{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-image-6.14.0-35-generic", "linux-modules-6.14.0-35-generic" ], "removed": [ "linux-image-6.14.0-34-generic", "linux-modules-6.14.0-34-generic" ], "diff": [ "linux-image-virtual" ] } }, "diff": { "deb": [ { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.14.0-34.34", "version": "6.14.0-34.34" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.14.0-35.35", "version": "6.14.0-35.35" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.14.0-35.35", "" ], "package": "linux-meta", "version": "6.14.0-35.35", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Fri, 10 Oct 2025 22:26:05 +0200" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [ { "name": "linux-image-6.14.0-35-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "6.14.0-34.34", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "6.14.0-35.35", "version": "6.14.0-35.35" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.14.0-35.35", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "6.14.0-35.35", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Fri, 10 Oct 2025 22:26:14 +0200" } ], "notes": "linux-image-6.14.0-35-generic version '6.14.0-35.35' (source package linux-signed version '6.14.0-35.35') was added. linux-image-6.14.0-35-generic version '6.14.0-35.35' has the same source package name, linux-signed, as removed package linux-image-6.14.0-34-generic. As such we can use the source package version of the removed package, '6.14.0-34.34', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-modules-6.14.0-35-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.14.0-34.34", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.14.0-35.35", "version": "6.14.0-35.35" }, "cves": [ { "cve": "CVE-2025-40300", "url": "https://ubuntu.com/security/CVE-2025-40300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo. [ dhansen: elaborate on suboptimal IBPB solution ]", "cve_priority": "high", "cve_public_date": "2025-09-11 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2127468, 2124105, 2124105 ], "changes": [ { "cves": [ { "cve": "CVE-2025-40300", "url": "https://ubuntu.com/security/CVE-2025-40300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo. [ dhansen: elaborate on suboptimal IBPB solution ]", "cve_priority": "high", "cve_public_date": "2025-09-11 17:15:00 UTC" } ], "log": [ "", " * plucky/linux: 6.14.0-35.35 -proposed tracker (LP: #2127468)", "", " * VMSCAPE CVE-2025-40300 (LP: #2124105) // CVE-2025-40300", " - Documentation/hw-vuln: Add VMSCAPE documentation", " - x86/vmscape: Enumerate VMSCAPE bug", " - x86/vmscape: Add conditional IBPB mitigation", " - x86/vmscape: Enable the mitigation", " - x86/bugs: Move cpu_bugs_smt_update() down", " - x86/vmscape: Warn when STIBP is disabled with SMT", " - x86/vmscape: Add old Intel CPUs to affected list", "", " * VMSCAPE CVE-2025-40300 (LP: #2124105)", " - [Config] Enable MITIGATION_VMSCAPE config", "" ], "package": "linux", "version": "6.14.0-35.35", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2127468, 2124105, 2124105 ], "author": "Manuel Diewald ", "date": "Fri, 10 Oct 2025 21:09:58 +0200" } ], "notes": "linux-modules-6.14.0-35-generic version '6.14.0-35.35' (source package linux version '6.14.0-35.35') was added. linux-modules-6.14.0-35-generic version '6.14.0-35.35' has the same source package name, linux, as removed package linux-modules-6.14.0-34-generic. As such we can use the source package version of the removed package, '6.14.0-34.34', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-image-6.14.0-34-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "6.14.0-34.34", "version": "6.14.0-34.34" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-modules-6.14.0-34-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.14.0-34.34", "version": "6.14.0-34.34" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 25.04 plucky image from daily image serial 20251021 to 20251030", "from_series": "plucky", "to_series": "plucky", "from_serial": "20251021", "to_serial": "20251030", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }