in Maintainer / Uploaders fields",
                            "      - Add support for highlighting build profiles and architecture",
                            "        restrictions (Closes: #1124089)",
                            "  * Disable flaky Test_client_server_stopinsert test",
                            "  * Remove Rules-Requires-Root, since no is the default value",
                            "  * Remove Priority field, since optional is the default value",
                            "  * Declare compliance with Policy 4.7.3",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2103-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Fri, 23 Jan 2026 06:27:15 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-runtime",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.1882-1ubuntu2",
                    "version": "2:9.1.1882-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu2",
                    "version": "2:9.1.2141-1ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-26269",
                        "url": "https://ubuntu.com/security/CVE-2026-26269",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-13 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28420",
                        "url": "https://ubuntu.com/security/CVE-2026-28420",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28422",
                        "url": "https://ubuntu.com/security/CVE-2026-28422",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28417",
                        "url": "https://ubuntu.com/security/CVE-2026-28417",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28418",
                        "url": "https://ubuntu.com/security/CVE-2026-28418",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28419",
                        "url": "https://ubuntu.com/security/CVE-2026-28419",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28421",
                        "url": "https://ubuntu.com/security/CVE-2026-28421",
                        "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-25749",
                        "url": "https://ubuntu.com/security/CVE-2026-25749",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-06 23:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142221,
                    2142681
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26269",
                                "url": "https://ubuntu.com/security/CVE-2026-26269",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-13 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28420",
                                "url": "https://ubuntu.com/security/CVE-2026-28420",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28422",
                                "url": "https://ubuntu.com/security/CVE-2026-28422",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28417",
                                "url": "https://ubuntu.com/security/CVE-2026-28417",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28418",
                                "url": "https://ubuntu.com/security/CVE-2026-28418",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28419",
                                "url": "https://ubuntu.com/security/CVE-2026-28419",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28421",
                                "url": "https://ubuntu.com/security/CVE-2026-28421",
                                "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Buffer Overflow",
                            "    - debian/patches/CVE-2026-26269.patch: Limit writing to max KEYBUFLEN",
                            "      bytes to prevent writing out of bounds.",
                            "    - debian/patches/CVE-2026-28420.patch: Use VTERM_MAX_CHARS_PER_CELL * 4",
                            "      for ga_grow() to ensure sufficient space. Add a boundary check to the",
                            "      character loop to prevent index out-of-bounds access.",
                            "    - debian/patches/CVE-2026-28422.patch: Update the size check to account",
                            "      for the byte length of the fill character (using MB_CHAR2LEN).",
                            "    - CVE-2026-26269",
                            "    - CVE-2026-28420",
                            "    - CVE-2026-28422",
                            "  * SECURITY UPDATE: Command Injection",
                            "    - debian/patches/CVE-2026-28417.patch: Implement stricter RFC1123",
                            "      hostname and IP validation. Use shellescape() for the provided",
                            "      hostname and port.",
                            "    - debian/patches/fix-test_plugin_netrw-tests.patch: Add missing",
                            "      function TestNetrwCaptureRemotePath",
                            "    - CVE-2026-28417",
                            "  * SECURITY UPDATE: Out of Bounds Read",
                            "    - debian/patches/CVE-2026-28418.patch: Check for end of buffer",
                            "      and return early.",
                            "    - CVE-2026-28418",
                            "  * SECURITY UPDATE: Buffer Underflow",
                            "    - debian/patches/CVE-2026-28419.patch: Add a check to ensure the",
                            "      delimiter (p_7f) is not at the start of the buffer (lbuf) before",
                            "      attempting to isolate the tag name.",
                            "    - CVE-2026-28419",
                            "  * SECURITY UPDATE: Denial of Service",
                            "    - debian/patches/CVE-2026-28421.patch: Add bounds checks on",
                            "      pe_page_count and pe_bnum against mf_blocknr_max before descending",
                            "      into the block tree, and validate pe_old_lnum >= 1 and",
                            "      pe_line_count > 0 before calling readfile().",
                            "    - CVE-2026-28421",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Bruce Cable <bruce.cable@canonical.com>",
                        "date": "Tue, 10 Mar 2026 19:44:16 +1100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142221). Remaining changes:",
                            "    - d/p/0001-fix-flaky-terminal-mode-test.vim:",
                            "      Fix flaky Vim terminal mode test",
                            "    - d/p/0002-disable-failing-tests-on-ppc64.patch:",
                            "      Disable some tests that were failing during build on",
                            "      ppc64el. The tests are only disabled when building on ppc64el.",
                            "    - d/p/0003-skip-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - d/p/increase_timeout.diff: Increase timeout",
                            "      for the Test_pattern_compile_speed patch.",
                            "    - d/p/debian/ubuntu-grub-syntax.patch:",
                            "      Add Ubuntu-specific \"quiet\" keyword.",
                            "    - d/runtime/vimrc: \"syntax on\" is a sane default for non-tiny Vim.",
                            "  * New changes:",
                            "    - d/p/disable-test-term-gettty.patch: disable a test",
                            "      which was failing due to changes outside of vim (LP: #2142681)",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142221,
                            2142681
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Wed, 25 Feb 2026 07:34:15 -0800"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-25749",
                                "url": "https://ubuntu.com/security/CVE-2026-25749",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-06 23:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge upstream tag v9.1.2141",
                            "    + Security fixes",
                            "      - 9.1.2132: Fix buffer-overflow in 'helpfile' option handling,",
                            "        CVE-2026-25749",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Mon, 09 Feb 2026 07:06:42 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge upstream patch v9.1.2103",
                            "    + syntax/debcontrol.vim:",
                            "      - Only highlight email addresses in Maintainer / Uploaders fields",
                            "      - Add support for highlighting build profiles and architecture",
                            "        restrictions (Closes: #1124089)",
                            "  * Disable flaky Test_client_server_stopinsert test",
                            "  * Remove Rules-Requires-Root, since no is the default value",
                            "  * Remove Priority field, since optional is the default value",
                            "  * Declare compliance with Policy 4.7.3",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2103-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Fri, 23 Jan 2026 06:27:15 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-tiny",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.1882-1ubuntu2",
                    "version": "2:9.1.1882-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu2",
                    "version": "2:9.1.2141-1ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-26269",
                        "url": "https://ubuntu.com/security/CVE-2026-26269",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-13 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28420",
                        "url": "https://ubuntu.com/security/CVE-2026-28420",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28422",
                        "url": "https://ubuntu.com/security/CVE-2026-28422",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28417",
                        "url": "https://ubuntu.com/security/CVE-2026-28417",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28418",
                        "url": "https://ubuntu.com/security/CVE-2026-28418",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28419",
                        "url": "https://ubuntu.com/security/CVE-2026-28419",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28421",
                        "url": "https://ubuntu.com/security/CVE-2026-28421",
                        "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-25749",
                        "url": "https://ubuntu.com/security/CVE-2026-25749",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-06 23:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142221,
                    2142681
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26269",
                                "url": "https://ubuntu.com/security/CVE-2026-26269",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-13 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28420",
                                "url": "https://ubuntu.com/security/CVE-2026-28420",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28422",
                                "url": "https://ubuntu.com/security/CVE-2026-28422",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28417",
                                "url": "https://ubuntu.com/security/CVE-2026-28417",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28418",
                                "url": "https://ubuntu.com/security/CVE-2026-28418",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28419",
                                "url": "https://ubuntu.com/security/CVE-2026-28419",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28421",
                                "url": "https://ubuntu.com/security/CVE-2026-28421",
                                "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Buffer Overflow",
                            "    - debian/patches/CVE-2026-26269.patch: Limit writing to max KEYBUFLEN",
                            "      bytes to prevent writing out of bounds.",
                            "    - debian/patches/CVE-2026-28420.patch: Use VTERM_MAX_CHARS_PER_CELL * 4",
                            "      for ga_grow() to ensure sufficient space. Add a boundary check to the",
                            "      character loop to prevent index out-of-bounds access.",
                            "    - debian/patches/CVE-2026-28422.patch: Update the size check to account",
                            "      for the byte length of the fill character (using MB_CHAR2LEN).",
                            "    - CVE-2026-26269",
                            "    - CVE-2026-28420",
                            "    - CVE-2026-28422",
                            "  * SECURITY UPDATE: Command Injection",
                            "    - debian/patches/CVE-2026-28417.patch: Implement stricter RFC1123",
                            "      hostname and IP validation. Use shellescape() for the provided",
                            "      hostname and port.",
                            "    - debian/patches/fix-test_plugin_netrw-tests.patch: Add missing",
                            "      function TestNetrwCaptureRemotePath",
                            "    - CVE-2026-28417",
                            "  * SECURITY UPDATE: Out of Bounds Read",
                            "    - debian/patches/CVE-2026-28418.patch: Check for end of buffer",
                            "      and return early.",
                            "    - CVE-2026-28418",
                            "  * SECURITY UPDATE: Buffer Underflow",
                            "    - debian/patches/CVE-2026-28419.patch: Add a check to ensure the",
                            "      delimiter (p_7f) is not at the start of the buffer (lbuf) before",
                            "      attempting to isolate the tag name.",
                            "    - CVE-2026-28419",
                            "  * SECURITY UPDATE: Denial of Service",
                            "    - debian/patches/CVE-2026-28421.patch: Add bounds checks on",
                            "      pe_page_count and pe_bnum against mf_blocknr_max before descending",
                            "      into the block tree, and validate pe_old_lnum >= 1 and",
                            "      pe_line_count > 0 before calling readfile().",
                            "    - CVE-2026-28421",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Bruce Cable <bruce.cable@canonical.com>",
                        "date": "Tue, 10 Mar 2026 19:44:16 +1100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142221). Remaining changes:",
                            "    - d/p/0001-fix-flaky-terminal-mode-test.vim:",
                            "      Fix flaky Vim terminal mode test",
                            "    - d/p/0002-disable-failing-tests-on-ppc64.patch:",
                            "      Disable some tests that were failing during build on",
                            "      ppc64el. The tests are only disabled when building on ppc64el.",
                            "    - d/p/0003-skip-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - d/p/increase_timeout.diff: Increase timeout",
                            "      for the Test_pattern_compile_speed patch.",
                            "    - d/p/debian/ubuntu-grub-syntax.patch:",
                            "      Add Ubuntu-specific \"quiet\" keyword.",
                            "    - d/runtime/vimrc: \"syntax on\" is a sane default for non-tiny Vim.",
                            "  * New changes:",
                            "    - d/p/disable-test-term-gettty.patch: disable a test",
                            "      which was failing due to changes outside of vim (LP: #2142681)",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142221,
                            2142681
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Wed, 25 Feb 2026 07:34:15 -0800"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-25749",
                                "url": "https://ubuntu.com/security/CVE-2026-25749",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-06 23:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge upstream tag v9.1.2141",
                            "    + Security fixes",
                            "      - 9.1.2132: Fix buffer-overflow in 'helpfile' option handling,",
                            "        CVE-2026-25749",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Mon, 09 Feb 2026 07:06:42 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge upstream patch v9.1.2103",
                            "    + syntax/debcontrol.vim:",
                            "      - Only highlight email addresses in Maintainer / Uploaders fields",
                            "      - Add support for highlighting build profiles and architecture",
                            "        restrictions (Closes: #1124089)",
                            "  * Disable flaky Test_client_server_stopinsert test",
                            "  * Remove Rules-Requires-Root, since no is the default value",
                            "  * Remove Priority field, since optional is the default value",
                            "  * Declare compliance with Policy 4.7.3",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2103-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Fri, 23 Jan 2026 06:27:15 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "whiptail",
                "from_version": {
                    "source_package_name": "newt",
                    "source_package_version": "0.52.25-1ubuntu2",
                    "version": "0.52.25-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "newt",
                    "source_package_version": "0.52.25-1ubuntu3",
                    "version": "0.52.25-1ubuntu3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop Python 3.13 bits.",
                            ""
                        ],
                        "package": "newt",
                        "version": "0.52.25-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 20 Mar 2026 12:05:30 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "wireless-regdb",
                "from_version": {
                    "source_package_name": "wireless-regdb",
                    "source_package_version": "2025.10.07-0ubuntu1",
                    "version": "2025.10.07-0ubuntu1"
                },
                "to_version": {
                    "source_package_name": "wireless-regdb",
                    "source_package_version": "2026.02.04-0ubuntu1",
                    "version": "2026.02.04-0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144719
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 2026.02.04 (LP: #2144719)",
                            ""
                        ],
                        "package": "wireless-regdb",
                        "version": "2026.02.04-0ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144719
                        ],
                        "author": "Noah Wager <noah.wager@canonical.com>",
                        "date": "Wed, 18 Mar 2026 00:03:10 -0700"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xkb-data",
                "from_version": {
                    "source_package_name": "xkeyboard-config",
                    "source_package_version": "2.42-1ubuntu2",
                    "version": "2.42-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "xkeyboard-config",
                    "source_package_version": "2.46-2",
                    "version": "2.46-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Migrate /usr/lib/X11/xkb dir to symlink. (Closes: #1122650)",
                            ""
                        ],
                        "package": "xkeyboard-config",
                        "version": "2.46-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Timo Aaltonen <tjaalton@debian.org>",
                        "date": "Thu, 18 Dec 2025 15:35:35 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Dylan Aïssi ]",
                            "  * Team upload.",
                            "  * debian/copyright: Convert to machine-readable format",
                            "",
                            "  [ Timo Aaltonen ]",
                            "  * New upstream release.",
                            "  * rules: Drop obsolete xkb-base build-option.",
                            "  * watch: Updated to version 5.",
                            "  * source: Switch to format 3.0 (quilt).",
                            ""
                        ],
                        "package": "xkeyboard-config",
                        "version": "2.46-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Timo Aaltonen <tjaalton@debian.org>",
                        "date": "Thu, 11 Dec 2025 16:47:05 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release. (Closes: #1091993)",
                            "  * copyright: Fix a typo in the URL. (Closes: #1070293)",
                            "  * rules: Enable non-latin-layouts-list. (Closes: #1085452)",
                            "    - control: Add libxkbcommon-tools and python3-yaml to build-depends.",
                            "  * rules: Drop dh_clean override, unnecessary.",
                            ""
                        ],
                        "package": "xkeyboard-config",
                        "version": "2.44-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Timo Aaltonen <tjaalton@debian.org>",
                        "date": "Mon, 28 Jul 2025 17:41:00 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.1882-1ubuntu2",
                    "version": "2:9.1.1882-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu2",
                    "version": "2:9.1.2141-1ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-26269",
                        "url": "https://ubuntu.com/security/CVE-2026-26269",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-13 20:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28420",
                        "url": "https://ubuntu.com/security/CVE-2026-28420",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28422",
                        "url": "https://ubuntu.com/security/CVE-2026-28422",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28417",
                        "url": "https://ubuntu.com/security/CVE-2026-28417",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28418",
                        "url": "https://ubuntu.com/security/CVE-2026-28418",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28419",
                        "url": "https://ubuntu.com/security/CVE-2026-28419",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-28421",
                        "url": "https://ubuntu.com/security/CVE-2026-28421",
                        "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-27 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-25749",
                        "url": "https://ubuntu.com/security/CVE-2026-25749",
                        "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-02-06 23:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2142221,
                    2142681
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26269",
                                "url": "https://ubuntu.com/security/CVE-2026-26269",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-13 20:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28420",
                                "url": "https://ubuntu.com/security/CVE-2026-28420",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28422",
                                "url": "https://ubuntu.com/security/CVE-2026-28422",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28417",
                                "url": "https://ubuntu.com/security/CVE-2026-28417",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28418",
                                "url": "https://ubuntu.com/security/CVE-2026-28418",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28419",
                                "url": "https://ubuntu.com/security/CVE-2026-28419",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-28421",
                                "url": "https://ubuntu.com/security/CVE-2026-28421",
                                "cve_description": "Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-27 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Buffer Overflow",
                            "    - debian/patches/CVE-2026-26269.patch: Limit writing to max KEYBUFLEN",
                            "      bytes to prevent writing out of bounds.",
                            "    - debian/patches/CVE-2026-28420.patch: Use VTERM_MAX_CHARS_PER_CELL * 4",
                            "      for ga_grow() to ensure sufficient space. Add a boundary check to the",
                            "      character loop to prevent index out-of-bounds access.",
                            "    - debian/patches/CVE-2026-28422.patch: Update the size check to account",
                            "      for the byte length of the fill character (using MB_CHAR2LEN).",
                            "    - CVE-2026-26269",
                            "    - CVE-2026-28420",
                            "    - CVE-2026-28422",
                            "  * SECURITY UPDATE: Command Injection",
                            "    - debian/patches/CVE-2026-28417.patch: Implement stricter RFC1123",
                            "      hostname and IP validation. Use shellescape() for the provided",
                            "      hostname and port.",
                            "    - debian/patches/fix-test_plugin_netrw-tests.patch: Add missing",
                            "      function TestNetrwCaptureRemotePath",
                            "    - CVE-2026-28417",
                            "  * SECURITY UPDATE: Out of Bounds Read",
                            "    - debian/patches/CVE-2026-28418.patch: Check for end of buffer",
                            "      and return early.",
                            "    - CVE-2026-28418",
                            "  * SECURITY UPDATE: Buffer Underflow",
                            "    - debian/patches/CVE-2026-28419.patch: Add a check to ensure the",
                            "      delimiter (p_7f) is not at the start of the buffer (lbuf) before",
                            "      attempting to isolate the tag name.",
                            "    - CVE-2026-28419",
                            "  * SECURITY UPDATE: Denial of Service",
                            "    - debian/patches/CVE-2026-28421.patch: Add bounds checks on",
                            "      pe_page_count and pe_bnum against mf_blocknr_max before descending",
                            "      into the block tree, and validate pe_old_lnum >= 1 and",
                            "      pe_line_count > 0 before calling readfile().",
                            "    - CVE-2026-28421",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Bruce Cable <bruce.cable@canonical.com>",
                        "date": "Tue, 10 Mar 2026 19:44:16 +1100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2142221). Remaining changes:",
                            "    - d/p/0001-fix-flaky-terminal-mode-test.vim:",
                            "      Fix flaky Vim terminal mode test",
                            "    - d/p/0002-disable-failing-tests-on-ppc64.patch:",
                            "      Disable some tests that were failing during build on",
                            "      ppc64el. The tests are only disabled when building on ppc64el.",
                            "    - d/p/0003-skip-test-failing-on-s390x-only.patch:",
                            "      Skip tests failing on s390x",
                            "    - d/p/increase_timeout.diff: Increase timeout",
                            "      for the Test_pattern_compile_speed patch.",
                            "    - d/p/debian/ubuntu-grub-syntax.patch:",
                            "      Add Ubuntu-specific \"quiet\" keyword.",
                            "    - d/runtime/vimrc: \"syntax on\" is a sane default for non-tiny Vim.",
                            "  * New changes:",
                            "    - d/p/disable-test-term-gettty.patch: disable a test",
                            "      which was failing due to changes outside of vim (LP: #2142681)",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142221,
                            2142681
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Wed, 25 Feb 2026 07:34:15 -0800"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-25749",
                                "url": "https://ubuntu.com/security/CVE-2026-25749",
                                "cve_description": "Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-02-06 23:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Merge upstream tag v9.1.2141",
                            "    + Security fixes",
                            "      - 9.1.2132: Fix buffer-overflow in 'helpfile' option handling,",
                            "        CVE-2026-25749",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Mon, 09 Feb 2026 07:06:42 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge upstream patch v9.1.2103",
                            "    + syntax/debcontrol.vim:",
                            "      - Only highlight email addresses in Maintainer / Uploaders fields",
                            "      - Add support for highlighting build profiles and architecture",
                            "        restrictions (Closes: #1124089)",
                            "  * Disable flaky Test_client_server_stopinsert test",
                            "  * Remove Rules-Requires-Root, since no is the default value",
                            "  * Remove Priority field, since optional is the default value",
                            "  * Declare compliance with Policy 4.7.3",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2103-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "James McCoy <jamessan@debian.org>",
                        "date": "Fri, 23 Jan 2026 06:27:15 -0500"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "binutils",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "binutils",
                    "source_package_version": "2.46-3ubuntu2",
                    "version": "2.46-3ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild for glibc 2.46.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 15 Mar 2026 02:33:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Build from upstream sources.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 05 Mar 2026 12:26:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix PR demangler/106641, taken from the trunk.",
                            "  * Drop build dependency on quilt. Closes: #1129263.",
                            "  * Update libgprofng symbols file.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Thu, 05 Mar 2026 12:22:39 +0100"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "binutils-arm-linux-gnueabihf",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "binutils",
                    "source_package_version": "2.46-3ubuntu2",
                    "version": "2.46-3ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild for glibc 2.46.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 15 Mar 2026 02:33:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Build from upstream sources.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 05 Mar 2026 12:26:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix PR demangler/106641, taken from the trunk.",
                            "  * Drop build dependency on quilt. Closes: #1129263.",
                            "  * Update libgprofng symbols file.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Thu, 05 Mar 2026 12:22:39 +0100"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "binutils-common:armhf",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "binutils",
                    "source_package_version": "2.46-3ubuntu2",
                    "version": "2.46-3ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild for glibc 2.46.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 15 Mar 2026 02:33:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Build from upstream sources.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 05 Mar 2026 12:26:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix PR demangler/106641, taken from the trunk.",
                            "  * Drop build dependency on quilt. Closes: #1129263.",
                            "  * Update libgprofng symbols file.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Thu, 05 Mar 2026 12:22:39 +0100"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "bpftrace",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "bpftrace",
                    "source_package_version": "0.25.0-1ubuntu1",
                    "version": "0.25.0-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Enable the testsuite (LP #2052809)",
                            "      The testsuite is only enabled for autopkgtest, not at build time.",
                            "      This adds one build dependency: pahole, needed to build the tests.",
                            "    - Add symbol dumps for bpftrace and bpftrace-aotrt",
                            "      + d/helpers/dump_debug_symbols.sh: a shell script",
                            "        to be used in d/rules to dump the debug symbols of bpftrace",
                            "        and bpftrace-aotrt.",
                            "      + d/rules: uses the shell script created by the above patch to",
                            "        dump the debug symbols, which was not happening earlier due to",
                            "        exclusion from dh_strip and custom strip commands.",
                            "      (LP #2069953)",
                            "    - debian/patches/disable-armhf.patch:",
                            "      Comment out some tests failing to build on armhf",
                            "    - debian/patches/disable_failing_tests.patch",
                            "      debian/tests/control",
                            "      Disable some failing tests to have the whole testsuite passing.",
                            "    - d/control: Build-Depends: bpftool (LP #2139018)",
                            ""
                        ],
                        "package": "bpftrace",
                        "version": "0.25.0-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 15 Mar 2026 17:32:29 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * d/patches: remove patches applied upstream.",
                            "  * d/rules: use system libbpf.",
                            ""
                        ],
                        "package": "bpftrace",
                        "version": "0.25.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Vincent Bernat <bernat@debian.org>",
                        "date": "Sun, 15 Mar 2026 00:19:50 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/helpers: make dump_debug_symbols.sh executable again",
                            ""
                        ],
                        "package": "bpftrace",
                        "version": "0.24.1-1.1ubuntu3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Thu, 26 Feb 2026 12:57:50 -0500"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "dracut",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "dracut",
                    "source_package_version": "110-7",
                    "version": "110-7"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143264,
                    2143030
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * correct fix(base): move initrd.target.wants symlink creation to wait_for_dev",
                            "    (Closes: #1131416)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "110-7",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Sat, 21 Mar 2026 21:55:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick upstream commits:",
                            "    - fix(crypt): use -d instead of -f to check for $NEWROOT/proc directory",
                            "    - feat(overlayfs): support tmpfs size parameter in rd.overlay",
                            "    - fix(systemd-networkd): create /run/systemd/network if missing",
                            "    - test(SYSTEMD-INITRD): increase device timeout to infinity",
                            "  * fix(base): move initrd.target.wants symlink creation to wait_for_dev",
                            "  * fix(crypt): use systemd generator for setting the timeout (LP: #2143264)",
                            "  * fix(kernel-modules): install mmc drivers on all architectures (LP: #2143030)",
                            "  * autopkgtest:",
                            "    - double timeout to 20 min for arm64",
                            "    - skip slow 31-livenet and 45-systemd-import on riscv64",
                            "    - skip 50-network on riscv64 due to systemd-networkd-wait-online timeout",
                            ""
                        ],
                        "package": "dracut",
                        "version": "110-6",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2143264,
                            2143030
                        ],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Thu, 19 Mar 2026 23:19:30 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * fix(crypt): honor timeout setting when using UUID, LABEL, etc",
                            "  * autopkgtest:",
                            "    - increase timeout to 30 min for riscv64",
                            "    - skip time-consuming tests on riscv64",
                            "  * dracut-core: Declare breaking rust-coreutils before version 0.5.0",
                            "  * dracut-network: demote nbd-client, nfs-common, open-iscsi to suggests",
                            ""
                        ],
                        "package": "dracut",
                        "version": "110-5",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Fri, 13 Mar 2026 15:57:36 +0100"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "dracut-core",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "dracut",
                    "source_package_version": "110-7",
                    "version": "110-7"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143264,
                    2143030
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * correct fix(base): move initrd.target.wants symlink creation to wait_for_dev",
                            "    (Closes: #1131416)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "110-7",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Sat, 21 Mar 2026 21:55:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick upstream commits:",
                            "    - fix(crypt): use -d instead of -f to check for $NEWROOT/proc directory",
                            "    - feat(overlayfs): support tmpfs size parameter in rd.overlay",
                            "    - fix(systemd-networkd): create /run/systemd/network if missing",
                            "    - test(SYSTEMD-INITRD): increase device timeout to infinity",
                            "  * fix(base): move initrd.target.wants symlink creation to wait_for_dev",
                            "  * fix(crypt): use systemd generator for setting the timeout (LP: #2143264)",
                            "  * fix(kernel-modules): install mmc drivers on all architectures (LP: #2143030)",
                            "  * autopkgtest:",
                            "    - double timeout to 20 min for arm64",
                            "    - skip slow 31-livenet and 45-systemd-import on riscv64",
                            "    - skip 50-network on riscv64 due to systemd-networkd-wait-online timeout",
                            ""
                        ],
                        "package": "dracut",
                        "version": "110-6",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2143264,
                            2143030
                        ],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Thu, 19 Mar 2026 23:19:30 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * fix(crypt): honor timeout setting when using UUID, LABEL, etc",
                            "  * autopkgtest:",
                            "    - increase timeout to 30 min for riscv64",
                            "    - skip time-consuming tests on riscv64",
                            "  * dracut-core: Declare breaking rust-coreutils before version 0.5.0",
                            "  * dracut-network: demote nbd-client, nfs-common, open-iscsi to suggests",
                            ""
                        ],
                        "package": "dracut",
                        "version": "110-5",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Fri, 13 Mar 2026 15:57:36 +0100"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "dracut-network",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "dracut",
                    "source_package_version": "110-7",
                    "version": "110-7"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143264,
                    2143030
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * correct fix(base): move initrd.target.wants symlink creation to wait_for_dev",
                            "    (Closes: #1131416)",
                            ""
                        ],
                        "package": "dracut",
                        "version": "110-7",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Sat, 21 Mar 2026 21:55:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick upstream commits:",
                            "    - fix(crypt): use -d instead of -f to check for $NEWROOT/proc directory",
                            "    - feat(overlayfs): support tmpfs size parameter in rd.overlay",
                            "    - fix(systemd-networkd): create /run/systemd/network if missing",
                            "    - test(SYSTEMD-INITRD): increase device timeout to infinity",
                            "  * fix(base): move initrd.target.wants symlink creation to wait_for_dev",
                            "  * fix(crypt): use systemd generator for setting the timeout (LP: #2143264)",
                            "  * fix(kernel-modules): install mmc drivers on all architectures (LP: #2143030)",
                            "  * autopkgtest:",
                            "    - double timeout to 20 min for arm64",
                            "    - skip slow 31-livenet and 45-systemd-import on riscv64",
                            "    - skip 50-network on riscv64 due to systemd-networkd-wait-online timeout",
                            ""
                        ],
                        "package": "dracut",
                        "version": "110-6",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2143264,
                            2143030
                        ],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Thu, 19 Mar 2026 23:19:30 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * fix(crypt): honor timeout setting when using UUID, LABEL, etc",
                            "  * autopkgtest:",
                            "    - increase timeout to 30 min for riscv64",
                            "    - skip time-consuming tests on riscv64",
                            "  * dracut-core: Declare breaking rust-coreutils before version 0.5.0",
                            "  * dracut-network: demote nbd-client, nfs-common, open-iscsi to suggests",
                            ""
                        ],
                        "package": "dracut",
                        "version": "110-5",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Fri, 13 Mar 2026 15:57:36 +0100"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "libbinutils:armhf",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "binutils",
                    "source_package_version": "2.46-3ubuntu2",
                    "version": "2.46-3ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild for glibc 2.46.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 15 Mar 2026 02:33:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Build from upstream sources.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 05 Mar 2026 12:26:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix PR demangler/106641, taken from the trunk.",
                            "  * Drop build dependency on quilt. Closes: #1129263.",
                            "  * Update libgprofng symbols file.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Thu, 05 Mar 2026 12:22:39 +0100"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "libc-dev-bin",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.43-2ubuntu1",
                    "version": "2.43-2ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143767,
                    2138256,
                    2142067
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian experimental (LP: #2143767)",
                            "    Delta dropped:",
                            "    - Don't strip ld.so on armhf. LP #1927192.",
                            "    - Enable systemtap support, which is currently disabled in Debian.",
                            "    - Fix gconv regression on i386",
                            "    - Stop building with --enable-sframe for now.",
                            "    - s390x: drop the 32-bit multi-arch variant (LP #2067350)",
                            "  * Fixed upstream:",
                            "    - NPTL: Optimize trylock for high cache contention workloads (LP: #2138256) ",
                            "  * Update from upstream:",
                            "    - Don't include <bits/openat2.h> directly",
                            "    - po: Incorporate translations (nl updated, ar new)",
                            "  * d/watch: modernize watchfile delta to v5",
                            "  * Fix broken ldconfig, static-pie binary on riscv64",
                            "    Revert RVV memset variant patch. (LP: #2142067)",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143767,
                            2138256,
                            2142067
                        ],
                        "author": "Simon Poirier <simon.poirier@canonical.com>",
                        "date": "Tue, 17 Feb 2026 16:52:35 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/testsuite-xfail-debian.mk: Update hurd results.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-2",
                        "urgency": "medium",
                        "distributions": "UNRELEASED",
                        "launchpad_bugs_fixed": [],
                        "author": "Samuel Thibault <sthibault@debian.org>",
                        "date": "Fri, 30 Jan 2026 01:41:14 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * New upstream release:",
                            "    - debian/copyright: update following upstream changes.",
                            "    - debian/symbols.wildcards: add 2.43.",
                            "    - debian/patches/git-updates.diff: update from upstream stable branch.",
                            "    - debian/patches/hurd-i386/local-enable-ldconfig.diff: rebased.",
                            "    - debian/patches/hurd-i386/git-sigreturn-SEGV.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-rlimit-as.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-run-iconv-test.sh.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-elf-ordering.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-rename.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-signal-SSE-MMX.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-sigreturn-xmm.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-cancel-stack.diff: upstreamed.",
                            "    - debian/patches/i386/unsubmitted-quiet-ldconfig.diff: rebased.",
                            "    - debian/patches/any/local-asserth-decls.diff: rebased.",
                            "    - debian/patches/any/local-tcsetaddr.diff: rebased.",
                            "    - debian/patches/any/submitted-nptl-invalid-td.patch: drop, obsolete.",
                            "    - debian/patches/any/git-ldd-set-u.diff: upstreamed.",
                            "    - debian/patches/any/git-linux-termios.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/submitted-net.diff: rebased.",
                            "    - debian/patches/hurd-i386/tg-bits_atomic.h_multiple_threads.diff: drop,",
                            "      obsolete.",
                            "    - debian/patches/hurd-i386/local-clock_gettime_MONOTONIC.diff: rebased.",
                            "    - debian/patches/hurd-i386/local-fix-nss.diff: rebased.",
                            "    - debian/libc0.3.symbols.hurd-i386: update following the move of symbols",
                            "      from libpthread.so.0.3 to libc.so.0.3.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Wed, 28 Jan 2026 22:35:15 +0100"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "libc6-dev:armhf",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.43-2ubuntu1",
                    "version": "2.43-2ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2143767,
                    2138256,
                    2142067
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian experimental (LP: #2143767)",
                            "    Delta dropped:",
                            "    - Don't strip ld.so on armhf. LP #1927192.",
                            "    - Enable systemtap support, which is currently disabled in Debian.",
                            "    - Fix gconv regression on i386",
                            "    - Stop building with --enable-sframe for now.",
                            "    - s390x: drop the 32-bit multi-arch variant (LP #2067350)",
                            "  * Fixed upstream:",
                            "    - NPTL: Optimize trylock for high cache contention workloads (LP: #2138256) ",
                            "  * Update from upstream:",
                            "    - Don't include <bits/openat2.h> directly",
                            "    - po: Incorporate translations (nl updated, ar new)",
                            "  * d/watch: modernize watchfile delta to v5",
                            "  * Fix broken ldconfig, static-pie binary on riscv64",
                            "    Revert RVV memset variant patch. (LP: #2142067)",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143767,
                            2138256,
                            2142067
                        ],
                        "author": "Simon Poirier <simon.poirier@canonical.com>",
                        "date": "Tue, 17 Feb 2026 16:52:35 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/testsuite-xfail-debian.mk: Update hurd results.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-2",
                        "urgency": "medium",
                        "distributions": "UNRELEASED",
                        "launchpad_bugs_fixed": [],
                        "author": "Samuel Thibault <sthibault@debian.org>",
                        "date": "Fri, 30 Jan 2026 01:41:14 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * New upstream release:",
                            "    - debian/copyright: update following upstream changes.",
                            "    - debian/symbols.wildcards: add 2.43.",
                            "    - debian/patches/git-updates.diff: update from upstream stable branch.",
                            "    - debian/patches/hurd-i386/local-enable-ldconfig.diff: rebased.",
                            "    - debian/patches/hurd-i386/git-sigreturn-SEGV.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-rlimit-as.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-run-iconv-test.sh.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-elf-ordering.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-rename.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-signal-SSE-MMX.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-sigreturn-xmm.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/git-cancel-stack.diff: upstreamed.",
                            "    - debian/patches/i386/unsubmitted-quiet-ldconfig.diff: rebased.",
                            "    - debian/patches/any/local-asserth-decls.diff: rebased.",
                            "    - debian/patches/any/local-tcsetaddr.diff: rebased.",
                            "    - debian/patches/any/submitted-nptl-invalid-td.patch: drop, obsolete.",
                            "    - debian/patches/any/git-ldd-set-u.diff: upstreamed.",
                            "    - debian/patches/any/git-linux-termios.diff: upstreamed.",
                            "    - debian/patches/hurd-i386/submitted-net.diff: rebased.",
                            "    - debian/patches/hurd-i386/tg-bits_atomic.h_multiple_threads.diff: drop,",
                            "      obsolete.",
                            "    - debian/patches/hurd-i386/local-clock_gettime_MONOTONIC.diff: rebased.",
                            "    - debian/patches/hurd-i386/local-fix-nss.diff: rebased.",
                            "    - debian/libc0.3.symbols.hurd-i386: update following the move of symbols",
                            "      from libpthread.so.0.3 to libc.so.0.3.",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.43-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Wed, 28 Jan 2026 22:35:15 +0100"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "libclang1-21",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "llvm-toolchain-21",
                    "source_package_version": "1:21.1.8-4ubuntu2",
                    "version": "1:21.1.8-4ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Regenerate the control file.",
                            "    - Use RVA23U64 profile in clang (LP #2116086).",
                            "    - d/rules: Remove i386 from CLANG_GRPC_ARCHS (not built on i386).",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-4ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 27 Feb 2026 21:51:56 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Matthias Klose ]",
                            "  * d/rules: Fix self-referencing macro.",
                            "  * Stop building packages now built by LLVM 22.",
                            "  * d/rules: Don't use lld for backport build, when not available.",
                            "  * d/rules: Add safety check for enablement of the RVA23 baseline.",
                            "  * d/rules: Only disable Z3 support for Ubuntu when it is in main.",
                            "  * Install a lit binary. Closes: #1122910.",
                            "  * llvm-tools: Don't install the lit tests. Closes: #1122909.",
                            "",
                            "  [ Sylvestre Ledru ]",
                            "  * Fix autopkgtest failure with CMake 4. thanks to Adrian Bunk",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Fri, 27 Feb 2026 17:29:38 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Regenerate the control file.",
                            "    - Use RVA23U64 profile in clang (LP #2116086).",
                            "    - d/rules: Remove i386 from CLANG_GRPC_ARCHS (not built on i386).",
                            "  * Stop building packages now built from LLVM 22.",
                            ""
                        ],
                        "package": "llvm-toolchain-21",
                        "version": "1:21.1.8-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 05 Feb 2026 11:23:42 +0100"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "libctf-nobfd0:armhf",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "binutils",
                    "source_package_version": "2.46-3ubuntu2",
                    "version": "2.46-3ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild for glibc 2.46.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 15 Mar 2026 02:33:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Build from upstream sources.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 05 Mar 2026 12:26:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix PR demangler/106641, taken from the trunk.",
                            "  * Drop build dependency on quilt. Closes: #1129263.",
                            "  * Update libgprofng symbols file.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Thu, 05 Mar 2026 12:22:39 +0100"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "libctf0:armhf",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "binutils",
                    "source_package_version": "2.46-3ubuntu2",
                    "version": "2.46-3ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild for glibc 2.46.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 15 Mar 2026 02:33:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Build from upstream sources.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 05 Mar 2026 12:26:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix PR demangler/106641, taken from the trunk.",
                            "  * Drop build dependency on quilt. Closes: #1129263.",
                            "  * Update libgprofng symbols file.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Thu, 05 Mar 2026 12:22:39 +0100"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "libdw1t64:armhf",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "elfutils",
                    "source_package_version": "0.194-4",
                    "version": "0.194-4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144516
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Apply two more patches from the trunk:",
                            "    - Fix const-correctness issues.",
                            "    - libdwfl: Work around ET_REL files with sh_addr fields set to",
                            "      non-zero.",
                            ""
                        ],
                        "package": "elfutils",
                        "version": "0.194-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Tue, 17 Mar 2026 15:25:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Sergio Durigan Junior ]",
                            "  * d/libdebuginfod-common.postinst: Remove readonly usage when declaring",
                            "    local variables. (LP: #2144516)",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Fix PR dwz/33391, trunk: aarch64: Recognize SHT_AARCH64_ATTRIBUTES.",
                            ""
                        ],
                        "package": "elfutils",
                        "version": "0.194-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2144516
                        ],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Tue, 17 Mar 2026 07:31:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Mark Wielaard ]",
                            "  * d/p/elfutils-0.194-alloc-jobs.patch: Patch for upstream bug 33580.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Update symbols file syntax.",
                            "  * Bump standards version.",
                            "  * Drop build dependency on gcc-multilib. Closes: #1107128.",
                            "  * Drop bashism from debian/libdebuginfod-common.postinst (Nobuhiro Iwamatsu).",
                            "    Closes: #1105011.",
                            ""
                        ],
                        "package": "elfutils",
                        "version": "0.194-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sun, 15 Mar 2026 10:41:13 +0100"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "libgpgme45:armhf",
                "from_version": {
                    "source_package_name": "gpgme1.0",
                    "source_package_version": "1.24.2-3ubuntu2",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "gpgme1.0",
                    "source_package_version": "2.0.1-2build1",
                    "version": "2.0.1-2build1"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-3094",
                        "url": "https://ubuntu.com/security/CVE-2024-3094",
                        "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.  Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.",
                        "cve_priority": "critical",
                        "cve_public_date": "2024-03-29 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2112007,
                    1872474,
                    1872474,
                    1872474,
                    1872474,
                    1872474,
                    1872474,
                    1872474,
                    1808109,
                    1762384,
                    1647204,
                    1647204
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild with Python 3.14 as supported version",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.24.2-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Graham Inggs <ginggs@ubuntu.com>",
                        "date": "Sat, 18 Oct 2025 13:19:01 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2112007). Remaining changes:",
                            "    - d/rules: drop qt6 dependencies on i386",
                            "  * Dropped changes, as they are no longer needed:",
                            "    - d/rules: ignore test results for a first build (armhf, i386)",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.24.2-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2112007
                        ],
                        "author": "Ural Tunaboyu <ural.tunaboyu@canonical.com>",
                        "date": "Fri, 13 Jun 2025 14:32:24 -0700"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild with Python 3.13 only",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.24.2-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Graham Inggs <ginggs@ubuntu.com>",
                        "date": "Tue, 04 Mar 2025 19:54:37 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - drop qt6 dependencies on i386",
                            "    - Ignore test results for a first build (armhf, i386).",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.24.2-1ubuntu1",
                        "urgency": "low",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Mon, 17 Feb 2025 15:36:03 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - drop qt6 dependencies on i386",
                            "    - Ignore test results for a first build (armhf, i386).",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.24.1-4ubuntu1",
                        "urgency": "low",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Thu, 06 Feb 2025 14:45:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - drop qt6 dependencies on i386",
                            "    - Ignore test results for a first build (armhf, i386).",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.24.1-3ubuntu1",
                        "urgency": "low",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Mon, 03 Feb 2025 10:17:08 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - drop qt6 dependencies on i386",
                            "    - Ignore test results for a first build (armhf, i386).",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.24.1-2ubuntu1",
                        "urgency": "low",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Tue, 24 Dec 2024 15:48:06 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - drop qt6 dependencies on i386",
                            "    - Ignore test results for a first build (armhf, i386).",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.24.0-2ubuntu1",
                        "urgency": "low",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Thu, 14 Nov 2024 13:15:31 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - drop qt6 dependencies on i386",
                            "    - Ignore test results for a first build (armhf, i386).",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.23.2-5ubuntu4",
                        "urgency": "low",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Wed, 30 Oct 2024 09:58:49 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-3094",
                                "url": "https://ubuntu.com/security/CVE-2024-3094",
                                "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.  Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.",
                                "cve_priority": "critical",
                                "cve_public_date": "2024-03-29 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * No-change rebuild for CVE-2024-3094",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.18.0-4.1ubuntu4",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Steve Langasek <steve.langasek@ubuntu.com>",
                        "date": "Sun, 31 Mar 2024 01:14:47 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild against libqt5core5t64",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.18.0-4.1ubuntu3",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Steve Langasek <steve.langasek@ubuntu.com>",
                        "date": "Fri, 15 Mar 2024 04:30:58 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Ignore test results for a first build (armhf, i386).",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.18.0-4.1ubuntu2",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Tue, 12 Mar 2024 17:00:23 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Enable gpgme-json LP #1872474",
                            "    - Add integration with Google Chrome.",
                            "    - Reinstate build-dependency on dh-exec",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.18.0-4.1ubuntu1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 07 Mar 2024 11:13:09 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Enable gpgme-json LP: #1872474",
                            "    - Add integration with Google Chrome.",
                            "    - Reinstate build-dependency on dh-exec",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.18.0-4ubuntu1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            1872474
                        ],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Tue, 07 Nov 2023 09:21:11 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Enable gpgme-json LP: #1872474",
                            "    - Add integration with Google Chrome.",
                            "    - Reinstate build-dependency on dh-exec",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.18.0-3ubuntu1",
                        "urgency": "low",
                        "distributions": "lunar",
                        "launchpad_bugs_fixed": [
                            1872474
                        ],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Wed, 23 Nov 2022 14:51:00 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Enable gpgme-json LP: #1872474",
                            "    - Add integration with Google Chrome.",
                            "    - Reinstate build-dependency on dh-exec",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.17.1-4.1ubuntu1",
                        "urgency": "low",
                        "distributions": "kinetic",
                        "launchpad_bugs_fixed": [
                            1872474
                        ],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Mon, 12 Sep 2022 14:04:44 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Enable gpgme-json LP: #1872474",
                            "    - Add integration with Google Chrome.",
                            "    - Reinstate build-dependency on dh-exec",
                            "    - 0007-lang-python-tests-Fix-FTBFS-caused-by-missing-PYTHON.patch",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.17.1-4ubuntu1",
                        "urgency": "low",
                        "distributions": "kinetic",
                        "launchpad_bugs_fixed": [
                            1872474
                        ],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Mon, 25 Jul 2022 11:12:29 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/patches:",
                            "    + 0007-lang-python-tests-Fix-FTBFS-caused-by-missing-PYTHON.patch",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.16.0-1.2ubuntu4",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Alexandre Ghiti <alexandre.ghiti@canonical.com>",
                        "date": "Thu, 31 Mar 2022 13:59:19 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild with Python 3.10 only.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.16.0-1.2ubuntu3",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 17 Mar 2022 15:06:25 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Comment out 0006-PIC-and-shared.patch, not needed anymore.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.16.0-1.2ubuntu2",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Thu, 27 Jan 2022 10:53:06 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable, remaining changes:",
                            "    + debian/patches/0006-PIC-and-shared.patch: Libs are -fPIC and -shared.",
                            "      (Closes: #870383)",
                            "    + Enable gpgme-json LP: #1872474",
                            "    + Add integration with Google Chrome.",
                            "    + d/patches/0001-core-Support-closefrom-also-for-glibc.patch: backport",
                            "      support for using closefrom from glibc.",
                            "  * Reinstate build-dependency on dh-exec",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.16.0-1.2ubuntu1",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [
                            1872474
                        ],
                        "author": "Graham Inggs <ginggs@ubuntu.com>",
                        "date": "Fri, 10 Dec 2021 12:38:30 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild with fixed py3versions",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.14.0-1ubuntu6",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Graham Inggs <ginggs@ubuntu.com>",
                        "date": "Sat, 06 Nov 2021 08:28:18 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to add python3.10.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.14.0-1ubuntu5",
                        "urgency": "medium",
                        "distributions": "jammy",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sat, 16 Oct 2021 06:56:23 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/patches/0001-core-Support-closefrom-also-for-glibc.patch: backport",
                            "    support for using closefrom from glibc.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.14.0-1ubuntu4",
                        "urgency": "medium",
                        "distributions": "impish",
                        "launchpad_bugs_fixed": [],
                        "author": "Michael Hudson-Doyle <michael.hudson@ubuntu.com>",
                        "date": "Tue, 10 Aug 2021 16:36:16 +1200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop python3.8 extensions.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.14.0-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "hirsute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Mon, 07 Dec 2020 18:45:47 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to build with python3.9 as supported",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.14.0-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "hirsute",
                        "launchpad_bugs_fixed": [],
                        "author": "Steve Langasek <steve.langasek@ubuntu.com>",
                        "date": "Tue, 27 Oct 2020 18:32:15 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable.  Remaining changes:",
                            "    - debian/patches/0006-PIC-and-shared.patch: Libs are -fPIC and -shared.",
                            "      (Closes: #870383)",
                            "    - Enable gpgme-json LP: #1872474",
                            "    - Add integration with Google Chrome.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.14.0-1ubuntu1",
                        "urgency": "low",
                        "distributions": "groovy",
                        "launchpad_bugs_fixed": [
                            1872474
                        ],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Tue, 11 Aug 2020 12:32:10 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Enable gpgme-json LP: #1872474",
                            "  * Add integration with Google Chrome.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.13.1-9ubuntu2",
                        "urgency": "medium",
                        "distributions": "groovy",
                        "launchpad_bugs_fixed": [
                            1872474
                        ],
                        "author": "Dimitri John Ledkov <xnox@ubuntu.com>",
                        "date": "Sat, 18 Jul 2020 21:46:38 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable.  Remaining changes:",
                            "    - debian/patches/0006-PIC-and-shared.patch: Libs are -fPIC and -shared.",
                            "      (Closes: #870383)",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.13.1-9ubuntu1",
                        "urgency": "low",
                        "distributions": "groovy",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Thu, 02 Jul 2020 14:47:27 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix test sadness on 32bit systems due to bad bash syntax.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.13.1-8ubuntu2",
                        "urgency": "medium",
                        "distributions": "groovy",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Fri, 26 Jun 2020 23:44:40 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable.  Remaining changes:",
                            "    - debian/patches/0006-PIC-and-shared.patch: Libs are -fPIC and -shared.",
                            "      (Closes: #870383)",
                            "  * Drop changes, not useful anymore, since kf5-kdepim-apps-libs seems to be",
                            "    not using that link anymore:",
                            "    - Add in libgpgme-dev a libgpgme-pthread.so pointing to libgpgme.so, this",
                            "      will fix the build failures of kf5-kdepim-apps-libs when built against",
                            "      this gpgme package.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.13.1-8ubuntu1",
                        "urgency": "low",
                        "distributions": "groovy",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Fri, 26 Jun 2020 10:16:00 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Don't fail a test that is supposed to fail on 32bit systems",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.13.1-7ubuntu2",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Thu, 12 Mar 2020 17:52:51 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable.  Remaining changes:",
                            "    - debian/patches/0006-PIC-and-shared.patch: Libs are -fPIC and -shared.",
                            "    - Add in libgpgme-dev a libgpgme-pthread.so pointing to libgpgme.so, this",
                            "      will fix the build failures of kf5-kdepim-apps-libs when built against",
                            "      this gpgme package.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.13.1-7ubuntu1",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Mon, 09 Mar 2020 21:24:25 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to drop python3.7.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.13.1-6ubuntu2",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Tue, 18 Feb 2020 10:32:46 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable.  Remaining changes:",
                            "    - debian/patches/0006-PIC-and-shared.patch: Libs are -fPIC and -shared.",
                            "    - Add in libgpgme-dev a libgpgme-pthread.so pointing to libgpgme.so, this",
                            "      will fix the build failures of kf5-kdepim-apps-libs when built against",
                            "      this gpgme package.",
                            "  * Dropped changes, no longer needed:",
                            "    - Bump libgpg-error-dev build dependency to 1.28 for new gpgrt API",
                            "    - debian/patch/0007-Python-Versions.patch: won't work now that python2",
                            "      support is dropped, and doesn't appear to be needed.",
                            "  * Dropped changes, superseded in Debian:",
                            "    - Update test dependency for python->python2 move",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.13.1-6ubuntu1",
                        "urgency": "low",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [],
                        "author": "Steve Langasek <steve.langasek@ubuntu.com>",
                        "date": "Thu, 13 Feb 2020 16:43:13 -0800"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update test dependency for python->python2 move",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.12.0-6ubuntu3",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Thu, 24 Oct 2019 11:31:47 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to build with python3.8.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.12.0-6ubuntu2",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Fri, 18 Oct 2019 18:07:19 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable.  Remaining changes:",
                            "    - debian/patch/0007-Python-Versions.patch: Use py{,3}versions detection.",
                            "    - debian/patches/0006-PIC-and-shared.patch: Libs are -fPIC and -shared.",
                            "    - Add in libgpgme-dev a libgpgme-pthread.so pointing to libgpgme.so, this",
                            "      will fix the build failures of kf5-kdepim-apps-libs when built against this",
                            "      gpgme package.",
                            "    - Bump libgpg-error-dev build dependency to 1.28 for new gpgrt API",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.12.0-6ubuntu1",
                        "urgency": "low",
                        "distributions": "eoan",
                        "launchpad_bugs_fixed": [],
                        "author": "Julian Andres Klode <juliank@ubuntu.com>",
                        "date": "Tue, 23 Apr 2019 10:05:42 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable (LP: #1808109).  Remaining changes:",
                            "    - debian/patch/0007-Python-Versions.patch: Use py{,3}versions detection.",
                            "    - debian/patches/0006-PIC-and-shared.patch: Libs are -fPIC and -shared.",
                            "    - Add in libgpgme-dev a libgpgme-pthread.so pointing to libgpgme.so, this",
                            "      will fix the build failures of kf5-kdepim-apps-libs when built against this",
                            "      gpgme package.",
                            "    - Bump libgpg-error-dev build dependency to 1.28 for new gpgrt API",
                            "    - Drop versioned python tests - 3.5 is not shipped anymore; and it",
                            "      makes transitions harder for dubious benefits.",
                            "  * qt-Use-tofu-conflict-test-keys-without-expiry.patch: Cherry pick",
                            "    upstream fix for expiry dates in test suite.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.12.0-4ubuntu1",
                        "urgency": "low",
                        "distributions": "disco",
                        "launchpad_bugs_fixed": [
                            1808109
                        ],
                        "author": "Julian Andres Klode <juliank@ubuntu.com>",
                        "date": "Mon, 14 Jan 2019 17:36:53 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild to build without python3.6 support.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.11.1-1ubuntu4",
                        "urgency": "medium",
                        "distributions": "disco",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sat, 03 Nov 2018 12:07:06 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix Build-Depends to use python3-all-dev instead of python3-dev",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.11.1-1ubuntu3",
                        "urgency": "medium",
                        "distributions": "cosmic",
                        "launchpad_bugs_fixed": [],
                        "author": "Julian Andres Klode <juliank@ubuntu.com>",
                        "date": "Tue, 14 Aug 2018 16:32:44 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Make debian/libgpgme-dev.links executable, it uses dh-exec (LP: #1762384)",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.11.1-1ubuntu2",
                        "urgency": "medium",
                        "distributions": "cosmic",
                        "launchpad_bugs_fixed": [
                            1762384
                        ],
                        "author": "Julian Andres Klode <juliank@ubuntu.com>",
                        "date": "Tue, 14 Aug 2018 14:52:40 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable.  Remaining changes:",
                            "    - debian/patch/0007-Python-Versions.patch: Use py{,3}versions detection.",
                            "    - debian/patches/0006-PIC-and-shared.patch: Libs are -fPIC and -shared.",
                            "    - Add in libgpgme-dev a libgpgme-pthread.so pointing to libgpgme.so, this",
                            "      will fix the build failures of kf5-kdepim-apps-libs when built against this",
                            "      gpgme package.",
                            "  * Bump libgpg-error-dev build dependency to 1.28 for new gpgrt API",
                            "  * Drop versioned python tests - 3.5 is not shipped anymore; and it",
                            "    makes transitions harder for dubious benefits.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.11.1-1ubuntu1",
                        "urgency": "low",
                        "distributions": "cosmic",
                        "launchpad_bugs_fixed": [],
                        "author": "Julian Andres Klode <juliank@ubuntu.com>",
                        "date": "Mon, 07 May 2018 15:52:27 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable.  Remaining changes:",
                            "    - debian/patch/0007-Python-Versions.patch: Use py{,3}versions detection.",
                            "    - debian/patches/0006-PIC-and-shared.patch: Libs are -fPIC and -shared.",
                            "    - Add in libgpgme-dev a libgpgme-pthread.so pointing to libgpgme.so, this",
                            "      will fix the build failures of kf5-kdepim-apps-libs when built against this",
                            "      gpgme package.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.10.0-1ubuntu1",
                        "urgency": "low",
                        "distributions": "bionic",
                        "launchpad_bugs_fixed": [],
                        "author": "Julian Andres Klode <juliank@ubuntu.com>",
                        "date": "Mon, 15 Jan 2018 14:22:11 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No change rebuild to drop Python 3.5 support.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.8.0-3ubuntu5",
                        "urgency": "medium",
                        "distributions": "artful",
                        "launchpad_bugs_fixed": [],
                        "author": "Michael Hudson-Doyle <michael.hudson@ubuntu.com>",
                        "date": "Fri, 04 Aug 2017 18:48:34 +1200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patch/0007-Python-Versions.patch: Use py{,3}versions detection.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.8.0-3ubuntu4",
                        "urgency": "medium",
                        "distributions": "artful",
                        "launchpad_bugs_fixed": [],
                        "author": "Adam Conrad <adconrad@ubuntu.com>",
                        "date": "Fri, 12 May 2017 03:54:43 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/patch/0007-Python-Versions.patch: Use py{,3}versions detection.",
                            "  * debian/patches/0006-PIC-and-shared.patch: Libs are -fPIC and -shared.",
                            "  * debian/rules: Stop explicitly setting LDFLAGS, this messes with PIE.",
                            "  * debian/rules: Stop disabling PIE, the above CFLAGS changes should do.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.8.0-3ubuntu3",
                        "urgency": "medium",
                        "distributions": "artful",
                        "launchpad_bugs_fixed": [],
                        "author": "Adam Conrad <adconrad@ubuntu.com>",
                        "date": "Fri, 12 May 2017 01:22:23 -0600"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add in libgpgme-dev a libgpgme-pthread.so pointing to libgpgme.so, this",
                            "    will fix the build failures of kf5-kdepim-apps-libs when built against this",
                            "    gpgme package.",
                            "  * Set LDFLAGS=-Wl,-z,relro in debian/rules, this avoids passing",
                            "    \"-Bsymbolic-functions\" which seems to be the cause of FTBFS'es for some",
                            "    architectures.",
                            "  * Add 0005-tests-Reduce-iterations-threads.patch, this fixes another cause of",
                            "    FTBFS'es on some architectures.",
                            "  * Previous two changes fix (LP: #1647204)",
                            "  * Thank you to Rik Mills for his help fixing the above problems.",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.8.0-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "zesty",
                        "launchpad_bugs_fixed": [
                            1647204
                        ],
                        "author": "José Manuel Santamaría Lema <panfaust@gmail.com>",
                        "date": "Sat, 18 Feb 2017 22:22:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ José Manuel Santamaría Lema ]",
                            "  * Pass '-fPIC' to gcc, otherwise this package will fail to build on Ubuntu",
                            "    with this error:",
                            "    /usr/include/*/qt5/QtCore/qglobal.h:1087:4: error:",
                            "    #error \"You must build your code with position independent code if Qt was",
                            "    built with -reduce-relocations. \" \"Compile your code with -fPIC (-fPIE is",
                            "    not enough).\"",
                            "",
                            "  [ Rik Mills ]",
                            "  * Apply upstream patch to fix build hang on launchpad-buildd and speed up",
                            "    tests on low entropy systems.  (LP: #1647204)",
                            "",
                            "  [ Andre Hinecke ]",
                            "  * Apply another upstream patch to fix build hang on launchpad-buildd if",
                            "    gpg is gpg2.",
                            "",
                            "  [ Barry Warsaw ]",
                            "  * d/control: update-maintainer",
                            ""
                        ],
                        "package": "gpgme1.0",
                        "version": "1.8.0-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "zesty",
                        "launchpad_bugs_fixed": [
                            1647204
                        ],
                        "author": "Rik Mills <rikmills@kubuntu.org>",
                        "date": "Mon, 30 Jan 2017 09:08:10 +0000"
                    }
                ],
                "notes": "libgpgme45:armhf version '2.0.1-2build1' (source package gpgme1.0 version '2.0.1-2build1') was added. libgpgme45:armhf version '2.0.1-2build1' has the same source package name, gpgme1.0, as removed package libgpgme11t64:armhf. As such we can use the source package version of the removed package, '1.24.2-3ubuntu2', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "libnvme1t64:armhf",
                "from_version": {
                    "source_package_name": "libnvme",
                    "source_package_version": "1.16.1-2",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "libnvme",
                    "source_package_version": "1.16.1-4",
                    "version": "1.16.1-4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Also marking library dev package multi-arch same.",
                            ""
                        ],
                        "package": "libnvme",
                        "version": "1.16.1-4",
                        "urgency": "medium",
                        "distributions": "sid",
                        "launchpad_bugs_fixed": [],
                        "author": "Daniel Baumann <daniel@debian.org>",
                        "date": "Sun, 15 Feb 2026 09:00:22 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Updating to standards version 4.7.3.",
                            "  * Wrap and sorting debian files.",
                            "  * Sorting fields in control.",
                            "  * Marking library package multi-arch same.",
                            "  * Updating year in copyright for 2026.",
                            ""
                        ],
                        "package": "libnvme",
                        "version": "1.16.1-3",
                        "urgency": "medium",
                        "distributions": "sid",
                        "launchpad_bugs_fixed": [],
                        "author": "Daniel Baumann <daniel@debian.org>",
                        "date": "Sun, 08 Feb 2026 08:10:16 +0100"
                    }
                ],
                "notes": "libnvme1t64:armhf version '1.16.1-4' (source package libnvme version '1.16.1-4') was added. libnvme1t64:armhf version '1.16.1-4' has the same source package name, libnvme, as removed package libnvme1t64. As such we can use the source package version of the removed package, '1.16.1-2', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "libsframe3:armhf",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "binutils",
                    "source_package_version": "2.46-3ubuntu2",
                    "version": "2.46-3ubuntu2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change rebuild for glibc 2.46.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Sun, 15 Mar 2026 02:33:01 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian; remaining changes:",
                            "    - Build from upstream sources.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@ubuntu.com>",
                        "date": "Thu, 05 Mar 2026 12:26:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix PR demangler/106641, taken from the trunk.",
                            "  * Drop build dependency on quilt. Closes: #1129263.",
                            "  * Update libgprofng symbols file.",
                            ""
                        ],
                        "package": "binutils",
                        "version": "2.46-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Thu, 05 Mar 2026 12:22:39 +0100"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-7.0.0-10",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.19.0-6.6",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-10.10",
                    "version": "7.0.0-10.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144865,
                    2144735,
                    2142775,
                    2144652,
                    2143197,
                    2139276,
                    2143974,
                    1990064,
                    2142956,
                    2141298,
                    2028253,
                    2028253,
                    2102680,
                    2028253,
                    2032602,
                    2143243,
                    2143203,
                    2110092,
                    2143745,
                    2143700,
                    2143181,
                    2143123,
                    2141276,
                    2106681,
                    2121347,
                    2138328,
                    2143020,
                    2142764,
                    2142402
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-10.10 -proposed tracker (LP: #2144865)",
                            "",
                            "  * Miscellaneous upstream changes",
                            "    - Revert \"powerpc: fix KUAP warning in VMX usercopy path\"",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-10.10",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144865
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 19 Mar 2026 09:44:11 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-9.9 -proposed tracker (LP: #2144735)",
                            "",
                            "  * Please make dracut the default initrd generator (LP: #2142775)",
                            "    - [Packaging] recommends dracut instead of initramfs-tools",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - SAUCE: Change RISC-V target to RVA23 (riscv64a23-unknown-linux-gnu)",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-9.9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144735,
                            2142775
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 18 Mar 2026 13:11:06 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-8.8 -proposed tracker (LP: #2144652)",
                            "",
                            "  * UBUNTU: SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "    (LP: #2143197)",
                            "    - SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "",
                            "  * [usrmerge] evaluate kernel owned packages for DEP17 compliance",
                            "    (LP: #2139276)",
                            "    - [Packaging] Install modules in /usr/lib/modules",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] hardening: enable LIST_HARDENED",
                            "    - [Config] hardening: disable LDISC_AUTOLOAD",
                            "    - [Config] hardening: disable LEGACY_PTYS",
                            "    - [Config] updateconfigs following v7.0-rc4 rebase",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-8.8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144652,
                            2143197,
                            2139276
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Tue, 17 Mar 2026 18:01:36 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-7.7 -proposed tracker (LP: #2143974)",
                            "",
                            "  * unconfined profile denies userns_create for chromium based processes",
                            "    (LP: #1990064)",
                            "    - [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS",
                            "",
                            "  * Jellyfin Desktop Flatpak doesn't work with the current AppArmor profile",
                            "    (LP: #2142956)",
                            "    - SAUCE: apparmor5.0.0 [29/29]: apparmor: fix fine grained inet mediation",
                            "      sock_file_perm",
                            "",
                            "  * AppArmor blocks write(2) to network sockets with Linux 6.19 (LP: #2141298)",
                            "    - SAUCE: apparmor5.0.0 [28/29]: apparmor: fix aa_label_sk_perm to check",
                            "      for RULE_MEDIATES_NET",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253)",
                            "    - SAUCE: apparmor5.0.0 [1/29]: Stacking: LSM: Single calls in secid hooks",
                            "    - SAUCE: apparmor5.0.0 [2/29]: Stacking: LSM: Exclusive secmark usage",
                            "    - SAUCE: apparmor5.0.0 [3/29]: Stacking: AppArmor: Remove the exclusive",
                            "      flag",
                            "    - SAUCE: apparmor5.0.0 [4/29]: Revert \"apparmor: fix dbus permission",
                            "      queries to v9 ABI\"",
                            "    - SAUCE: apparmor5.0.0 [5/29]: Revert \"apparmor: gate make fine grained",
                            "      unix mediation behind v9 abi\"",
                            "    - SAUCE: apparmor5.0.0 [6/29]: apparmor: net: patch to provide",
                            "      compatibility with v2.x net rules",
                            "    - SAUCE: apparmor5.0.0 [7/29]: apparmor: net: add fine grained ipv4/ipv6",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [8/29]: apparmor: lift compatibility check out of",
                            "      profile_af_perm",
                            "    - SAUCE: apparmor5.0.0 [9/29]: apparmor: userns: add unprivileged user ns",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [10/29]: apparmor: userns: Add sysctls for",
                            "      additional controls of unpriv userns restrictions",
                            "    - SAUCE: apparmor5.0.0 [12/29]: apparmor: userns: open userns related",
                            "      sysctl so lxc can check if restriction are in place",
                            "    - SAUCE: apparmor5.0.0 [13/29]: apparmor: userns: allow profile to be",
                            "      transitioned when a userns is created",
                            "    - SAUCE: apparmor5.0.0 [14/29]: apparmor: mqueue: call",
                            "      security_inode_init_security on inode creation",
                            "    - SAUCE: apparmor5.0.0 [15/29]: apparmor: mqueue: add fine grained",
                            "      mediation of posix mqueues",
                            "    - SAUCE: apparmor5.0.0 [16/29]: apparmor: uring: add io_uring mediation",
                            "    - SAUCE: apparmor5.0.0 [19/29]: apparmor: prompt: setup slab cache for",
                            "      audit data",
                            "    - SAUCE: apparmor5.0.0 [20/29]: apparmor: prompt: add the ability for",
                            "      profiles to have a learning cache",
                            "    - SAUCE: apparmor5.0.0 [21/29]: apparmor: prompt: enable userspace upcall",
                            "      for mediation",
                            "    - SAUCE: apparmor5.0.0 [22/29]: apparmor: prompt: pass prompt boolean",
                            "      through into path_name as well",
                            "    - SAUCE: apparmor5.0.0 [23/29]: apparmor: check for supported version in",
                            "      notification messages.",
                            "    - SAUCE: apparmor5.0.0 [24/29]: apparmor: refactor building notice so it",
                            "      is easier to extend",
                            "    - SAUCE: apparmor5.0.0 [25/29]: apparmor: switch from ENOTSUPP to",
                            "      EPROTONOSUPPORT",
                            "    - SAUCE: apparmor5.0.0 [26/29]: apparmor: add support for meta data tags",
                            "    - SAUCE: apparmor5.0.0 [27/29]: apparmor: prevent profile->disconnected",
                            "      double free in aa_free_profile",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // Installation",
                            "    of AppArmor on a 6.14 kernel produces error message \"Illegal number: yes\"",
                            "    (LP: #2102680)",
                            "    - SAUCE: apparmor5.0.0 [17/29]: apparmor: create an",
                            "      AA_SFS_TYPE_BOOLEAN_INTPRINT sysctl variant",
                            "    - SAUCE: apparmor5.0.0 [18/29]: apparmor: Use AA_SFS_FILE_BOOLEAN_INTPRINT",
                            "      for userns and io_uring sysctls",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe]",
                            "    apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in",
                            "    mantic (LP: #2032602)",
                            "    - SAUCE: apparmor5.0.0 [11/29]: apparmor: userns - make it so special",
                            "      unconfined profiles can mediate user namespaces",
                            "",
                            "  * NPU utilization on amdxdna is missing (LP: #2143243)",
                            "    - SAUCE: accel/amdxdna: Add IOCTL to retrieve realtime NPU power estimate",
                            "    - SAUCE: accel/amdxdna: Support sensors for column utilization",
                            "    - SAUCE: accel/amdxdna: Import AMD_PMF namespace",
                            "",
                            "  * Adopting dark mode by default for OLED panel (LP: #2143203)",
                            "    - SAUCE: drm/connector: Add a new 'panel_type' property",
                            "    - SAUCE: drm/amd/display: Attach OLED property to eDP panels",
                            "",
                            "  * Support AMD Image Signal Processing (ISP) unit V4.0 (LP: #2110092)",
                            "    - SAUCE: media: platform: amd: Introduce amd isp4 capture driver",
                            "    - SAUCE: media: platform: amd: low level support for isp4 firmware",
                            "    - SAUCE: media: platform: amd: Add isp4 fw and hw interface",
                            "    - SAUCE: media: platform: amd: isp4 subdev and firmware loading handling",
                            "      added",
                            "    - SAUCE: media: platform: amd: isp4 video node and buffers handling added",
                            "    - SAUCE: Documentation: add documentation of AMD isp 4 driver",
                            "    - SAUCE: media: platform: amd: isp4 debug fs logging and more descriptive",
                            "      errors",
                            "    - [Config] Enable VIDEO_AMD_ISP4_CAPTURE",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] temporarily disable OBJTOOL_WERROR",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-7.7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143974,
                            1990064,
                            2142956,
                            2141298,
                            2028253,
                            2028253,
                            2102680,
                            2028253,
                            2032602,
                            2143243,
                            2143203,
                            2110092
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 12 Mar 2026 10:49:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-6.6 -proposed tracker (LP: #2143745)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] drop unstable suffix",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-6.6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143745
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 17:20:26 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-5.5 -proposed tracker (LP: #2143700)",
                            "",
                            "  * Resolute real-time patchset: 7.0-rc1-rt1 (LP: #2143181)",
                            "    - SAUCE: Reapply \"serial: 8250: Switch to nbcon console\"",
                            "    - SAUCE: Reapply \"serial: 8250: Revert \"drop lockdep annotation from",
                            "      serial8250_clear_IER()\"\"",
                            "    - SAUCE: drm/i915: Use preempt_disable/enable_rt() where recommended",
                            "    - SAUCE: drm/i915: Don't disable interrupts on PREEMPT_RT during atomic",
                            "      updates",
                            "    - SAUCE: drm/i915: Disable tracing points on PREEMPT_RT",
                            "    - SAUCE: drm/i915/gt: Use spin_lock_irq() instead of local_irq_disable() +",
                            "      spin_lock()",
                            "    - SAUCE: drm/i915: Drop the irqs_disabled() check",
                            "    - SAUCE: drm/i915/guc: Consider also RCU depth in busy loop.",
                            "    - SAUCE: drm/i915: Consider RCU read section as atomic.",
                            "    - SAUCE: Revert \"drm/i915: Depend on !PREEMPT_RT.\"",
                            "    - SAUCE: sysfs: Add /sys/kernel/realtime entry",
                            "    - Real-time patchset 7.0-rc1-rt1",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] rust toolchain version update",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-5.5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143700,
                            2143181
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 08:10:31 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-4.4 -proposed tracker (LP: #2143123)",
                            "",
                            "  * efi: Fix swapped arguments to bsearch() in efi_status_to_*() SAUCE patch",
                            "    (LP: #2141276)",
                            "    - SAUCE efi: Fix swapped arguments to bsearch() in efi_status_to_*()",
                            "",
                            "  * Plucky preinstalled server fails to boot on rb3gen2 (LP: #2106681) //",
                            "    Questing preinstalled server fails to boot on sa8775p boards",
                            "    (LP: #2121347)",
                            "    - [Config] move more qcom interconnect/pinctrl/gcc options to builtin",
                            "",
                            "  * linux-tools: consider linking perf against LLVM (LP: #2138328)",
                            "    - [Packaging] Add llvm-21-dev to build-depends for perf",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] Add intel-speed-select to linux-tools",
                            "    - [Packaging] remove stale debian/dkms-versions",
                            "    - [Packaging] remove stale debian/dkms-versions scripting",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-4.4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143123,
                            2141276,
                            2106681,
                            2121347,
                            2138328
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 04 Mar 2026 13:59:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-3.3 -proposed tracker (LP: #2143020)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] updateconfig after rebase to v7.0-rc2",
                            "    - [Config] switch to PREEMPT_LAZY",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143020
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 02 Mar 2026 09:26:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-2.2 -proposed tracker (LP: #2142764)",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-2.2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142764
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Fri, 27 Feb 2026 10:25:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-1.1 -proposed tracker (LP: #2142402)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [packaging] rename to linux-unstable",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - Update Changes.md",
                            "    - [Packaging] add libbpf-dev to Build-Depends",
                            "    - [Config] disable AMD_ISP4, FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove zfs FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove evdi FTBFS",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - [Config] update toolchain version",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-1.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142402
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:32:17 +0100"
                    }
                ],
                "notes": "linux-headers-7.0.0-10 version '7.0.0-10.10' (source package linux version '7.0.0-10.10') was added. linux-headers-7.0.0-10 version '7.0.0-10.10' has the same source package name, linux, as removed package linux-headers-6.19.0-6. As such we can use the source package version of the removed package, '6.19.0-6.6', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-7.0.0-10-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.19.0-6.6",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-10.10",
                    "version": "7.0.0-10.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144865,
                    2144735,
                    2142775,
                    2144652,
                    2143197,
                    2139276,
                    2143974,
                    1990064,
                    2142956,
                    2141298,
                    2028253,
                    2028253,
                    2102680,
                    2028253,
                    2032602,
                    2143243,
                    2143203,
                    2110092,
                    2143745,
                    2143700,
                    2143181,
                    2143123,
                    2141276,
                    2106681,
                    2121347,
                    2138328,
                    2143020,
                    2142764,
                    2142402
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-10.10 -proposed tracker (LP: #2144865)",
                            "",
                            "  * Miscellaneous upstream changes",
                            "    - Revert \"powerpc: fix KUAP warning in VMX usercopy path\"",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-10.10",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144865
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 19 Mar 2026 09:44:11 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-9.9 -proposed tracker (LP: #2144735)",
                            "",
                            "  * Please make dracut the default initrd generator (LP: #2142775)",
                            "    - [Packaging] recommends dracut instead of initramfs-tools",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - SAUCE: Change RISC-V target to RVA23 (riscv64a23-unknown-linux-gnu)",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-9.9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144735,
                            2142775
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 18 Mar 2026 13:11:06 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-8.8 -proposed tracker (LP: #2144652)",
                            "",
                            "  * UBUNTU: SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "    (LP: #2143197)",
                            "    - SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "",
                            "  * [usrmerge] evaluate kernel owned packages for DEP17 compliance",
                            "    (LP: #2139276)",
                            "    - [Packaging] Install modules in /usr/lib/modules",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] hardening: enable LIST_HARDENED",
                            "    - [Config] hardening: disable LDISC_AUTOLOAD",
                            "    - [Config] hardening: disable LEGACY_PTYS",
                            "    - [Config] updateconfigs following v7.0-rc4 rebase",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-8.8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144652,
                            2143197,
                            2139276
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Tue, 17 Mar 2026 18:01:36 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-7.7 -proposed tracker (LP: #2143974)",
                            "",
                            "  * unconfined profile denies userns_create for chromium based processes",
                            "    (LP: #1990064)",
                            "    - [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS",
                            "",
                            "  * Jellyfin Desktop Flatpak doesn't work with the current AppArmor profile",
                            "    (LP: #2142956)",
                            "    - SAUCE: apparmor5.0.0 [29/29]: apparmor: fix fine grained inet mediation",
                            "      sock_file_perm",
                            "",
                            "  * AppArmor blocks write(2) to network sockets with Linux 6.19 (LP: #2141298)",
                            "    - SAUCE: apparmor5.0.0 [28/29]: apparmor: fix aa_label_sk_perm to check",
                            "      for RULE_MEDIATES_NET",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253)",
                            "    - SAUCE: apparmor5.0.0 [1/29]: Stacking: LSM: Single calls in secid hooks",
                            "    - SAUCE: apparmor5.0.0 [2/29]: Stacking: LSM: Exclusive secmark usage",
                            "    - SAUCE: apparmor5.0.0 [3/29]: Stacking: AppArmor: Remove the exclusive",
                            "      flag",
                            "    - SAUCE: apparmor5.0.0 [4/29]: Revert \"apparmor: fix dbus permission",
                            "      queries to v9 ABI\"",
                            "    - SAUCE: apparmor5.0.0 [5/29]: Revert \"apparmor: gate make fine grained",
                            "      unix mediation behind v9 abi\"",
                            "    - SAUCE: apparmor5.0.0 [6/29]: apparmor: net: patch to provide",
                            "      compatibility with v2.x net rules",
                            "    - SAUCE: apparmor5.0.0 [7/29]: apparmor: net: add fine grained ipv4/ipv6",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [8/29]: apparmor: lift compatibility check out of",
                            "      profile_af_perm",
                            "    - SAUCE: apparmor5.0.0 [9/29]: apparmor: userns: add unprivileged user ns",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [10/29]: apparmor: userns: Add sysctls for",
                            "      additional controls of unpriv userns restrictions",
                            "    - SAUCE: apparmor5.0.0 [12/29]: apparmor: userns: open userns related",
                            "      sysctl so lxc can check if restriction are in place",
                            "    - SAUCE: apparmor5.0.0 [13/29]: apparmor: userns: allow profile to be",
                            "      transitioned when a userns is created",
                            "    - SAUCE: apparmor5.0.0 [14/29]: apparmor: mqueue: call",
                            "      security_inode_init_security on inode creation",
                            "    - SAUCE: apparmor5.0.0 [15/29]: apparmor: mqueue: add fine grained",
                            "      mediation of posix mqueues",
                            "    - SAUCE: apparmor5.0.0 [16/29]: apparmor: uring: add io_uring mediation",
                            "    - SAUCE: apparmor5.0.0 [19/29]: apparmor: prompt: setup slab cache for",
                            "      audit data",
                            "    - SAUCE: apparmor5.0.0 [20/29]: apparmor: prompt: add the ability for",
                            "      profiles to have a learning cache",
                            "    - SAUCE: apparmor5.0.0 [21/29]: apparmor: prompt: enable userspace upcall",
                            "      for mediation",
                            "    - SAUCE: apparmor5.0.0 [22/29]: apparmor: prompt: pass prompt boolean",
                            "      through into path_name as well",
                            "    - SAUCE: apparmor5.0.0 [23/29]: apparmor: check for supported version in",
                            "      notification messages.",
                            "    - SAUCE: apparmor5.0.0 [24/29]: apparmor: refactor building notice so it",
                            "      is easier to extend",
                            "    - SAUCE: apparmor5.0.0 [25/29]: apparmor: switch from ENOTSUPP to",
                            "      EPROTONOSUPPORT",
                            "    - SAUCE: apparmor5.0.0 [26/29]: apparmor: add support for meta data tags",
                            "    - SAUCE: apparmor5.0.0 [27/29]: apparmor: prevent profile->disconnected",
                            "      double free in aa_free_profile",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // Installation",
                            "    of AppArmor on a 6.14 kernel produces error message \"Illegal number: yes\"",
                            "    (LP: #2102680)",
                            "    - SAUCE: apparmor5.0.0 [17/29]: apparmor: create an",
                            "      AA_SFS_TYPE_BOOLEAN_INTPRINT sysctl variant",
                            "    - SAUCE: apparmor5.0.0 [18/29]: apparmor: Use AA_SFS_FILE_BOOLEAN_INTPRINT",
                            "      for userns and io_uring sysctls",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe]",
                            "    apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in",
                            "    mantic (LP: #2032602)",
                            "    - SAUCE: apparmor5.0.0 [11/29]: apparmor: userns - make it so special",
                            "      unconfined profiles can mediate user namespaces",
                            "",
                            "  * NPU utilization on amdxdna is missing (LP: #2143243)",
                            "    - SAUCE: accel/amdxdna: Add IOCTL to retrieve realtime NPU power estimate",
                            "    - SAUCE: accel/amdxdna: Support sensors for column utilization",
                            "    - SAUCE: accel/amdxdna: Import AMD_PMF namespace",
                            "",
                            "  * Adopting dark mode by default for OLED panel (LP: #2143203)",
                            "    - SAUCE: drm/connector: Add a new 'panel_type' property",
                            "    - SAUCE: drm/amd/display: Attach OLED property to eDP panels",
                            "",
                            "  * Support AMD Image Signal Processing (ISP) unit V4.0 (LP: #2110092)",
                            "    - SAUCE: media: platform: amd: Introduce amd isp4 capture driver",
                            "    - SAUCE: media: platform: amd: low level support for isp4 firmware",
                            "    - SAUCE: media: platform: amd: Add isp4 fw and hw interface",
                            "    - SAUCE: media: platform: amd: isp4 subdev and firmware loading handling",
                            "      added",
                            "    - SAUCE: media: platform: amd: isp4 video node and buffers handling added",
                            "    - SAUCE: Documentation: add documentation of AMD isp 4 driver",
                            "    - SAUCE: media: platform: amd: isp4 debug fs logging and more descriptive",
                            "      errors",
                            "    - [Config] Enable VIDEO_AMD_ISP4_CAPTURE",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] temporarily disable OBJTOOL_WERROR",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-7.7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143974,
                            1990064,
                            2142956,
                            2141298,
                            2028253,
                            2028253,
                            2102680,
                            2028253,
                            2032602,
                            2143243,
                            2143203,
                            2110092
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 12 Mar 2026 10:49:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-6.6 -proposed tracker (LP: #2143745)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] drop unstable suffix",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-6.6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143745
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 17:20:26 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-5.5 -proposed tracker (LP: #2143700)",
                            "",
                            "  * Resolute real-time patchset: 7.0-rc1-rt1 (LP: #2143181)",
                            "    - SAUCE: Reapply \"serial: 8250: Switch to nbcon console\"",
                            "    - SAUCE: Reapply \"serial: 8250: Revert \"drop lockdep annotation from",
                            "      serial8250_clear_IER()\"\"",
                            "    - SAUCE: drm/i915: Use preempt_disable/enable_rt() where recommended",
                            "    - SAUCE: drm/i915: Don't disable interrupts on PREEMPT_RT during atomic",
                            "      updates",
                            "    - SAUCE: drm/i915: Disable tracing points on PREEMPT_RT",
                            "    - SAUCE: drm/i915/gt: Use spin_lock_irq() instead of local_irq_disable() +",
                            "      spin_lock()",
                            "    - SAUCE: drm/i915: Drop the irqs_disabled() check",
                            "    - SAUCE: drm/i915/guc: Consider also RCU depth in busy loop.",
                            "    - SAUCE: drm/i915: Consider RCU read section as atomic.",
                            "    - SAUCE: Revert \"drm/i915: Depend on !PREEMPT_RT.\"",
                            "    - SAUCE: sysfs: Add /sys/kernel/realtime entry",
                            "    - Real-time patchset 7.0-rc1-rt1",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] rust toolchain version update",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-5.5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143700,
                            2143181
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 08:10:31 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-4.4 -proposed tracker (LP: #2143123)",
                            "",
                            "  * efi: Fix swapped arguments to bsearch() in efi_status_to_*() SAUCE patch",
                            "    (LP: #2141276)",
                            "    - SAUCE efi: Fix swapped arguments to bsearch() in efi_status_to_*()",
                            "",
                            "  * Plucky preinstalled server fails to boot on rb3gen2 (LP: #2106681) //",
                            "    Questing preinstalled server fails to boot on sa8775p boards",
                            "    (LP: #2121347)",
                            "    - [Config] move more qcom interconnect/pinctrl/gcc options to builtin",
                            "",
                            "  * linux-tools: consider linking perf against LLVM (LP: #2138328)",
                            "    - [Packaging] Add llvm-21-dev to build-depends for perf",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] Add intel-speed-select to linux-tools",
                            "    - [Packaging] remove stale debian/dkms-versions",
                            "    - [Packaging] remove stale debian/dkms-versions scripting",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-4.4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143123,
                            2141276,
                            2106681,
                            2121347,
                            2138328
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 04 Mar 2026 13:59:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-3.3 -proposed tracker (LP: #2143020)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] updateconfig after rebase to v7.0-rc2",
                            "    - [Config] switch to PREEMPT_LAZY",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143020
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 02 Mar 2026 09:26:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-2.2 -proposed tracker (LP: #2142764)",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-2.2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142764
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Fri, 27 Feb 2026 10:25:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-1.1 -proposed tracker (LP: #2142402)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [packaging] rename to linux-unstable",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - Update Changes.md",
                            "    - [Packaging] add libbpf-dev to Build-Depends",
                            "    - [Config] disable AMD_ISP4, FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove zfs FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove evdi FTBFS",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - [Config] update toolchain version",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-1.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142402
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:32:17 +0100"
                    }
                ],
                "notes": "linux-headers-7.0.0-10-generic version '7.0.0-10.10' (source package linux version '7.0.0-10.10') was added. linux-headers-7.0.0-10-generic version '7.0.0-10.10' has the same source package name, linux, as the removed package linux-headers-6.19.0-6. As such we can use the source package version of the removed package, '6.19.0-6.6', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package's source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-7.0.0-10-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.19.0-6.6",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-10.10",
                    "version": "7.0.0-10.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144865,
                    2144735,
                    2142775,
                    2144652,
                    2143197,
                    2139276,
                    2143974,
                    1990064,
                    2142956,
                    2141298,
                    2028253,
                    2028253,
                    2102680,
                    2028253,
                    2032602,
                    2143243,
                    2143203,
                    2110092,
                    2143745,
                    2143700,
                    2143181,
                    2143123,
                    2141276,
                    2106681,
                    2121347,
                    2138328,
                    2143020,
                    2142764,
                    2142402
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-10.10 -proposed tracker (LP: #2144865)",
                            "",
                            "  * Miscellaneous upstream changes",
                            "    - Revert \"powerpc: fix KUAP warning in VMX usercopy path\"",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-10.10",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144865
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 19 Mar 2026 09:44:11 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-9.9 -proposed tracker (LP: #2144735)",
                            "",
                            "  * Please make dracut the default initrd generator (LP: #2142775)",
                            "    - [Packaging] recommends dracut instead of initramfs-tools",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - SAUCE: Change RISC-V target to RVA23 (riscv64a23-unknown-linux-gnu)",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-9.9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144735,
                            2142775
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 18 Mar 2026 13:11:06 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-8.8 -proposed tracker (LP: #2144652)",
                            "",
                            "  * UBUNTU: SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "    (LP: #2143197)",
                            "    - SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "",
                            "  * [usrmerge] evaluate kernel owned packages for DEP17 compliance",
                            "    (LP: #2139276)",
                            "    - [Packaging] Install modules in /usr/lib/modules",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] hardening: enable LIST_HARDENED",
                            "    - [Config] hardening: disable LDISC_AUTOLOAD",
                            "    - [Config] hardening: disable LEGACY_PTYS",
                            "    - [Config] updateconfigs following v7.0-rc4 rebase",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-8.8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144652,
                            2143197,
                            2139276
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Tue, 17 Mar 2026 18:01:36 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-7.7 -proposed tracker (LP: #2143974)",
                            "",
                            "  * unconfined profile denies userns_create for chromium based processes",
                            "    (LP: #1990064)",
                            "    - [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS",
                            "",
                            "  * Jellyfin Desktop Flatpak doesn't work with the current AppArmor profile",
                            "    (LP: #2142956)",
                            "    - SAUCE: apparmor5.0.0 [29/29]: apparmor: fix fine grained inet mediation",
                            "      sock_file_perm",
                            "",
                            "  * AppArmor blocks write(2) to network sockets with Linux 6.19 (LP: #2141298)",
                            "    - SAUCE: apparmor5.0.0 [28/29]: apparmor: fix aa_label_sk_perm to check",
                            "      for RULE_MEDIATES_NET",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253)",
                            "    - SAUCE: apparmor5.0.0 [1/29]: Stacking: LSM: Single calls in secid hooks",
                            "    - SAUCE: apparmor5.0.0 [2/29]: Stacking: LSM: Exclusive secmark usage",
                            "    - SAUCE: apparmor5.0.0 [3/29]: Stacking: AppArmor: Remove the exclusive",
                            "      flag",
                            "    - SAUCE: apparmor5.0.0 [4/29]: Revert \"apparmor: fix dbus permission",
                            "      queries to v9 ABI\"",
                            "    - SAUCE: apparmor5.0.0 [5/29]: Revert \"apparmor: gate make fine grained",
                            "      unix mediation behind v9 abi\"",
                            "    - SAUCE: apparmor5.0.0 [6/29]: apparmor: net: patch to provide",
                            "      compatibility with v2.x net rules",
                            "    - SAUCE: apparmor5.0.0 [7/29]: apparmor: net: add fine grained ipv4/ipv6",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [8/29]: apparmor: lift compatibility check out of",
                            "      profile_af_perm",
                            "    - SAUCE: apparmor5.0.0 [9/29]: apparmor: userns: add unprivileged user ns",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [10/29]: apparmor: userns: Add sysctls for",
                            "      additional controls of unpriv userns restrictions",
                            "    - SAUCE: apparmor5.0.0 [12/29]: apparmor: userns: open userns related",
                            "      sysctl so lxc can check if restriction are in place",
                            "    - SAUCE: apparmor5.0.0 [13/29]: apparmor: userns: allow profile to be",
                            "      transitioned when a userns is created",
                            "    - SAUCE: apparmor5.0.0 [14/29]: apparmor: mqueue: call",
                            "      security_inode_init_security on inode creation",
                            "    - SAUCE: apparmor5.0.0 [15/29]: apparmor: mqueue: add fine grained",
                            "      mediation of posix mqueues",
                            "    - SAUCE: apparmor5.0.0 [16/29]: apparmor: uring: add io_uring mediation",
                            "    - SAUCE: apparmor5.0.0 [19/29]: apparmor: prompt: setup slab cache for",
                            "      audit data",
                            "    - SAUCE: apparmor5.0.0 [20/29]: apparmor: prompt: add the ability for",
                            "      profiles to have a learning cache",
                            "    - SAUCE: apparmor5.0.0 [21/29]: apparmor: prompt: enable userspace upcall",
                            "      for mediation",
                            "    - SAUCE: apparmor5.0.0 [22/29]: apparmor: prompt: pass prompt boolean",
                            "      through into path_name as well",
                            "    - SAUCE: apparmor5.0.0 [23/29]: apparmor: check for supported version in",
                            "      notification messages.",
                            "    - SAUCE: apparmor5.0.0 [24/29]: apparmor: refactor building notice so it",
                            "      is easier to extend",
                            "    - SAUCE: apparmor5.0.0 [25/29]: apparmor: switch from ENOTSUPP to",
                            "      EPROTONOSUPPORT",
                            "    - SAUCE: apparmor5.0.0 [26/29]: apparmor: add support for meta data tags",
                            "    - SAUCE: apparmor5.0.0 [27/29]: apparmor: prevent profile->disconnected",
                            "      double free in aa_free_profile",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // Installation",
                            "    of AppArmor on a 6.14 kernel produces error message \"Illegal number: yes\"",
                            "    (LP: #2102680)",
                            "    - SAUCE: apparmor5.0.0 [17/29]: apparmor: create an",
                            "      AA_SFS_TYPE_BOOLEAN_INTPRINT sysctl variant",
                            "    - SAUCE: apparmor5.0.0 [18/29]: apparmor: Use AA_SFS_FILE_BOOLEAN_INTPRINT",
                            "      for userns and io_uring sysctls",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe]",
                            "    apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in",
                            "    mantic (LP: #2032602)",
                            "    - SAUCE: apparmor5.0.0 [11/29]: apparmor: userns - make it so special",
                            "      unconfined profiles can mediate user namespaces",
                            "",
                            "  * NPU utilization on amdxdna is missing (LP: #2143243)",
                            "    - SAUCE: accel/amdxdna: Add IOCTL to retrieve realtime NPU power estimate",
                            "    - SAUCE: accel/amdxdna: Support sensors for column utilization",
                            "    - SAUCE: accel/amdxdna: Import AMD_PMF namespace",
                            "",
                            "  * Adopting dark mode by default for OLED panel (LP: #2143203)",
                            "    - SAUCE: drm/connector: Add a new 'panel_type' property",
                            "    - SAUCE: drm/amd/display: Attach OLED property to eDP panels",
                            "",
                            "  * Support AMD Image Signal Processing (ISP) unit V4.0 (LP: #2110092)",
                            "    - SAUCE: media: platform: amd: Introduce amd isp4 capture driver",
                            "    - SAUCE: media: platform: amd: low level support for isp4 firmware",
                            "    - SAUCE: media: platform: amd: Add isp4 fw and hw interface",
                            "    - SAUCE: media: platform: amd: isp4 subdev and firmware loading handling",
                            "      added",
                            "    - SAUCE: media: platform: amd: isp4 video node and buffers handling added",
                            "    - SAUCE: Documentation: add documentation of AMD isp 4 driver",
                            "    - SAUCE: media: platform: amd: isp4 debug fs logging and more descriptive",
                            "      errors",
                            "    - [Config] Enable VIDEO_AMD_ISP4_CAPTURE",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] temporarily disable OBJTOOL_WERROR",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-7.7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143974,
                            1990064,
                            2142956,
                            2141298,
                            2028253,
                            2028253,
                            2102680,
                            2028253,
                            2032602,
                            2143243,
                            2143203,
                            2110092
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 12 Mar 2026 10:49:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-6.6 -proposed tracker (LP: #2143745)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] drop unstable suffix",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-6.6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143745
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 17:20:26 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-5.5 -proposed tracker (LP: #2143700)",
                            "",
                            "  * Resolute real-time patchset: 7.0-rc1-rt1 (LP: #2143181)",
                            "    - SAUCE: Reapply \"serial: 8250: Switch to nbcon console\"",
                            "    - SAUCE: Reapply \"serial: 8250: Revert \"drop lockdep annotation from",
                            "      serial8250_clear_IER()\"\"",
                            "    - SAUCE: drm/i915: Use preempt_disable/enable_rt() where recommended",
                            "    - SAUCE: drm/i915: Don't disable interrupts on PREEMPT_RT during atomic",
                            "      updates",
                            "    - SAUCE: drm/i915: Disable tracing points on PREEMPT_RT",
                            "    - SAUCE: drm/i915/gt: Use spin_lock_irq() instead of local_irq_disable() +",
                            "      spin_lock()",
                            "    - SAUCE: drm/i915: Drop the irqs_disabled() check",
                            "    - SAUCE: drm/i915/guc: Consider also RCU depth in busy loop.",
                            "    - SAUCE: drm/i915: Consider RCU read section as atomic.",
                            "    - SAUCE: Revert \"drm/i915: Depend on !PREEMPT_RT.\"",
                            "    - SAUCE: sysfs: Add /sys/kernel/realtime entry",
                            "    - Real-time patchset 7.0-rc1-rt1",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] rust toolchain version update",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-5.5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143700,
                            2143181
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 08:10:31 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-4.4 -proposed tracker (LP: #2143123)",
                            "",
                            "  * efi: Fix swapped arguments to bsearch() in efi_status_to_*() SAUCE patch",
                            "    (LP: #2141276)",
                            "    - SAUCE efi: Fix swapped arguments to bsearch() in efi_status_to_*()",
                            "",
                            "  * Plucky preinstalled server fails to boot on rb3gen2 (LP: #2106681) //",
                            "    Questing preinstalled server fails to boot on sa8775p boards",
                            "    (LP: #2121347)",
                            "    - [Config] move more qcom interconnect/pinctrl/gcc options to builtin",
                            "",
                            "  * linux-tools: consider linking perf against LLVM (LP: #2138328)",
                            "    - [Packaging] Add llvm-21-dev to build-depends for perf",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] Add intel-speed-select to linux-tools",
                            "    - [Packaging] remove stale debian/dkms-versions",
                            "    - [Packaging] remove stale debian/dkms-versions scripting",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-4.4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143123,
                            2141276,
                            2106681,
                            2121347,
                            2138328
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 04 Mar 2026 13:59:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-3.3 -proposed tracker (LP: #2143020)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] updateconfig after rebase to v7.0-rc2",
                            "    - [Config] switch to PREEMPT_LAZY",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143020
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 02 Mar 2026 09:26:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-2.2 -proposed tracker (LP: #2142764)",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-2.2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142764
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Fri, 27 Feb 2026 10:25:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-1.1 -proposed tracker (LP: #2142402)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [packaging] rename to linux-unstable",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - Update Changes.md",
                            "    - [Packaging] add libbpf-dev to Build-Depends",
                            "    - [Config] disable AMD_ISP4, FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove zfs FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove evdi FTBFS",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - [Config] update toolchain version",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-1.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142402
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:32:17 +0100"
                    }
                ],
                "notes": "linux-image-7.0.0-10-generic version '7.0.0-10.10' (source package linux version '7.0.0-10.10') was added. linux-image-7.0.0-10-generic version '7.0.0-10.10' has the same source package name, linux, as removed package linux-headers-6.19.0-6. As such we can use the source package version of the removed package, '6.19.0-6.6', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-libc-dev:armhf",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.19.0-6.6",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-10.10",
                    "version": "7.0.0-10.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144865,
                    2144735,
                    2142775,
                    2144652,
                    2143197,
                    2139276,
                    2143974,
                    1990064,
                    2142956,
                    2141298,
                    2028253,
                    2028253,
                    2102680,
                    2028253,
                    2032602,
                    2143243,
                    2143203,
                    2110092,
                    2143745,
                    2143700,
                    2143181,
                    2143123,
                    2141276,
                    2106681,
                    2121347,
                    2138328,
                    2143020,
                    2142764,
                    2142402
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-10.10 -proposed tracker (LP: #2144865)",
                            "",
                            "  * Miscellaneous upstream changes",
                            "    - Revert \"powerpc: fix KUAP warning in VMX usercopy path\"",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-10.10",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144865
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 19 Mar 2026 09:44:11 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-9.9 -proposed tracker (LP: #2144735)",
                            "",
                            "  * Please make dracut the default initrd generator (LP: #2142775)",
                            "    - [Packaging] recommends dracut instead of initramfs-tools",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - SAUCE: Change RISC-V target to RVA23 (riscv64a23-unknown-linux-gnu)",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-9.9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144735,
                            2142775
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 18 Mar 2026 13:11:06 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-8.8 -proposed tracker (LP: #2144652)",
                            "",
                            "  * UBUNTU: SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "    (LP: #2143197)",
                            "    - SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "",
                            "  * [usrmerge] evaluate kernel owned packages for DEP17 compliance",
                            "    (LP: #2139276)",
                            "    - [Packaging] Install modules in /usr/lib/modules",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] hardening: enable LIST_HARDENED",
                            "    - [Config] hardening: disable LDISC_AUTOLOAD",
                            "    - [Config] hardening: disable LEGACY_PTYS",
                            "    - [Config] updateconfigs following v7.0-rc4 rebase",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-8.8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144652,
                            2143197,
                            2139276
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Tue, 17 Mar 2026 18:01:36 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-7.7 -proposed tracker (LP: #2143974)",
                            "",
                            "  * unconfined profile denies userns_create for chromium based processes",
                            "    (LP: #1990064)",
                            "    - [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS",
                            "",
                            "  * Jellyfin Desktop Flatpak doesn't work with the current AppArmor profile",
                            "    (LP: #2142956)",
                            "    - SAUCE: apparmor5.0.0 [29/29]: apparmor: fix fine grained inet mediation",
                            "      sock_file_perm",
                            "",
                            "  * AppArmor blocks write(2) to network sockets with Linux 6.19 (LP: #2141298)",
                            "    - SAUCE: apparmor5.0.0 [28/29]: apparmor: fix aa_label_sk_perm to check",
                            "      for RULE_MEDIATES_NET",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253)",
                            "    - SAUCE: apparmor5.0.0 [1/29]: Stacking: LSM: Single calls in secid hooks",
                            "    - SAUCE: apparmor5.0.0 [2/29]: Stacking: LSM: Exclusive secmark usage",
                            "    - SAUCE: apparmor5.0.0 [3/29]: Stacking: AppArmor: Remove the exclusive",
                            "      flag",
                            "    - SAUCE: apparmor5.0.0 [4/29]: Revert \"apparmor: fix dbus permission",
                            "      queries to v9 ABI\"",
                            "    - SAUCE: apparmor5.0.0 [5/29]: Revert \"apparmor: gate make fine grained",
                            "      unix mediation behind v9 abi\"",
                            "    - SAUCE: apparmor5.0.0 [6/29]: apparmor: net: patch to provide",
                            "      compatibility with v2.x net rules",
                            "    - SAUCE: apparmor5.0.0 [7/29]: apparmor: net: add fine grained ipv4/ipv6",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [8/29]: apparmor: lift compatibility check out of",
                            "      profile_af_perm",
                            "    - SAUCE: apparmor5.0.0 [9/29]: apparmor: userns: add unprivileged user ns",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [10/29]: apparmor: userns: Add sysctls for",
                            "      additional controls of unpriv userns restrictions",
                            "    - SAUCE: apparmor5.0.0 [12/29]: apparmor: userns: open userns related",
                            "      sysctl so lxc can check if restriction are in place",
                            "    - SAUCE: apparmor5.0.0 [13/29]: apparmor: userns: allow profile to be",
                            "      transitioned when a userns is created",
                            "    - SAUCE: apparmor5.0.0 [14/29]: apparmor: mqueue: call",
                            "      security_inode_init_security on inode creation",
                            "    - SAUCE: apparmor5.0.0 [15/29]: apparmor: mqueue: add fine grained",
                            "      mediation of posix mqueues",
                            "    - SAUCE: apparmor5.0.0 [16/29]: apparmor: uring: add io_uring mediation",
                            "    - SAUCE: apparmor5.0.0 [19/29]: apparmor: prompt: setup slab cache for",
                            "      audit data",
                            "    - SAUCE: apparmor5.0.0 [20/29]: apparmor: prompt: add the ability for",
                            "      profiles to have a learning cache",
                            "    - SAUCE: apparmor5.0.0 [21/29]: apparmor: prompt: enable userspace upcall",
                            "      for mediation",
                            "    - SAUCE: apparmor5.0.0 [22/29]: apparmor: prompt: pass prompt boolean",
                            "      through into path_name as well",
                            "    - SAUCE: apparmor5.0.0 [23/29]: apparmor: check for supported version in",
                            "      notification messages.",
                            "    - SAUCE: apparmor5.0.0 [24/29]: apparmor: refactor building notice so it",
                            "      is easier to extend",
                            "    - SAUCE: apparmor5.0.0 [25/29]: apparmor: switch from ENOTSUPP to",
                            "      EPROTONOSUPPORT",
                            "    - SAUCE: apparmor5.0.0 [26/29]: apparmor: add support for meta data tags",
                            "    - SAUCE: apparmor5.0.0 [27/29]: apparmor: prevent profile->disconnected",
                            "      double free in aa_free_profile",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // Installation",
                            "    of AppArmor on a 6.14 kernel produces error message \"Illegal number: yes\"",
                            "    (LP: #2102680)",
                            "    - SAUCE: apparmor5.0.0 [17/29]: apparmor: create an",
                            "      AA_SFS_TYPE_BOOLEAN_INTPRINT sysctl variant",
                            "    - SAUCE: apparmor5.0.0 [18/29]: apparmor: Use AA_SFS_FILE_BOOLEAN_INTPRINT",
                            "      for userns and io_uring sysctls",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe]",
                            "    apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in",
                            "    mantic (LP: #2032602)",
                            "    - SAUCE: apparmor5.0.0 [11/29]: apparmor: userns - make it so special",
                            "      unconfined profiles can mediate user namespaces",
                            "",
                            "  * NPU utilization on amdxdna is missing (LP: #2143243)",
                            "    - SAUCE: accel/amdxdna: Add IOCTL to retrieve realtime NPU power estimate",
                            "    - SAUCE: accel/amdxdna: Support sensors for column utilization",
                            "    - SAUCE: accel/amdxdna: Import AMD_PMF namespace",
                            "",
                            "  * Adopting dark mode by default for OLED panel (LP: #2143203)",
                            "    - SAUCE: drm/connector: Add a new 'panel_type' property",
                            "    - SAUCE: drm/amd/display: Attach OLED property to eDP panels",
                            "",
                            "  * Support AMD Image Signal Processing (ISP) unit V4.0 (LP: #2110092)",
                            "    - SAUCE: media: platform: amd: Introduce amd isp4 capture driver",
                            "    - SAUCE: media: platform: amd: low level support for isp4 firmware",
                            "    - SAUCE: media: platform: amd: Add isp4 fw and hw interface",
                            "    - SAUCE: media: platform: amd: isp4 subdev and firmware loading handling",
                            "      added",
                            "    - SAUCE: media: platform: amd: isp4 video node and buffers handling added",
                            "    - SAUCE: Documentation: add documentation of AMD isp 4 driver",
                            "    - SAUCE: media: platform: amd: isp4 debug fs logging and more descriptive",
                            "      errors",
                            "    - [Config] Enable VIDEO_AMD_ISP4_CAPTURE",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] temporarily disable OBJTOOL_WERROR",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-7.7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143974,
                            1990064,
                            2142956,
                            2141298,
                            2028253,
                            2028253,
                            2102680,
                            2028253,
                            2032602,
                            2143243,
                            2143203,
                            2110092
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 12 Mar 2026 10:49:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-6.6 -proposed tracker (LP: #2143745)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] drop unstable suffix",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-6.6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143745
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 17:20:26 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-5.5 -proposed tracker (LP: #2143700)",
                            "",
                            "  * Resolute real-time patchset: 7.0-rc1-rt1 (LP: #2143181)",
                            "    - SAUCE: Reapply \"serial: 8250: Switch to nbcon console\"",
                            "    - SAUCE: Reapply \"serial: 8250: Revert \"drop lockdep annotation from",
                            "      serial8250_clear_IER()\"\"",
                            "    - SAUCE: drm/i915: Use preempt_disable/enable_rt() where recommended",
                            "    - SAUCE: drm/i915: Don't disable interrupts on PREEMPT_RT during atomic",
                            "      updates",
                            "    - SAUCE: drm/i915: Disable tracing points on PREEMPT_RT",
                            "    - SAUCE: drm/i915/gt: Use spin_lock_irq() instead of local_irq_disable() +",
                            "      spin_lock()",
                            "    - SAUCE: drm/i915: Drop the irqs_disabled() check",
                            "    - SAUCE: drm/i915/guc: Consider also RCU depth in busy loop.",
                            "    - SAUCE: drm/i915: Consider RCU read section as atomic.",
                            "    - SAUCE: Revert \"drm/i915: Depend on !PREEMPT_RT.\"",
                            "    - SAUCE: sysfs: Add /sys/kernel/realtime entry",
                            "    - Real-time patchset 7.0-rc1-rt1",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] rust toolchain version update",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-5.5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143700,
                            2143181
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 08:10:31 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-4.4 -proposed tracker (LP: #2143123)",
                            "",
                            "  * efi: Fix swapped arguments to bsearch() in efi_status_to_*() SAUCE patch",
                            "    (LP: #2141276)",
                            "    - SAUCE efi: Fix swapped arguments to bsearch() in efi_status_to_*()",
                            "",
                            "  * Plucky preinstalled server fails to boot on rb3gen2 (LP: #2106681) //",
                            "    Questing preinstalled server fails to boot on sa8775p boards",
                            "    (LP: #2121347)",
                            "    - [Config] move more qcom interconnect/pinctrl/gcc options to builtin",
                            "",
                            "  * linux-tools: consider linking perf against LLVM (LP: #2138328)",
                            "    - [Packaging] Add llvm-21-dev to build-depends for perf",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] Add intel-speed-select to linux-tools",
                            "    - [Packaging] remove stale debian/dkms-versions",
                            "    - [Packaging] remove stale debian/dkms-versions scripting",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-4.4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143123,
                            2141276,
                            2106681,
                            2121347,
                            2138328
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 04 Mar 2026 13:59:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-3.3 -proposed tracker (LP: #2143020)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] updateconfig after rebase to v7.0-rc2",
                            "    - [Config] switch to PREEMPT_LAZY",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143020
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 02 Mar 2026 09:26:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-2.2 -proposed tracker (LP: #2142764)",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-2.2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142764
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Fri, 27 Feb 2026 10:25:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-1.1 -proposed tracker (LP: #2142402)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [packaging] rename to linux-unstable",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - Update Changes.md",
                            "    - [Packaging] add libbpf-dev to Build-Depends",
                            "    - [Config] disable AMD_ISP4, FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove zfs FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove evdi FTBFS",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - [Config] update toolchain version",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-1.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142402
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:32:17 +0100"
                    }
                ],
                "notes": "linux-libc-dev:armhf version '7.0.0-10.10' (source package linux version '7.0.0-10.10') was added. It has the same source package name, linux, as the removed package linux-headers-6.19.0-6, so the removed package's source package version, '6.19.0-6.6', is used as the starting point of this changelog diff. Kernel packages are an example of binary package names changing between versions of the same source package. Starting from the removed package's source package version still gives a meaningful changelog diff for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-7.0.0-10-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.19.0-6.6",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-10.10",
                    "version": "7.0.0-10.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144865,
                    2144735,
                    2142775,
                    2144652,
                    2143197,
                    2139276,
                    2143974,
                    1990064,
                    2142956,
                    2141298,
                    2028253,
                    2028253,
                    2102680,
                    2028253,
                    2032602,
                    2143243,
                    2143203,
                    2110092,
                    2143745,
                    2143700,
                    2143181,
                    2143123,
                    2141276,
                    2106681,
                    2121347,
                    2138328,
                    2143020,
                    2142764,
                    2142402
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-10.10 -proposed tracker (LP: #2144865)",
                            "",
                            "  * Miscellaneous upstream changes",
                            "    - Revert \"powerpc: fix KUAP warning in VMX usercopy path\"",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-10.10",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144865
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 19 Mar 2026 09:44:11 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-9.9 -proposed tracker (LP: #2144735)",
                            "",
                            "  * Please make dracut the default initrd generator (LP: #2142775)",
                            "    - [Packaging] recommends dracut instead of initramfs-tools",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - SAUCE: Change RISC-V target to RVA23 (riscv64a23-unknown-linux-gnu)",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-9.9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144735,
                            2142775
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 18 Mar 2026 13:11:06 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-8.8 -proposed tracker (LP: #2144652)",
                            "",
                            "  * UBUNTU: SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "    (LP: #2143197)",
                            "    - SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "",
                            "  * [usrmerge] evaluate kernel owned packages for DEP17 compliance",
                            "    (LP: #2139276)",
                            "    - [Packaging] Install modules in /usr/lib/modules",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] hardening: enable LIST_HARDENED",
                            "    - [Config] hardening: disable LDISC_AUTOLOAD",
                            "    - [Config] hardening: disable LEGACY_PTYS",
                            "    - [Config] updateconfigs following v7.0-rc4 rebase",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-8.8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144652,
                            2143197,
                            2139276
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Tue, 17 Mar 2026 18:01:36 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-7.7 -proposed tracker (LP: #2143974)",
                            "",
                            "  * unconfined profile denies userns_create for chromium based processes",
                            "    (LP: #1990064)",
                            "    - [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS",
                            "",
                            "  * Jellyfin Desktop Flatpak doesn't work with the current AppArmor profile",
                            "    (LP: #2142956)",
                            "    - SAUCE: apparmor5.0.0 [29/29]: apparmor: fix fine grained inet mediation",
                            "      sock_file_perm",
                            "",
                            "  * AppArmor blocks write(2) to network sockets with Linux 6.19 (LP: #2141298)",
                            "    - SAUCE: apparmor5.0.0 [28/29]: apparmor: fix aa_label_sk_perm to check",
                            "      for RULE_MEDIATES_NET",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253)",
                            "    - SAUCE: apparmor5.0.0 [1/29]: Stacking: LSM: Single calls in secid hooks",
                            "    - SAUCE: apparmor5.0.0 [2/29]: Stacking: LSM: Exclusive secmark usage",
                            "    - SAUCE: apparmor5.0.0 [3/29]: Stacking: AppArmor: Remove the exclusive",
                            "      flag",
                            "    - SAUCE: apparmor5.0.0 [4/29]: Revert \"apparmor: fix dbus permission",
                            "      queries to v9 ABI\"",
                            "    - SAUCE: apparmor5.0.0 [5/29]: Revert \"apparmor: gate make fine grained",
                            "      unix mediation behind v9 abi\"",
                            "    - SAUCE: apparmor5.0.0 [6/29]: apparmor: net: patch to provide",
                            "      compatibility with v2.x net rules",
                            "    - SAUCE: apparmor5.0.0 [7/29]: apparmor: net: add fine grained ipv4/ipv6",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [8/29]: apparmor: lift compatibility check out of",
                            "      profile_af_perm",
                            "    - SAUCE: apparmor5.0.0 [9/29]: apparmor: userns: add unprivileged user ns",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [10/29]: apparmor: userns: Add sysctls for",
                            "      additional controls of unpriv userns restrictions",
                            "    - SAUCE: apparmor5.0.0 [12/29]: apparmor: userns: open userns related",
                            "      sysctl so lxc can check if restriction are in place",
                            "    - SAUCE: apparmor5.0.0 [13/29]: apparmor: userns: allow profile to be",
                            "      transitioned when a userns is created",
                            "    - SAUCE: apparmor5.0.0 [14/29]: apparmor: mqueue: call",
                            "      security_inode_init_security on inode creation",
                            "    - SAUCE: apparmor5.0.0 [15/29]: apparmor: mqueue: add fine grained",
                            "      mediation of posix mqueues",
                            "    - SAUCE: apparmor5.0.0 [16/29]: apparmor: uring: add io_uring mediation",
                            "    - SAUCE: apparmor5.0.0 [19/29]: apparmor: prompt: setup slab cache for",
                            "      audit data",
                            "    - SAUCE: apparmor5.0.0 [20/29]: apparmor: prompt: add the ability for",
                            "      profiles to have a learning cache",
                            "    - SAUCE: apparmor5.0.0 [21/29]: apparmor: prompt: enable userspace upcall",
                            "      for mediation",
                            "    - SAUCE: apparmor5.0.0 [22/29]: apparmor: prompt: pass prompt boolean",
                            "      through into path_name as well",
                            "    - SAUCE: apparmor5.0.0 [23/29]: apparmor: check for supported version in",
                            "      notification messages.",
                            "    - SAUCE: apparmor5.0.0 [24/29]: apparmor: refactor building notice so it",
                            "      is easier to extend",
                            "    - SAUCE: apparmor5.0.0 [25/29]: apparmor: switch from ENOTSUPP to",
                            "      EPROTONOSUPPORT",
                            "    - SAUCE: apparmor5.0.0 [26/29]: apparmor: add support for meta data tags",
                            "    - SAUCE: apparmor5.0.0 [27/29]: apparmor: prevent profile->disconnected",
                            "      double free in aa_free_profile",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // Installation",
                            "    of AppArmor on a 6.14 kernel produces error message \"Illegal number: yes\"",
                            "    (LP: #2102680)",
                            "    - SAUCE: apparmor5.0.0 [17/29]: apparmor: create an",
                            "      AA_SFS_TYPE_BOOLEAN_INTPRINT sysctl variant",
                            "    - SAUCE: apparmor5.0.0 [18/29]: apparmor: Use AA_SFS_FILE_BOOLEAN_INTPRINT",
                            "      for userns and io_uring sysctls",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe]",
                            "    apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in",
                            "    mantic (LP: #2032602)",
                            "    - SAUCE: apparmor5.0.0 [11/29]: apparmor: userns - make it so special",
                            "      unconfined profiles can mediate user namespaces",
                            "",
                            "  * NPU utilization on amdxdna is missing (LP: #2143243)",
                            "    - SAUCE: accel/amdxdna: Add IOCTL to retrieve realtime NPU power estimate",
                            "    - SAUCE: accel/amdxdna: Support sensors for column utilization",
                            "    - SAUCE: accel/amdxdna: Import AMD_PMF namespace",
                            "",
                            "  * Adopting dark mode by default for OLED panel (LP: #2143203)",
                            "    - SAUCE: drm/connector: Add a new 'panel_type' property",
                            "    - SAUCE: drm/amd/display: Attach OLED property to eDP panels",
                            "",
                            "  * Support AMD Image Signal Processing (ISP) unit V4.0 (LP: #2110092)",
                            "    - SAUCE: media: platform: amd: Introduce amd isp4 capture driver",
                            "    - SAUCE: media: platform: amd: low level support for isp4 firmware",
                            "    - SAUCE: media: platform: amd: Add isp4 fw and hw interface",
                            "    - SAUCE: media: platform: amd: isp4 subdev and firmware loading handling",
                            "      added",
                            "    - SAUCE: media: platform: amd: isp4 video node and buffers handling added",
                            "    - SAUCE: Documentation: add documentation of AMD isp 4 driver",
                            "    - SAUCE: media: platform: amd: isp4 debug fs logging and more descriptive",
                            "      errors",
                            "    - [Config] Enable VIDEO_AMD_ISP4_CAPTURE",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] temporarily disable OBJTOOL_WERROR",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-7.7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143974,
                            1990064,
                            2142956,
                            2141298,
                            2028253,
                            2028253,
                            2102680,
                            2028253,
                            2032602,
                            2143243,
                            2143203,
                            2110092
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 12 Mar 2026 10:49:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-6.6 -proposed tracker (LP: #2143745)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] drop unstable suffix",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-6.6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143745
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 17:20:26 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-5.5 -proposed tracker (LP: #2143700)",
                            "",
                            "  * Resolute real-time patchset: 7.0-rc1-rt1 (LP: #2143181)",
                            "    - SAUCE: Reapply \"serial: 8250: Switch to nbcon console\"",
                            "    - SAUCE: Reapply \"serial: 8250: Revert \"drop lockdep annotation from",
                            "      serial8250_clear_IER()\"\"",
                            "    - SAUCE: drm/i915: Use preempt_disable/enable_rt() where recommended",
                            "    - SAUCE: drm/i915: Don't disable interrupts on PREEMPT_RT during atomic",
                            "      updates",
                            "    - SAUCE: drm/i915: Disable tracing points on PREEMPT_RT",
                            "    - SAUCE: drm/i915/gt: Use spin_lock_irq() instead of local_irq_disable() +",
                            "      spin_lock()",
                            "    - SAUCE: drm/i915: Drop the irqs_disabled() check",
                            "    - SAUCE: drm/i915/guc: Consider also RCU depth in busy loop.",
                            "    - SAUCE: drm/i915: Consider RCU read section as atomic.",
                            "    - SAUCE: Revert \"drm/i915: Depend on !PREEMPT_RT.\"",
                            "    - SAUCE: sysfs: Add /sys/kernel/realtime entry",
                            "    - Real-time patchset 7.0-rc1-rt1",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] rust toolchain version update",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-5.5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143700,
                            2143181
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 08:10:31 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-4.4 -proposed tracker (LP: #2143123)",
                            "",
                            "  * efi: Fix swapped arguments to bsearch() in efi_status_to_*() SAUCE patch",
                            "    (LP: #2141276)",
                            "    - SAUCE efi: Fix swapped arguments to bsearch() in efi_status_to_*()",
                            "",
                            "  * Plucky preinstalled server fails to boot on rb3gen2 (LP: #2106681) //",
                            "    Questing preinstalled server fails to boot on sa8775p boards",
                            "    (LP: #2121347)",
                            "    - [Config] move more qcom interconnect/pinctrl/gcc options to builtin",
                            "",
                            "  * linux-tools: consider linking perf against LLVM (LP: #2138328)",
                            "    - [Packaging] Add llvm-21-dev to build-depends for perf",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] Add intel-speed-select to linux-tools",
                            "    - [Packaging] remove stale debian/dkms-versions",
                            "    - [Packaging] remove stale debian/dkms-versions scripting",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-4.4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143123,
                            2141276,
                            2106681,
                            2121347,
                            2138328
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 04 Mar 2026 13:59:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-3.3 -proposed tracker (LP: #2143020)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] updateconfig after rebase to v7.0-rc2",
                            "    - [Config] switch to PREEMPT_LAZY",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143020
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 02 Mar 2026 09:26:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-2.2 -proposed tracker (LP: #2142764)",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-2.2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142764
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Fri, 27 Feb 2026 10:25:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-1.1 -proposed tracker (LP: #2142402)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [packaging] rename to linux-unstable",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - Update Changes.md",
                            "    - [Packaging] add libbpf-dev to Build-Depends",
                            "    - [Config] disable AMD_ISP4, FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove zfs FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove evdi FTBFS",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - [Config] update toolchain version",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-1.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142402
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:32:17 +0100"
                    }
                ],
                "notes": "linux-modules-7.0.0-10-generic version '7.0.0-10.10' (source package linux version '7.0.0-10.10') was added. It has the same source package name, linux, as the removed package linux-headers-6.19.0-6, so the removed package's source package version, '6.19.0-6.6', is used as the starting point of this changelog diff. Kernel packages are an example of binary package names changing between versions of the same source package. Starting from the removed package's source package version still gives a meaningful changelog diff for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-7.0.0-10",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.19.0-6.6",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-10.10",
                    "version": "7.0.0-10.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144865,
                    2144735,
                    2142775,
                    2144652,
                    2143197,
                    2139276,
                    2143974,
                    1990064,
                    2142956,
                    2141298,
                    2028253,
                    2028253,
                    2102680,
                    2028253,
                    2032602,
                    2143243,
                    2143203,
                    2110092,
                    2143745,
                    2143700,
                    2143181,
                    2143123,
                    2141276,
                    2106681,
                    2121347,
                    2138328,
                    2143020,
                    2142764,
                    2142402
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-10.10 -proposed tracker (LP: #2144865)",
                            "",
                            "  * Miscellaneous upstream changes",
                            "    - Revert \"powerpc: fix KUAP warning in VMX usercopy path\"",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-10.10",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144865
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 19 Mar 2026 09:44:11 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-9.9 -proposed tracker (LP: #2144735)",
                            "",
                            "  * Please make dracut the default initrd generator (LP: #2142775)",
                            "    - [Packaging] recommends dracut instead of initramfs-tools",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - SAUCE: Change RISC-V target to RVA23 (riscv64a23-unknown-linux-gnu)",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-9.9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144735,
                            2142775
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 18 Mar 2026 13:11:06 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-8.8 -proposed tracker (LP: #2144652)",
                            "",
                            "  * UBUNTU: SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "    (LP: #2143197)",
                            "    - SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "",
                            "  * [usrmerge] evaluate kernel owned packages for DEP17 compliance",
                            "    (LP: #2139276)",
                            "    - [Packaging] Install modules in /usr/lib/modules",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] hardening: enable LIST_HARDENED",
                            "    - [Config] hardening: disable LDISC_AUTOLOAD",
                            "    - [Config] hardening: disable LEGACY_PTYS",
                            "    - [Config] updateconfigs following v7.0-rc4 rebase",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-8.8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144652,
                            2143197,
                            2139276
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Tue, 17 Mar 2026 18:01:36 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-7.7 -proposed tracker (LP: #2143974)",
                            "",
                            "  * unconfined profile denies userns_create for chromium based processes",
                            "    (LP: #1990064)",
                            "    - [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS",
                            "",
                            "  * Jellyfin Desktop Flatpak doesn't work with the current AppArmor profile",
                            "    (LP: #2142956)",
                            "    - SAUCE: apparmor5.0.0 [29/29]: apparmor: fix fine grained inet mediation",
                            "      sock_file_perm",
                            "",
                            "  * AppArmor blocks write(2) to network sockets with Linux 6.19 (LP: #2141298)",
                            "    - SAUCE: apparmor5.0.0 [28/29]: apparmor: fix aa_label_sk_perm to check",
                            "      for RULE_MEDIATES_NET",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253)",
                            "    - SAUCE: apparmor5.0.0 [1/29]: Stacking: LSM: Single calls in secid hooks",
                            "    - SAUCE: apparmor5.0.0 [2/29]: Stacking: LSM: Exclusive secmark usage",
                            "    - SAUCE: apparmor5.0.0 [3/29]: Stacking: AppArmor: Remove the exclusive",
                            "      flag",
                            "    - SAUCE: apparmor5.0.0 [4/29]: Revert \"apparmor: fix dbus permission",
                            "      queries to v9 ABI\"",
                            "    - SAUCE: apparmor5.0.0 [5/29]: Revert \"apparmor: gate make fine grained",
                            "      unix mediation behind v9 abi\"",
                            "    - SAUCE: apparmor5.0.0 [6/29]: apparmor: net: patch to provide",
                            "      compatibility with v2.x net rules",
                            "    - SAUCE: apparmor5.0.0 [7/29]: apparmor: net: add fine grained ipv4/ipv6",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [8/29]: apparmor: lift compatibility check out of",
                            "      profile_af_perm",
                            "    - SAUCE: apparmor5.0.0 [9/29]: apparmor: userns: add unprivileged user ns",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [10/29]: apparmor: userns: Add sysctls for",
                            "      additional controls of unpriv userns restrictions",
                            "    - SAUCE: apparmor5.0.0 [12/29]: apparmor: userns: open userns related",
                            "      sysctl so lxc can check if restriction are in place",
                            "    - SAUCE: apparmor5.0.0 [13/29]: apparmor: userns: allow profile to be",
                            "      transitioned when a userns is created",
                            "    - SAUCE: apparmor5.0.0 [14/29]: apparmor: mqueue: call",
                            "      security_inode_init_security on inode creation",
                            "    - SAUCE: apparmor5.0.0 [15/29]: apparmor: mqueue: add fine grained",
                            "      mediation of posix mqueues",
                            "    - SAUCE: apparmor5.0.0 [16/29]: apparmor: uring: add io_uring mediation",
                            "    - SAUCE: apparmor5.0.0 [19/29]: apparmor: prompt: setup slab cache for",
                            "      audit data",
                            "    - SAUCE: apparmor5.0.0 [20/29]: apparmor: prompt: add the ability for",
                            "      profiles to have a learning cache",
                            "    - SAUCE: apparmor5.0.0 [21/29]: apparmor: prompt: enable userspace upcall",
                            "      for mediation",
                            "    - SAUCE: apparmor5.0.0 [22/29]: apparmor: prompt: pass prompt boolean",
                            "      through into path_name as well",
                            "    - SAUCE: apparmor5.0.0 [23/29]: apparmor: check for supported version in",
                            "      notification messages.",
                            "    - SAUCE: apparmor5.0.0 [24/29]: apparmor: refactor building notice so it",
                            "      is easier to extend",
                            "    - SAUCE: apparmor5.0.0 [25/29]: apparmor: switch from ENOTSUPP to",
                            "      EPROTONOSUPPORT",
                            "    - SAUCE: apparmor5.0.0 [26/29]: apparmor: add support for meta data tags",
                            "    - SAUCE: apparmor5.0.0 [27/29]: apparmor: prevent profile->disconnected",
                            "      double free in aa_free_profile",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // Installation",
                            "    of AppArmor on a 6.14 kernel produces error message \"Illegal number: yes\"",
                            "    (LP: #2102680)",
                            "    - SAUCE: apparmor5.0.0 [17/29]: apparmor: create an",
                            "      AA_SFS_TYPE_BOOLEAN_INTPRINT sysctl variant",
                            "    - SAUCE: apparmor5.0.0 [18/29]: apparmor: Use AA_SFS_FILE_BOOLEAN_INTPRINT",
                            "      for userns and io_uring sysctls",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe]",
                            "    apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in",
                            "    mantic (LP: #2032602)",
                            "    - SAUCE: apparmor5.0.0 [11/29]: apparmor: userns - make it so special",
                            "      unconfined profiles can mediate user namespaces",
                            "",
                            "  * NPU utilization on amdxdna is missing (LP: #2143243)",
                            "    - SAUCE: accel/amdxdna: Add IOCTL to retrieve realtime NPU power estimate",
                            "    - SAUCE: accel/amdxdna: Support sensors for column utilization",
                            "    - SAUCE: accel/amdxdna: Import AMD_PMF namespace",
                            "",
                            "  * Adopting dark mode by default for OLED panel (LP: #2143203)",
                            "    - SAUCE: drm/connector: Add a new 'panel_type' property",
                            "    - SAUCE: drm/amd/display: Attach OLED property to eDP panels",
                            "",
                            "  * Support AMD Image Signal Processing (ISP) unit V4.0 (LP: #2110092)",
                            "    - SAUCE: media: platform: amd: Introduce amd isp4 capture driver",
                            "    - SAUCE: media: platform: amd: low level support for isp4 firmware",
                            "    - SAUCE: media: platform: amd: Add isp4 fw and hw interface",
                            "    - SAUCE: media: platform: amd: isp4 subdev and firmware loading handling",
                            "      added",
                            "    - SAUCE: media: platform: amd: isp4 video node and buffers handling added",
                            "    - SAUCE: Documentation: add documentation of AMD isp 4 driver",
                            "    - SAUCE: media: platform: amd: isp4 debug fs logging and more descriptive",
                            "      errors",
                            "    - [Config] Enable VIDEO_AMD_ISP4_CAPTURE",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] temporarily disable OBJTOOL_WERROR",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-7.7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143974,
                            1990064,
                            2142956,
                            2141298,
                            2028253,
                            2028253,
                            2102680,
                            2028253,
                            2032602,
                            2143243,
                            2143203,
                            2110092
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 12 Mar 2026 10:49:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-6.6 -proposed tracker (LP: #2143745)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] drop unstable suffix",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-6.6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143745
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 17:20:26 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-5.5 -proposed tracker (LP: #2143700)",
                            "",
                            "  * Resolute real-time patchset: 7.0-rc1-rt1 (LP: #2143181)",
                            "    - SAUCE: Reapply \"serial: 8250: Switch to nbcon console\"",
                            "    - SAUCE: Reapply \"serial: 8250: Revert \"drop lockdep annotation from",
                            "      serial8250_clear_IER()\"\"",
                            "    - SAUCE: drm/i915: Use preempt_disable/enable_rt() where recommended",
                            "    - SAUCE: drm/i915: Don't disable interrupts on PREEMPT_RT during atomic",
                            "      updates",
                            "    - SAUCE: drm/i915: Disable tracing points on PREEMPT_RT",
                            "    - SAUCE: drm/i915/gt: Use spin_lock_irq() instead of local_irq_disable() +",
                            "      spin_lock()",
                            "    - SAUCE: drm/i915: Drop the irqs_disabled() check",
                            "    - SAUCE: drm/i915/guc: Consider also RCU depth in busy loop.",
                            "    - SAUCE: drm/i915: Consider RCU read section as atomic.",
                            "    - SAUCE: Revert \"drm/i915: Depend on !PREEMPT_RT.\"",
                            "    - SAUCE: sysfs: Add /sys/kernel/realtime entry",
                            "    - Real-time patchset 7.0-rc1-rt1",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] rust toolchain version update",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-5.5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143700,
                            2143181
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 08:10:31 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-4.4 -proposed tracker (LP: #2143123)",
                            "",
                            "  * efi: Fix swapped arguments to bsearch() in efi_status_to_*() SAUCE patch",
                            "    (LP: #2141276)",
                            "    - SAUCE efi: Fix swapped arguments to bsearch() in efi_status_to_*()",
                            "",
                            "  * Plucky preinstalled server fails to boot on rb3gen2 (LP: #2106681) //",
                            "    Questing preinstalled server fails to boot on sa8775p boards",
                            "    (LP: #2121347)",
                            "    - [Config] move more qcom interconnect/pinctrl/gcc options to builtin",
                            "",
                            "  * linux-tools: consider linking perf against LLVM (LP: #2138328)",
                            "    - [Packaging] Add llvm-21-dev to build-depends for perf",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] Add intel-speed-select to linux-tools",
                            "    - [Packaging] remove stale debian/dkms-versions",
                            "    - [Packaging] remove stale debian/dkms-versions scripting",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-4.4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143123,
                            2141276,
                            2106681,
                            2121347,
                            2138328
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 04 Mar 2026 13:59:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-3.3 -proposed tracker (LP: #2143020)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] updateconfig after rebase to v7.0-rc2",
                            "    - [Config] switch to PREEMPT_LAZY",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143020
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 02 Mar 2026 09:26:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-2.2 -proposed tracker (LP: #2142764)",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-2.2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142764
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Fri, 27 Feb 2026 10:25:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-1.1 -proposed tracker (LP: #2142402)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [packaging] rename to linux-unstable",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - Update Changes.md",
                            "    - [Packaging] add libbpf-dev to Build-Depends",
                            "    - [Config] disable AMD_ISP4, FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove zfs FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove evdi FTBFS",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - [Config] update toolchain version",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-1.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142402
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:32:17 +0100"
                    }
                ],
                "notes": "linux-tools-7.0.0-10 version '7.0.0-10.10' (source package linux version '7.0.0-10.10') was added. linux-tools-7.0.0-10 version '7.0.0-10.10' has the same source package name, linux, as removed package linux-headers-6.19.0-6. As such we can use the source package version of the removed package, '6.19.0-6.6', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-7.0.0-10-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.19.0-6.6",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-10.10",
                    "version": "7.0.0-10.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2144865,
                    2144735,
                    2142775,
                    2144652,
                    2143197,
                    2139276,
                    2143974,
                    1990064,
                    2142956,
                    2141298,
                    2028253,
                    2028253,
                    2102680,
                    2028253,
                    2032602,
                    2143243,
                    2143203,
                    2110092,
                    2143745,
                    2143700,
                    2143181,
                    2143123,
                    2141276,
                    2106681,
                    2121347,
                    2138328,
                    2143020,
                    2142764,
                    2142402
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-10.10 -proposed tracker (LP: #2144865)",
                            "",
                            "  * Miscellaneous upstream changes",
                            "    - Revert \"powerpc: fix KUAP warning in VMX usercopy path\"",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-10.10",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144865
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 19 Mar 2026 09:44:11 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-9.9 -proposed tracker (LP: #2144735)",
                            "",
                            "  * Please make dracut the default initrd generator (LP: #2142775)",
                            "    - [Packaging] recommends dracut instead of initramfs-tools",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - SAUCE: Change RISC-V target to RVA23 (riscv64a23-unknown-linux-gnu)",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-9.9",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144735,
                            2142775
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 18 Mar 2026 13:11:06 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-8.8 -proposed tracker (LP: #2144652)",
                            "",
                            "  * UBUNTU: SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "    (LP: #2143197)",
                            "    - SAUCE: igc: Increase Thunderbolt MAC passthrough delay to 1000ms",
                            "",
                            "  * [usrmerge] evaluate kernel owned packages for DEP17 compliance",
                            "    (LP: #2139276)",
                            "    - [Packaging] Install modules in /usr/lib/modules",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] hardening: enable LIST_HARDENED",
                            "    - [Config] hardening: disable LDISC_AUTOLOAD",
                            "    - [Config] hardening: disable LEGACY_PTYS",
                            "    - [Config] updateconfigs following v7.0-rc4 rebase",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-8.8",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2144652,
                            2143197,
                            2139276
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Tue, 17 Mar 2026 18:01:36 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-7.7 -proposed tracker (LP: #2143974)",
                            "",
                            "  * unconfined profile denies userns_create for chromium based processes",
                            "    (LP: #1990064)",
                            "    - [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS",
                            "",
                            "  * Jellyfin Desktop Flatpak doesn't work with the current AppArmor profile",
                            "    (LP: #2142956)",
                            "    - SAUCE: apparmor5.0.0 [29/29]: apparmor: fix fine grained inet mediation",
                            "      sock_file_perm",
                            "",
                            "  * AppArmor blocks write(2) to network sockets with Linux 6.19 (LP: #2141298)",
                            "    - SAUCE: apparmor5.0.0 [28/29]: apparmor: fix aa_label_sk_perm to check",
                            "      for RULE_MEDIATES_NET",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253)",
                            "    - SAUCE: apparmor5.0.0 [1/29]: Stacking: LSM: Single calls in secid hooks",
                            "    - SAUCE: apparmor5.0.0 [2/29]: Stacking: LSM: Exclusive secmark usage",
                            "    - SAUCE: apparmor5.0.0 [3/29]: Stacking: AppArmor: Remove the exclusive",
                            "      flag",
                            "    - SAUCE: apparmor5.0.0 [4/29]: Revert \"apparmor: fix dbus permission",
                            "      queries to v9 ABI\"",
                            "    - SAUCE: apparmor5.0.0 [5/29]: Revert \"apparmor: gate make fine grained",
                            "      unix mediation behind v9 abi\"",
                            "    - SAUCE: apparmor5.0.0 [6/29]: apparmor: net: patch to provide",
                            "      compatibility with v2.x net rules",
                            "    - SAUCE: apparmor5.0.0 [7/29]: apparmor: net: add fine grained ipv4/ipv6",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [8/29]: apparmor: lift compatibility check out of",
                            "      profile_af_perm",
                            "    - SAUCE: apparmor5.0.0 [9/29]: apparmor: userns: add unprivileged user ns",
                            "      mediation",
                            "    - SAUCE: apparmor5.0.0 [10/29]: apparmor: userns: Add sysctls for",
                            "      additional controls of unpriv userns restrictions",
                            "    - SAUCE: apparmor5.0.0 [12/29]: apparmor: userns: open userns related",
                            "      sysctl so lxc can check if restriction are in place",
                            "    - SAUCE: apparmor5.0.0 [13/29]: apparmor: userns: allow profile to be",
                            "      transitioned when a userns is created",
                            "    - SAUCE: apparmor5.0.0 [14/29]: apparmor: mqueue: call",
                            "      security_inode_init_security on inode creation",
                            "    - SAUCE: apparmor5.0.0 [15/29]: apparmor: mqueue: add fine grained",
                            "      mediation of posix mqueues",
                            "    - SAUCE: apparmor5.0.0 [16/29]: apparmor: uring: add io_uring mediation",
                            "    - SAUCE: apparmor5.0.0 [19/29]: apparmor: prompt: setup slab cache for",
                            "      audit data",
                            "    - SAUCE: apparmor5.0.0 [20/29]: apparmor: prompt: add the ability for",
                            "      profiles to have a learning cache",
                            "    - SAUCE: apparmor5.0.0 [21/29]: apparmor: prompt: enable userspace upcall",
                            "      for mediation",
                            "    - SAUCE: apparmor5.0.0 [22/29]: apparmor: prompt: pass prompt boolean",
                            "      through into path_name as well",
                            "    - SAUCE: apparmor5.0.0 [23/29]: apparmor: check for supported version in",
                            "      notification messages.",
                            "    - SAUCE: apparmor5.0.0 [24/29]: apparmor: refactor building notice so it",
                            "      is easier to extend",
                            "    - SAUCE: apparmor5.0.0 [25/29]: apparmor: switch from ENOTSUPP to",
                            "      EPROTONOSUPPORT",
                            "    - SAUCE: apparmor5.0.0 [26/29]: apparmor: add support for meta data tags",
                            "    - SAUCE: apparmor5.0.0 [27/29]: apparmor: prevent profile->disconnected",
                            "      double free in aa_free_profile",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // Installation",
                            "    of AppArmor on a 6.14 kernel produces error message \"Illegal number: yes\"",
                            "    (LP: #2102680)",
                            "    - SAUCE: apparmor5.0.0 [17/29]: apparmor: create an",
                            "      AA_SFS_TYPE_BOOLEAN_INTPRINT sysctl variant",
                            "    - SAUCE: apparmor5.0.0 [18/29]: apparmor: Use AA_SFS_FILE_BOOLEAN_INTPRINT",
                            "      for userns and io_uring sysctls",
                            "",
                            "  * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe]",
                            "    apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in",
                            "    mantic (LP: #2032602)",
                            "    - SAUCE: apparmor5.0.0 [11/29]: apparmor: userns - make it so special",
                            "      unconfined profiles can mediate user namespaces",
                            "",
                            "  * NPU utilization on amdxdna is missing (LP: #2143243)",
                            "    - SAUCE: accel/amdxdna: Add IOCTL to retrieve realtime NPU power estimate",
                            "    - SAUCE: accel/amdxdna: Support sensors for column utilization",
                            "    - SAUCE: accel/amdxdna: Import AMD_PMF namespace",
                            "",
                            "  * Adopting dark mode by default for OLED panel (LP: #2143203)",
                            "    - SAUCE: drm/connector: Add a new 'panel_type' property",
                            "    - SAUCE: drm/amd/display: Attach OLED property to eDP panels",
                            "",
                            "  * Support AMD Image Signal Processing (ISP) unit V4.0 (LP: #2110092)",
                            "    - SAUCE: media: platform: amd: Introduce amd isp4 capture driver",
                            "    - SAUCE: media: platform: amd: low level support for isp4 firmware",
                            "    - SAUCE: media: platform: amd: Add isp4 fw and hw interface",
                            "    - SAUCE: media: platform: amd: isp4 subdev and firmware loading handling",
                            "      added",
                            "    - SAUCE: media: platform: amd: isp4 video node and buffers handling added",
                            "    - SAUCE: Documentation: add documentation of AMD isp 4 driver",
                            "    - SAUCE: media: platform: amd: isp4 debug fs logging and more descriptive",
                            "      errors",
                            "    - [Config] Enable VIDEO_AMD_ISP4_CAPTURE",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] temporarily disable OBJTOOL_WERROR",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-7.7",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143974,
                            1990064,
                            2142956,
                            2141298,
                            2028253,
                            2028253,
                            2102680,
                            2028253,
                            2032602,
                            2143243,
                            2143203,
                            2110092
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Thu, 12 Mar 2026 10:49:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-6.6 -proposed tracker (LP: #2143745)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] drop unstable suffix",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-6.6",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143745
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 17:20:26 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-5.5 -proposed tracker (LP: #2143700)",
                            "",
                            "  * Resolute real-time patchset: 7.0-rc1-rt1 (LP: #2143181)",
                            "    - SAUCE: Reapply \"serial: 8250: Switch to nbcon console\"",
                            "    - SAUCE: Reapply \"serial: 8250: Revert \"drop lockdep annotation from",
                            "      serial8250_clear_IER()\"\"",
                            "    - SAUCE: drm/i915: Use preempt_disable/enable_rt() where recommended",
                            "    - SAUCE: drm/i915: Don't disable interrupts on PREEMPT_RT during atomic",
                            "      updates",
                            "    - SAUCE: drm/i915: Disable tracing points on PREEMPT_RT",
                            "    - SAUCE: drm/i915/gt: Use spin_lock_irq() instead of local_irq_disable() +",
                            "      spin_lock()",
                            "    - SAUCE: drm/i915: Drop the irqs_disabled() check",
                            "    - SAUCE: drm/i915/guc: Consider also RCU depth in busy loop.",
                            "    - SAUCE: drm/i915: Consider RCU read section as atomic.",
                            "    - SAUCE: Revert \"drm/i915: Depend on !PREEMPT_RT.\"",
                            "    - SAUCE: sysfs: Add /sys/kernel/realtime entry",
                            "    - Real-time patchset 7.0-rc1-rt1",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] rust toolchain version update",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-5.5",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143700,
                            2143181
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 09 Mar 2026 08:10:31 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-4.4 -proposed tracker (LP: #2143123)",
                            "",
                            "  * efi: Fix swapped arguments to bsearch() in efi_status_to_*() SAUCE patch",
                            "    (LP: #2141276)",
                            "    - SAUCE efi: Fix swapped arguments to bsearch() in efi_status_to_*()",
                            "",
                            "  * Plucky preinstalled server fails to boot on rb3gen2 (LP: #2106681) //",
                            "    Questing preinstalled server fails to boot on sa8775p boards",
                            "    (LP: #2121347)",
                            "    - [Config] move more qcom interconnect/pinctrl/gcc options to builtin",
                            "",
                            "  * linux-tools: consider linking perf against LLVM (LP: #2138328)",
                            "    - [Packaging] Add llvm-21-dev to build-depends for perf",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Packaging] Add intel-speed-select to linux-tools",
                            "    - [Packaging] remove stale debian/dkms-versions",
                            "    - [Packaging] remove stale debian/dkms-versions scripting",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-4.4",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143123,
                            2141276,
                            2106681,
                            2121347,
                            2138328
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 04 Mar 2026 13:59:02 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-3.3 -proposed tracker (LP: #2143020)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [Config] updateconfig after rebase to v7.0-rc2",
                            "    - [Config] switch to PREEMPT_LAZY",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-3.3",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2143020
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 02 Mar 2026 09:26:45 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-2.2 -proposed tracker (LP: #2142764)",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-2.2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142764
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Fri, 27 Feb 2026 10:25:35 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux-unstable: 7.0.0-1.1 -proposed tracker (LP: #2142402)",
                            "",
                            "  * Miscellaneous Ubuntu changes",
                            "    - [packaging] rename to linux-unstable",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - Update Changes.md",
                            "    - [Packaging] add libbpf-dev to Build-Depends",
                            "    - [Config] disable AMD_ISP4, FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove zfs FTBFS",
                            "    - [Packaging] debian.master/dkms-versions -- temporarily remove evdi FTBFS",
                            "    - [Config] updateconfig after rebase to v7.0-rc1",
                            "    - [Config] update toolchain version",
                            ""
                        ],
                        "package": "linux-unstable",
                        "version": "7.0.0-1.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2142402
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 23 Feb 2026 08:32:17 +0100"
                    }
                ],
                "notes": "linux-tools-7.0.0-10-generic version '7.0.0-10.10' (source package linux version '7.0.0-10.10') was added. linux-tools-7.0.0-10-generic version '7.0.0-10.10' has the same source package name, linux, as removed package linux-headers-6.19.0-6. As such, we can use the source package version of the removed package, '6.19.0-6.6', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package's source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "manpages-dev",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "manpages",
                    "source_package_version": "6.17-1",
                    "version": "6.17-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 6.17",
                            "    - Refresh patches",
                            "    - Add 0BSD to known licenses",
                            "  * Update Standards-Version to 4.7.3",
                            "  * Replace FSF postal address with their website",
                            "  * Update lintian overrides",
                            "  * Fix lintian warnings",
                            "    - missing-license-paragraph-in-dep5-copyright",
                            "    - space-in-std-shortname-in-dep5-copyright",
                            "  * Update d/copyright",
                            ""
                        ],
                        "package": "manpages",
                        "version": "6.17-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Dr. Tobias Quathamer <toddy@debian.org>",
                        "date": "Wed, 11 Feb 2026 22:31:51 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 6.16",
                            "    - Refresh patches",
                            "    - Add new Build-Depends on awk and pcre2-utils",
                            ""
                        ],
                        "package": "manpages",
                        "version": "6.16-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Dr. Tobias Quathamer <toddy@debian.org>",
                        "date": "Sun, 02 Nov 2025 21:55:41 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 6.15 (Closes: #1098520)",
                            "    - Refresh patches",
                            "    - Exclude usr/bin files from being installed in the binary package",
                            "    - Include man2 and man3 directories with appendices",
                            "  * Update debian/watch to v5",
                            "  * Use MAKEFLAGS += -R",
                            "  * Disable autotest for now",
                            "  * Reformat shell scripts with shfmt and use shellcheck",
                            "  * Update scripts to handle new upstream directory layout",
                            "  * Update Standards-Version to 4.7.2, no changes needed",
                            "  * Remove Rules-Requires-Root from d/control",
                            "  * Update d/copyright",
                            ""
                        ],
                        "package": "manpages",
                        "version": "6.15-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Dr. Tobias Quathamer <toddy@debian.org>",
                        "date": "Sat, 04 Oct 2025 00:03:54 +0200"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "python3.14",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.3-3",
                    "version": "3.14.3-3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-0865",
                        "url": "https://ubuntu.com/security/CVE-2026-0865",
                        "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1299",
                        "url": "https://ubuntu.com/security/CVE-2026-1299",
                        "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules; the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-23 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15282",
                        "url": "https://ubuntu.com/security/CVE-2025-15282",
                        "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-11468",
                        "url": "https://ubuntu.com/security/CVE-2025-11468",
                        "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update to the 3.14 branch 2026-03-21.",
                            "  * Drop build dependency on blt, gone since 3.13.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sat, 21 Mar 2026 12:37:05 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Drop explicit Build-Depends on quilt, it's only used in manual rules",
                            "    targets. Closes: #1129933.",
                            "  * Use dh_usrlocal to create /usr/local/python3.14/dist-packages.",
                            "    Closes: #1127103.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Update to the 3.14 branch 2026-03-11.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 11 Mar 2026 20:17:30 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-0865",
                                "url": "https://ubuntu.com/security/CVE-2026-0865",
                                "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1299",
                                "url": "https://ubuntu.com/security/CVE-2026-1299",
                                "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules; the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-23 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15282",
                                "url": "https://ubuntu.com/security/CVE-2025-15282",
                                "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-11468",
                                "url": "https://ubuntu.com/security/CVE-2025-11468",
                                "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Python 3.14.3 final.",
                            "    - Ensures that Element & Attr instances have the ownerDocument attribute.",
                            "      Closes: #1122875",
                            "    - Reject control characters in wsgiref.headers.Headers. Closes: #1126739,",
                            "      CVE-2026-0865.",
                            "    - email: verify headers are sound in BytesGenerator. Closes: #1126744,",
                            "      CVE-2026-1299.",
                            "    - Reject control characters in http cookies. Closes: #1126761,",
                            "      CVE-2026-0672.",
                            "    - Reject control characters in data: URL mediatype. Closes: #1126779,",
                            "      CVE-2025-15282.",
                            "    - email: Preserve parens when folding comments. Closes: #1126786,",
                            "      CVE-2025-11468.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Modules/termios.c: stop using TC operations that need termio.h.",
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Refresh patches.",
                            "  * Drop m68k patch, merged upstream.",
                            "  * Patch: Rename build-details.json to fix multiarch co-installability.",
                            "    Closes: #1121810",
                            "  * Refresh guarded imports list.",
                            "  * Patch: Handle no concurrent module in compileall under python3.14-minimal.",
                            "  * Patch: Handle missing _pyrepl in _sitebuiltins under python3.13-minimal.",
                            "  * Provide pdb3.14 as a wrapper script, now that the module is no longer",
                            "    directly executable. Closes: #1121899.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Wed, 04 Feb 2026 11:33:49 -0400"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "python3.14-minimal",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.3-3",
                    "version": "3.14.3-3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-0865",
                        "url": "https://ubuntu.com/security/CVE-2026-0865",
                        "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1299",
                        "url": "https://ubuntu.com/security/CVE-2026-1299",
                        "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules; the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-23 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-0672",
                        "url": "https://ubuntu.com/security/CVE-2026-0672",
                        "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-15282",
                        "url": "https://ubuntu.com/security/CVE-2025-15282",
                        "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-11468",
                        "url": "https://ubuntu.com/security/CVE-2025-11468",
                        "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-01-20 22:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Update to the 3.14 branch 2026-03-21.",
                            "  * Drop build dependency on blt, gone since 3.13.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.3-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sat, 21 Mar 2026 12:37:05 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Drop explicit Build-Depends on quilt, it's only used in manual rules",
                            "    targets. Closes: #1129933.",
                            "  * Use dh_usrlocal to create /usr/local/python3.14/dist-packages.",
                            "    Closes: #1127103.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Update to the 3.14 branch 2026-03-11.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 11 Mar 2026 20:17:30 +0100"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-0865",
                                "url": "https://ubuntu.com/security/CVE-2026-0865",
                                "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1299",
                                "url": "https://ubuntu.com/security/CVE-2026-1299",
                                "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules; the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-23 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-0672",
                                "url": "https://ubuntu.com/security/CVE-2026-0672",
                                "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-15282",
                                "url": "https://ubuntu.com/security/CVE-2025-15282",
                                "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-11468",
                                "url": "https://ubuntu.com/security/CVE-2025-11468",
                                "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-01-20 22:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Python 3.14.3 final.",
                            "    - Ensures that Element & Attr instances have the ownerDocument attribute.",
                            "      Closes: #1122875",
                            "    - Reject control characters in wsgiref.headers.Headers. Closes: #1126739,",
                            "      CVE-2026-0865.",
                            "    - email: verify headers are sound in BytesGenerator. Closes: #1126744,",
                            "      CVE-2026-1299.",
                            "    - Reject control characters in http cookies. Closes: #1126761,",
                            "      CVE-2026-0672.",
                            "    - Reject control characters in data: URL mediatype. Closes: #1126779,",
                            "      CVE-2025-15282.",
                            "    - email: Preserve parens when folding comments. Closes: #1126786,",
                            "      CVE-2025-11468.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Modules/termios.c: stop using TC operations that need termio.h.",
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Refresh patches.",
                            "  * Drop m68k patch, merged upstream.",
                            "  * Patch: Rename build-details.json to fix multiarch co-installability.",
                            "    Closes: #1121810",
                            "  * Refresh guarded imports list.",
                            "  * Patch: Handle no concurrent module in compileall under python3.14-minimal.",
                            "  * Patch: Handle missing _pyrepl in _sitebuiltins under python3.13-minimal.",
                            "  * Provide pdb3.14 as a wrapper script, now that the module is no longer",
                            "    directly executable. Closes: #1121899.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Wed, 04 Feb 2026 11:33:49 -0400"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            },
            {
                "name": "rpcsvc-proto",
                "from_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "to_version": {
                    "source_package_name": "rpcsvc-proto",
                    "source_package_version": "1.4.3-1build1",
                    "version": "1.4.3-1build1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "rpcsvc-proto",
                        "version": "1.4.3-1build1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:38:21 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * New upstream version.",
                            "  * Update debian/copyright.",
                            "  * Bump Standards-Version to 4.6.1 (no changes).",
                            "",
                            "  [ Helmut Grohne ]",
                            "  * Fix FTCBFS: Run the installed rpcgen during cross builds.  Closes:",
                            "    #1025148)",
                            ""
                        ],
                        "package": "rpcsvc-proto",
                        "version": "1.4.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Fri, 02 Dec 2022 22:30:20 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump the breaks + replace version to 2.31-14. Thanks to Simon McVittie for",
                            "    the hint.  Closes: #983910.",
                            "  * Bump Standards-Version to 4.6.0 (no changes).",
                            ""
                        ],
                        "package": "rpcsvc-proto",
                        "version": "1.4.2-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Wed, 18 Aug 2021 22:04:55 +0200"
                    }
                ],
                "notes": "For a newly added package only the three most recent changelog entries are shown.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "cryptsetup-initramfs",
                "from_version": {
                    "source_package_name": "cryptsetup",
                    "source_package_version": "2:2.8.4-1ubuntu1",
                    "version": "2:2.8.4-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "initramfs-tools",
                "from_version": {
                    "source_package_name": "initramfs-tools",
                    "source_package_version": "0.150ubuntu7",
                    "version": "0.150ubuntu7"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libarchive13t64:armhf",
                "from_version": {
                    "source_package_name": "libarchive",
                    "source_package_version": "3.7.7-0ubuntu3",
                    "version": "3.7.7-0ubuntu3"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libgpgme11t64:armhf",
                "from_version": {
                    "source_package_name": "gpgme1.0",
                    "source_package_version": "1.24.2-3ubuntu2",
                    "version": "1.24.2-3ubuntu2"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnvme1t64",
                "from_version": {
                    "source_package_name": "libnvme",
                    "source_package_version": "1.16.1-2",
                    "version": "1.16.1-2"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libprotobuf-c1:armhf",
                "from_version": {
                    "source_package_name": "protobuf-c",
                    "source_package_version": "1.5.1-1ubuntu2",
                    "version": "1.5.1-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-6.19.0-6",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.19.0-6.6",
                    "version": "6.19.0-6.6"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-6.19.0-6-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.19.0-6.6",
                    "version": "6.19.0-6.6"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-6.19.0-6-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.19.0-6.6",
                    "version": "6.19.0-6.6"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.19.0-6-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.19.0-6.6",
                    "version": "6.19.0-6.6"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-6.19.0-6",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.19.0-6.6",
                    "version": "6.19.0-6.6"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-6.19.0-6-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.19.0-6.6",
                    "version": "6.19.0-6.6"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.13-gdbm",
                "from_version": {
                    "source_package_name": "python3.13",
                    "source_package_version": "3.13.12-1",
                    "version": "3.13.12-1"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 26.04 resolute image from daily image serial 20260221 to 20260328",
    "from_series": "resolute",
    "to_series": "resolute",
    "from_serial": "20260221",
    "to_serial": "20260328",
    "from_manifest_filename": "daily_manifest.previous",
    "to_manifest_filename": "manifest.current"
}