{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [], "removed": [], "diff": [ "curl", "libcurl4t64", "libfreetype6", "libpython3.12-minimal", "libpython3.12-stdlib", "linux-base", "python3.12", "python3.12-minimal" ] } }, "diff": { "deb": [ { "name": "curl", "from_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.7", "version": "8.5.0-2ubuntu10.7" }, "to_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.8", "version": "8.5.0-2ubuntu10.8" }, "cves": [ { "cve": "CVE-2026-1965", "url": "https://ubuntu.com/security/CVE-2026-1965", "cve_description": "libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3783", "url": "https://ubuntu.com/security/CVE-2026-3783", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl cwould leak that token to the second hostname under some circumstances.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3784", "url": "https://ubuntu.com/security/CVE-2026-3784", "cve_description": "", "cve_priority": "low", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2025-0167", "url": "https://ubuntu.com/security/CVE-2025-0167", "cve_description": "When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.", "cve_priority": "low", "cve_public_date": "2025-02-05 10:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-1965", "url": "https://ubuntu.com/security/CVE-2026-1965", "cve_description": "libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3783", "url": "https://ubuntu.com/security/CVE-2026-3783", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl cwould leak that token to the second hostname under some circumstances.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3784", "url": "https://ubuntu.com/security/CVE-2026-3784", "cve_description": "", "cve_priority": "low", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2025-0167", "url": "https://ubuntu.com/security/CVE-2025-0167", "cve_description": "When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.", "cve_priority": "low", "cve_public_date": "2025-02-05 10:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: bad reuse of HTTP Negotiate connection", " - debian/patches/CVE-2026-1965-1.patch: fix reuse of connections using", " HTTP Negotiate in lib/url.c.", " - debian/patches/CVE-2026-1965-2.patch: fix copy and paste", " url_match_auth_nego mistake in lib/url.c.", " - CVE-2026-1965", " * SECURITY UPDATE: token leak with redirect and netrc", " - debian/patches/CVE-2026-3783.patch: only send bearer if auth is", " allowed in lib/http.c, tests/data/Makefile.inc, tests/data/test2006.", " - CVE-2026-3783", " * SECURITY UPDATE: wrong proxy connection reuse with credentials", " - debian/patches/CVE-2026-3784.patch: add additional tests in", " lib/url.c.", " - CVE-2026-3784", " * SECURITY UPDATE: netrc and default credential leak", " - debian/patches/CVE-2025-0167.patch: 'default' with no credentials is", " not a match in lib/netrc.c, tests/data/Makefile.inc,", " tests/data/test486.", " - CVE-2025-0167", "" ], "package": "curl", "version": "8.5.0-2ubuntu10.8", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 10 Mar 2026 10:42:35 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libcurl4t64", "from_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.7", "version": "8.5.0-2ubuntu10.7" }, "to_version": { "source_package_name": "curl", "source_package_version": "8.5.0-2ubuntu10.8", "version": "8.5.0-2ubuntu10.8" }, "cves": [ { "cve": "CVE-2026-1965", "url": "https://ubuntu.com/security/CVE-2026-1965", "cve_description": "libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3783", "url": "https://ubuntu.com/security/CVE-2026-3783", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl cwould leak that token to the second hostname under some circumstances.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3784", "url": "https://ubuntu.com/security/CVE-2026-3784", "cve_description": "", "cve_priority": "low", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2025-0167", "url": "https://ubuntu.com/security/CVE-2025-0167", "cve_description": "When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.", "cve_priority": "low", "cve_public_date": "2025-02-05 10:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-1965", "url": "https://ubuntu.com/security/CVE-2026-1965", "cve_description": "libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3783", "url": "https://ubuntu.com/security/CVE-2026-3783", "cve_description": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl cwould leak that token to the second hostname under some circumstances.", "cve_priority": "medium", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2026-3784", "url": "https://ubuntu.com/security/CVE-2026-3784", "cve_description": "", "cve_priority": "low", "cve_public_date": "2026-03-11 18:00:00 UTC" }, { "cve": "CVE-2025-0167", "url": "https://ubuntu.com/security/CVE-2025-0167", "cve_description": "When asked to use a `.netrc` file for credentials **and** to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a `default` entry that omits both login and password. A rare circumstance.", "cve_priority": "low", "cve_public_date": "2025-02-05 10:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: bad reuse of HTTP Negotiate connection", " - debian/patches/CVE-2026-1965-1.patch: fix reuse of connections using", " HTTP Negotiate in lib/url.c.", " - debian/patches/CVE-2026-1965-2.patch: fix copy and paste", " url_match_auth_nego mistake in lib/url.c.", " - CVE-2026-1965", " * SECURITY UPDATE: token leak with redirect and netrc", " - debian/patches/CVE-2026-3783.patch: only send bearer if auth is", " allowed in lib/http.c, tests/data/Makefile.inc, tests/data/test2006.", " - CVE-2026-3783", " * SECURITY UPDATE: wrong proxy connection reuse with credentials", " - debian/patches/CVE-2026-3784.patch: add additional tests in", " lib/url.c.", " - CVE-2026-3784", " * SECURITY UPDATE: netrc and default credential leak", " - debian/patches/CVE-2025-0167.patch: 'default' with no credentials is", " not a match in lib/netrc.c, tests/data/Makefile.inc,", " tests/data/test486.", " - CVE-2025-0167", "" ], "package": "curl", "version": "8.5.0-2ubuntu10.8", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 10 Mar 2026 10:42:35 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libfreetype6", "from_version": { "source_package_name": "freetype", "source_package_version": "2.13.2+dfsg-1build3", "version": "2.13.2+dfsg-1build3" }, "to_version": { "source_package_name": "freetype", "source_package_version": "2.13.2+dfsg-1ubuntu0.1", "version": "2.13.2+dfsg-1ubuntu0.1" }, "cves": [ { "cve": "CVE-2026-23865", "url": "https://ubuntu.com/security/CVE-2026-23865", "cve_description": "An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.", "cve_priority": "medium", "cve_public_date": "2026-03-02 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-23865", "url": "https://ubuntu.com/security/CVE-2026-23865", "cve_description": "An integer overflow in the tt_var_load_item_variation_store function of the Freetype library in versions 2.13.2 and 2.13.3 may allow for an out of bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.", "cve_priority": "medium", "cve_public_date": "2026-03-02 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Integer Overflow", " - debian/patches/CVE-2026-23865.patch: Check for overflow in array", " size computation", " - CVE-2026-23865", "" ], "package": "freetype", "version": "2.13.2+dfsg-1ubuntu0.1", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Tue, 10 Mar 2026 17:40:24 +1100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.12-minimal", "from_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.11", "version": "3.12.3-1ubuntu0.11" }, "to_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.12", "version": "3.12.3-1ubuntu0.12" }, "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: Revert patch for CVE-2025-15366", " - debian/patches/CVE-2025-15366.patch: Reverted. Patch breaks RFC", " 9051 IMAP conformance and introduces behavior regressions avoided", " by upstream.", " - CVE-2025-15366", " * SECURITY REGRESSION: Revert patch for CVE-2025-15367", " - debian/patches/CVE-2025-15367.patch: Reverted to prevent behavior", " regressions, aligning with upstream backporting decisions.", " - CVE-2025-15367", " * SECURITY REGRESSION: Allow HTAB in wsgiref header values", " - debian/patches/CVE-2026-0865-2.patch: Permit HTAB in header values", " (excluding names) in Lib/wsgiref/headers.py, add test coverage.", " - CVE-2026-0865", "" ], "package": "python3.12", "version": "3.12.3-1ubuntu0.12", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Tue, 03 Mar 2026 17:45:18 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.12-stdlib", "from_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.11", "version": "3.12.3-1ubuntu0.11" }, "to_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.12", "version": "3.12.3-1ubuntu0.12" }, "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: Revert patch for CVE-2025-15366", " - debian/patches/CVE-2025-15366.patch: Reverted. Patch breaks RFC", " 9051 IMAP conformance and introduces behavior regressions avoided", " by upstream.", " - CVE-2025-15366", " * SECURITY REGRESSION: Revert patch for CVE-2025-15367", " - debian/patches/CVE-2025-15367.patch: Reverted to prevent behavior", " regressions, aligning with upstream backporting decisions.", " - CVE-2025-15367", " * SECURITY REGRESSION: Allow HTAB in wsgiref header values", " - debian/patches/CVE-2026-0865-2.patch: Permit HTAB in header values", " (excluding names) in Lib/wsgiref/headers.py, add test coverage.", " - CVE-2026-0865", "" ], "package": "python3.12", "version": "3.12.3-1ubuntu0.12", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Tue, 03 Mar 2026 17:45:18 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-base", "from_version": { "source_package_name": "linux-base", "source_package_version": "4.5ubuntu9+24.04.1", "version": "4.5ubuntu9+24.04.1" }, "to_version": { "source_package_name": "linux-base", "source_package_version": "4.5ubuntu9+24.04.2", "version": "4.5ubuntu9+24.04.2" }, "cves": [], "launchpad_bugs_fixed": [ 2141393 ], "changes": [ { "cves": [], "log": [ "", " * Add missing Apport links for HWE (and other new) kernel packages", " (LP: #2141393).", "" ], "package": "linux-base", "version": "4.5ubuntu9+24.04.2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2141393 ], "author": "Juerg Haefliger ", "date": "Mon, 23 Feb 2026 10:52:34 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.12", "from_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.11", "version": "3.12.3-1ubuntu0.11" }, "to_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.12", "version": "3.12.3-1ubuntu0.12" }, "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: Revert patch for CVE-2025-15366", " - debian/patches/CVE-2025-15366.patch: Reverted. Patch breaks RFC", " 9051 IMAP conformance and introduces behavior regressions avoided", " by upstream.", " - CVE-2025-15366", " * SECURITY REGRESSION: Revert patch for CVE-2025-15367", " - debian/patches/CVE-2025-15367.patch: Reverted to prevent behavior", " regressions, aligning with upstream backporting decisions.", " - CVE-2025-15367", " * SECURITY REGRESSION: Allow HTAB in wsgiref header values", " - debian/patches/CVE-2026-0865-2.patch: Permit HTAB in header values", " (excluding names) in Lib/wsgiref/headers.py, add test coverage.", " - CVE-2026-0865", "" ], "package": "python3.12", "version": "3.12.3-1ubuntu0.12", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Tue, 03 Mar 2026 17:45:18 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.12-minimal", "from_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.11", "version": "3.12.3-1ubuntu0.11" }, "to_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.12", "version": "3.12.3-1ubuntu0.12" }, "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: Revert patch for CVE-2025-15366", " - debian/patches/CVE-2025-15366.patch: Reverted. Patch breaks RFC", " 9051 IMAP conformance and introduces behavior regressions avoided", " by upstream.", " - CVE-2025-15366", " * SECURITY REGRESSION: Revert patch for CVE-2025-15367", " - debian/patches/CVE-2025-15367.patch: Reverted to prevent behavior", " regressions, aligning with upstream backporting decisions.", " - CVE-2025-15367", " * SECURITY REGRESSION: Allow HTAB in wsgiref header values", " - debian/patches/CVE-2026-0865-2.patch: Permit HTAB in header values", " (excluding names) in Lib/wsgiref/headers.py, add test coverage.", " - CVE-2026-0865", "" ], "package": "python3.12", "version": "3.12.3-1ubuntu0.12", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Tue, 03 Mar 2026 17:45:18 +0530" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 24.04 noble image from release image serial 20260304 to 20260312", "from_series": "noble", "to_series": "noble", "from_serial": "20260304", "to_serial": "20260312", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }