{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-6.8.0-94", "linux-headers-6.8.0-94-generic", "linux-image-6.8.0-94-generic", "linux-modules-6.8.0-94-generic", "linux-tools-6.8.0-94", "linux-tools-6.8.0-94-generic" ], "removed": [ "linux-headers-6.8.0-90", "linux-headers-6.8.0-90-generic", "linux-image-6.8.0-90-generic", "linux-modules-6.8.0-90-generic", "linux-tools-6.8.0-90", "linux-tools-6.8.0-90-generic" ], "diff": [ "bsdextrautils", "bsdutils", "dirmngr", "eject", "fdisk", "fwupd", "gir1.2-glib-2.0", "gnupg", "gnupg-l10n", "gnupg-utils", "gpg", "gpg-agent", "gpg-wks-client", "gpgconf", "gpgsm", "gpgv", "keyboxd", "klibc-utils", "kpartx", "libblkid1", "libdrm-common", "libdrm2", "libfdisk1", "libfwupd2", "libglib2.0-0t64", "libglib2.0-bin", "libglib2.0-data", "libheif-plugin-aomdec", "libheif-plugin-aomenc", "libheif-plugin-libde265", "libheif1", "libklibc", "libmbim-glib4", "libmbim-proxy", "libmbim-utils", "libmount1", "libnss-systemd", "libnuma1", "libpam-systemd", "libpng16-16t64", "libpython3.12-minimal", "libpython3.12-stdlib", "libpython3.12t64", "libsmartcols1", "libsodium23", "libssl3t64", "libsystemd-shared", "libsystemd0", "libtasn1-6", "libudev1", "libuuid1", "libxml2", "libxslt1.1", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-libc-dev", "linux-tools-common", "linux-virtual", "mount", "multipath-tools", "numactl", "openssl", "python3-distupgrade", "python3-pyasn1", "python3-urllib3", "python3.12", "python3.12-minimal", "screen", "snapd", "systemd", "systemd-dev", "systemd-resolved", "systemd-sysv", "systemd-timesyncd", "ubuntu-release-upgrader-core", "udev", "util-linux", "uuid-runtime" ] } }, "diff": { "deb": [ { "name": "bsdextrautils", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.3", "version": "2.39.3-9ubuntu6.3" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.4", "version": "2.39.3-9ubuntu6.4" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.39.3-9ubuntu6.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2123886 ], "author": "Joao Andre Simioni ", "date": "Mon, 15 Sep 2025 21:08:02 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "bsdutils", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.3", "version": "1:2.39.3-9ubuntu6.3" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.4", "version": "1:2.39.3-9ubuntu6.4" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.39.3-9ubuntu6.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2123886 ], "author": "Joao Andre Simioni ", "date": "Mon, 15 Sep 2025 21:08:02 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "dirmngr", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.3", "version": "2.4.4-2ubuntu17.3" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.4", "version": "2.4.4-2ubuntu17.4" }, "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Remote Code Execution", " - debian/patches/CVE-2025-68973.patch: gpg: Fix possible memory", " corruption in the armor parser.", " - CVE-2025-68973", "" ], "package": "gnupg2", "version": "2.4.4-2ubuntu17.4", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Mon, 05 Jan 2026 22:01:39 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "eject", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.3", "version": "2.39.3-9ubuntu6.3" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.4", "version": "2.39.3-9ubuntu6.4" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.39.3-9ubuntu6.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2123886 ], "author": "Joao Andre Simioni ", "date": "Mon, 15 Sep 2025 21:08:02 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "fdisk", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.3", "version": "2.39.3-9ubuntu6.3" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.4", "version": "2.39.3-9ubuntu6.4" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.39.3-9ubuntu6.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2123886 ], "author": "Joao Andre Simioni ", "date": "Mon, 15 Sep 2025 21:08:02 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "fwupd", "from_version": { "source_package_name": "fwupd", "source_package_version": "1.9.31-0ubuntu1~24.04.1", "version": "1.9.31-0ubuntu1~24.04.1" }, "to_version": { "source_package_name": "fwupd", "source_package_version": "1.9.33-0ubuntu1~24.04.1ubuntu1", "version": "1.9.33-0ubuntu1~24.04.1ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [ 2131001 ], "changes": [ { "cves": [], "log": [ "", " * New upstream version (1.9.31)", " - Add PS5512 usb firmware update (LP: #2131001)", "" ], "package": "fwupd", "version": "1.9.33-0ubuntu1~24.04.1ubuntu1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2131001 ], "author": "Mario Limonciello ", "date": "Sun, 30 Nov 2025 07:12:14 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "gir1.2-glib-2.0", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.5", "version": "2.80.0-6ubuntu3.5" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.7", "version": "2.80.0-6ubuntu3.7" }, "cves": [ { "cve": "CVE-2026-0988", "url": "https://ubuntu.com/security/CVE-2026-0988", "cve_description": "A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).", "cve_priority": "medium", "cve_public_date": "2026-01-21 12:15:00 UTC" }, { "cve": "CVE-2025-3360", "url": "https://ubuntu.com/security/CVE-2025-3360", "cve_description": "A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.", "cve_priority": "low", "cve_public_date": "2025-04-07 13:15:00 UTC" }, { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-0988", "url": "https://ubuntu.com/security/CVE-2026-0988", "cve_description": "A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).", "cve_priority": "medium", "cve_public_date": "2026-01-21 12:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Integer overflow in g_buffered_input_stream_peek()", " - debian/patches/CVE-2026-0988.patch: fix a potential integer overflow", " in peek() in gio/gbufferedinputstream.c,", " gio/tests/buffered-input-stream.c.", " - CVE-2026-0988", "" ], "package": "glib2.0", "version": "2.80.0-6ubuntu3.7", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 20 Jan 2026 08:08:27 -0500" }, { "cves": [ { "cve": "CVE-2025-3360", "url": "https://ubuntu.com/security/CVE-2025-3360", "cve_description": "A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.", "cve_priority": "low", "cve_public_date": "2025-04-07 13:15:00 UTC" }, { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: overflow via long invalid ISO 8601 timestamp", " - debian/patches/CVE-2025-3360-1.patch: fix integer overflow when", " parsing very long ISO8601 inputs in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-2.patch: fix potential integer overflow", " in timezone offset handling in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-3.patch: track timezone length as an", " unsigned size_t in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-4.patch: factor out some string pointer", " arithmetic in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-5.patch: factor out an undersized", " variable in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-6.patch: add some missing GDateTime", " ISO8601 parsing tests in glib/tests/gdatetime.c.", " - CVE-2025-3360", " * SECURITY UPDATE: GString overflow", " - debian/patches/CVE-2025-6052.patch: fix overflow check when expanding", " the string in glib/gstring.c.", " - CVE-2025-6052", " * SECURITY UPDATE: integer overflow in temp file creation", " - debian/patches/CVE-2025-7039.patch: fix computation of temporary file", " name in glib/gfileutils.c.", " - CVE-2025-7039", " * SECURITY UPDATE: heap overflow in g_escape_uri_string()", " - debian/patches/CVE-2025-13601.patch: add overflow check in", " glib/gconvert.c.", " - CVE-2025-13601", " * SECURITY UPDATE: buffer underflow through glib/gvariant", " - debian/patches/CVE-2025-14087-1.patch: fix potential integer overflow", " parsing (byte)strings in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-2.patch: use size_t to count numbers of", " child elements in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-3.patch: convert error handling code to", " use size_t in glib/gvariant-parser.c.", " - CVE-2025-14087", " * SECURITY UPDATE: integer overflow in gfileattribute", " - debian/patches/gfileattribute-overflow.patch: add overflow check in", " gio/gfileattribute.c.", " - No CVE number", "" ], "package": "glib2.0", "version": "2.80.0-6ubuntu3.6", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 10 Dec 2025 10:51:22 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "gnupg", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.3", "version": "2.4.4-2ubuntu17.3" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.4", "version": "2.4.4-2ubuntu17.4" }, "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Remote Code Execution", " - debian/patches/CVE-2025-68973.patch: gpg: Fix possible memory", " corruption in the armor parser.", " - CVE-2025-68973", "" ], "package": "gnupg2", "version": "2.4.4-2ubuntu17.4", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Mon, 05 Jan 2026 22:01:39 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "gnupg-l10n", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.3", "version": "2.4.4-2ubuntu17.3" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.4", "version": "2.4.4-2ubuntu17.4" }, "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Remote Code Execution", " - debian/patches/CVE-2025-68973.patch: gpg: Fix possible memory", " corruption in the armor parser.", " - CVE-2025-68973", "" ], "package": "gnupg2", "version": "2.4.4-2ubuntu17.4", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Mon, 05 Jan 2026 22:01:39 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "gnupg-utils", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.3", "version": "2.4.4-2ubuntu17.3" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.4", "version": "2.4.4-2ubuntu17.4" }, "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Remote Code Execution", " - debian/patches/CVE-2025-68973.patch: gpg: Fix possible memory", " corruption in the armor parser.", " - CVE-2025-68973", "" ], "package": "gnupg2", "version": "2.4.4-2ubuntu17.4", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Mon, 05 Jan 2026 22:01:39 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpg", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.3", "version": "2.4.4-2ubuntu17.3" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.4", "version": "2.4.4-2ubuntu17.4" }, "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Remote Code Execution", " - debian/patches/CVE-2025-68973.patch: gpg: Fix possible memory", " corruption in the armor parser.", " - CVE-2025-68973", "" ], "package": "gnupg2", "version": "2.4.4-2ubuntu17.4", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Mon, 05 Jan 2026 22:01:39 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpg-agent", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.3", "version": "2.4.4-2ubuntu17.3" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.4", "version": "2.4.4-2ubuntu17.4" }, "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Remote Code Execution", " - debian/patches/CVE-2025-68973.patch: gpg: Fix possible memory", " corruption in the armor parser.", " - CVE-2025-68973", "" ], "package": "gnupg2", "version": "2.4.4-2ubuntu17.4", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Mon, 05 Jan 2026 22:01:39 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpg-wks-client", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.3", "version": "2.4.4-2ubuntu17.3" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.4", "version": "2.4.4-2ubuntu17.4" }, "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Remote Code Execution", " - debian/patches/CVE-2025-68973.patch: gpg: Fix possible memory", " corruption in the armor parser.", " - CVE-2025-68973", "" ], "package": "gnupg2", "version": "2.4.4-2ubuntu17.4", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Mon, 05 Jan 2026 22:01:39 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpgconf", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.3", "version": "2.4.4-2ubuntu17.3" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.4", "version": "2.4.4-2ubuntu17.4" }, "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Remote Code Execution", " - debian/patches/CVE-2025-68973.patch: gpg: Fix possible memory", " corruption in the armor parser.", " - CVE-2025-68973", "" ], "package": "gnupg2", "version": "2.4.4-2ubuntu17.4", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Mon, 05 Jan 2026 22:01:39 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpgsm", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.3", "version": "2.4.4-2ubuntu17.3" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.4", "version": "2.4.4-2ubuntu17.4" }, "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Remote Code Execution", " - debian/patches/CVE-2025-68973.patch: gpg: Fix possible memory", " corruption in the armor parser.", " - CVE-2025-68973", "" ], "package": "gnupg2", "version": "2.4.4-2ubuntu17.4", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Mon, 05 Jan 2026 22:01:39 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpgv", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.3", "version": "2.4.4-2ubuntu17.3" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.4", "version": "2.4.4-2ubuntu17.4" }, "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Remote Code Execution", " - debian/patches/CVE-2025-68973.patch: gpg: Fix possible memory", " corruption in the armor parser.", " - CVE-2025-68973", "" ], "package": "gnupg2", "version": "2.4.4-2ubuntu17.4", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Mon, 05 Jan 2026 22:01:39 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "keyboxd", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.3", "version": "2.4.4-2ubuntu17.3" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu17.4", "version": "2.4.4-2ubuntu17.4" }, "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Remote Code Execution", " - debian/patches/CVE-2025-68973.patch: gpg: Fix possible memory", " corruption in the armor parser.", " - CVE-2025-68973", "" ], "package": "gnupg2", "version": "2.4.4-2ubuntu17.4", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Mon, 05 Jan 2026 22:01:39 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "klibc-utils", "from_version": { "source_package_name": "klibc", "source_package_version": "2.0.13-4ubuntu0.1", "version": "2.0.13-4ubuntu0.1" }, "to_version": { "source_package_name": "klibc", "source_package_version": "2.0.13-4ubuntu0.2", "version": "2.0.13-4ubuntu0.2" }, "cves": [ { "cve": "CVE-2016-9843", "url": "https://ubuntu.com/security/CVE-2016-9843", "cve_description": "The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.", "cve_priority": "low", "cve_public_date": "2017-05-23 04:29:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2016-9843", "url": "https://ubuntu.com/security/CVE-2016-9843", "cve_description": "The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.", "cve_priority": "low", "cve_public_date": "2017-05-23 04:29:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Undefined Behavior", " - debian/patches/CVE-2016-9843.patch: Avoid pre-decrement of pointer", " in big-endian CRC calculation.", " - CVE-2016-9843", "" ], "package": "klibc", "version": "2.0.13-4ubuntu0.2", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Mon, 12 Jan 2026 13:55:06 +1100" } ], "notes": null, "is_version_downgrade": false }, { "name": "kpartx", "from_version": { "source_package_name": "multipath-tools", "source_package_version": "0.9.4-5ubuntu8", "version": "0.9.4-5ubuntu8" }, "to_version": { "source_package_name": "multipath-tools", "source_package_version": "0.9.4-5ubuntu8.1", "version": "0.9.4-5ubuntu8.1" }, "cves": [], "launchpad_bugs_fixed": [ 2116901 ], "changes": [ { "cves": [], "log": [ "", " * d/p/0005-hpe-msa-gen7-support.patch: add support for HPE MSA gen7 arrays", " (LP: #2116901)", "" ], "package": "multipath-tools", "version": "0.9.4-5ubuntu8.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2116901 ], "author": "Jonas Jelten ", "date": "Tue, 22 Jul 2025 17:44:15 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "libblkid1", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.3", "version": "2.39.3-9ubuntu6.3" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.4", "version": "2.39.3-9ubuntu6.4" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.39.3-9ubuntu6.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2123886 ], "author": "Joao Andre Simioni ", "date": "Mon, 15 Sep 2025 21:08:02 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libdrm-common", "from_version": { "source_package_name": "libdrm", "source_package_version": "2.4.122-1~ubuntu0.24.04.2", "version": "2.4.122-1~ubuntu0.24.04.2" }, "to_version": { "source_package_name": "libdrm", "source_package_version": "2.4.125-1ubuntu0.1~24.04.1", "version": "2.4.125-1ubuntu0.1~24.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2126037, 2127944, 2104352, 2100483 ], "changes": [ { "cves": [], "log": [ "", " * Backport to noble. (LP: #2126037)", " - amdgpu-add-env-support-for-amdgpu-ids.patch dropped as it has", " changed on the upstream merge request and hasn't landed yet", "" ], "package": "libdrm", "version": "2.4.125-1ubuntu0.1~24.04.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2126037 ], "author": "Timo Aaltonen ", "date": "Fri, 07 Nov 2025 14:50:51 +0200" }, { "cves": [], "log": [ "", " * patches: Identify APUs from hardware (LP: #2127944)", "" ], "package": "libdrm", "version": "2.4.125-1ubuntu0.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2127944 ], "author": "Timo Aaltonen ", "date": "Fri, 24 Oct 2025 17:43:46 +0300" }, { "cves": [], "log": [ "", " [ Jianfeng Liu ]", " * Enable build libdrm-intel1 for loong64. (Closes: #1107223)", "", " [ Timo Aaltonen ]", " * New upstream release.", " * patches: Drop the upstreamed fix for xf86drm.", " * symbols: Updated.", "" ], "package": "libdrm", "version": "2.4.125-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Timo Aaltonen ", "date": "Wed, 25 Jun 2025 10:46:34 +0300" }, { "cves": [], "log": [ "", " [ Daniel van Vugt ]", " * Add xf86drm-Handle-NULL-in-drmCopyVersion.patch (LP: #2104352)", "", " [ Bo YU ]", " * Enable building libdrm-intel1 for riscv64 (Closes: #1085314)", "" ], "package": "libdrm", "version": "2.4.124-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [ 2104352 ], "author": "Timo Aaltonen ", "date": "Tue, 01 Apr 2025 11:08:19 +0300" }, { "cves": [], "log": [ "", " * New upstream release.", " * amdgpu-add-env-support-for-amdgpu-ids.patch: Add a patch to allow", " using an env variable for amdgpu.ids path. (LP: #2100483)", "" ], "package": "libdrm", "version": "2.4.124-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [ 2100483 ], "author": "Timo Aaltonen ", "date": "Thu, 27 Feb 2025 14:57:25 +0200" }, { "cves": [], "log": [ "", " * New upstream release.", " * Add upstream metadata, drop old git url from d/watch.", " * Update signing-key.asc.", "" ], "package": "libdrm", "version": "2.4.123-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Timo Aaltonen ", "date": "Tue, 10 Sep 2024 11:03:50 +0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libdrm2", "from_version": { "source_package_name": "libdrm", "source_package_version": "2.4.122-1~ubuntu0.24.04.2", "version": "2.4.122-1~ubuntu0.24.04.2" }, "to_version": { "source_package_name": "libdrm", "source_package_version": "2.4.125-1ubuntu0.1~24.04.1", "version": "2.4.125-1ubuntu0.1~24.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2126037, 2127944, 2104352, 2100483 ], "changes": [ { "cves": [], "log": [ "", " * Backport to noble. (LP: #2126037)", " - amdgpu-add-env-support-for-amdgpu-ids.patch dropped as it has", " changed on the upstream merge request and hasn't landed yet", "" ], "package": "libdrm", "version": "2.4.125-1ubuntu0.1~24.04.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2126037 ], "author": "Timo Aaltonen ", "date": "Fri, 07 Nov 2025 14:50:51 +0200" }, { "cves": [], "log": [ "", " * patches: Identify APUs from hardware (LP: #2127944)", "" ], "package": "libdrm", "version": "2.4.125-1ubuntu0.1", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2127944 ], "author": "Timo Aaltonen ", "date": "Fri, 24 Oct 2025 17:43:46 +0300" }, { "cves": [], "log": [ "", " [ Jianfeng Liu ]", " * Enable build libdrm-intel1 for loong64. (Closes: #1107223)", "", " [ Timo Aaltonen ]", " * New upstream release.", " * patches: Drop the upstreamed fix for xf86drm.", " * symbols: Updated.", "" ], "package": "libdrm", "version": "2.4.125-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Timo Aaltonen ", "date": "Wed, 25 Jun 2025 10:46:34 +0300" }, { "cves": [], "log": [ "", " [ Daniel van Vugt ]", " * Add xf86drm-Handle-NULL-in-drmCopyVersion.patch (LP: #2104352)", "", " [ Bo YU ]", " * Enable building libdrm-intel1 for riscv64 (Closes: #1085314)", "" ], "package": "libdrm", "version": "2.4.124-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [ 2104352 ], "author": "Timo Aaltonen ", "date": "Tue, 01 Apr 2025 11:08:19 +0300" }, { "cves": [], "log": [ "", " * New upstream release.", " * amdgpu-add-env-support-for-amdgpu-ids.patch: Add a patch to allow", " using an env variable for amdgpu.ids path. (LP: #2100483)", "" ], "package": "libdrm", "version": "2.4.124-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [ 2100483 ], "author": "Timo Aaltonen ", "date": "Thu, 27 Feb 2025 14:57:25 +0200" }, { "cves": [], "log": [ "", " * New upstream release.", " * Add upstream metadata, drop old git url from d/watch.", " * Update signing-key.asc.", "" ], "package": "libdrm", "version": "2.4.123-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Timo Aaltonen ", "date": "Tue, 10 Sep 2024 11:03:50 +0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libfdisk1", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.3", "version": "2.39.3-9ubuntu6.3" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.4", "version": "2.39.3-9ubuntu6.4" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.39.3-9ubuntu6.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2123886 ], "author": "Joao Andre Simioni ", "date": "Mon, 15 Sep 2025 21:08:02 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libfwupd2", "from_version": { "source_package_name": "fwupd", "source_package_version": "1.9.31-0ubuntu1~24.04.1", "version": "1.9.31-0ubuntu1~24.04.1" }, "to_version": { "source_package_name": "fwupd", "source_package_version": "1.9.33-0ubuntu1~24.04.1ubuntu1", "version": "1.9.33-0ubuntu1~24.04.1ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [ 2131001 ], "changes": [ { "cves": [], "log": [ "", " * New upstream version (1.9.31)", " - Add PS5512 usb firmware update (LP: #2131001)", "" ], "package": "fwupd", "version": "1.9.33-0ubuntu1~24.04.1ubuntu1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2131001 ], "author": "Mario Limonciello ", "date": "Sun, 30 Nov 2025 07:12:14 -0600" } ], "notes": null, "is_version_downgrade": false }, { "name": "libglib2.0-0t64", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.5", "version": "2.80.0-6ubuntu3.5" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.7", "version": "2.80.0-6ubuntu3.7" }, "cves": [ { "cve": "CVE-2026-0988", "url": "https://ubuntu.com/security/CVE-2026-0988", "cve_description": "A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).", "cve_priority": "medium", "cve_public_date": "2026-01-21 12:15:00 UTC" }, { "cve": "CVE-2025-3360", "url": "https://ubuntu.com/security/CVE-2025-3360", "cve_description": "A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.", "cve_priority": "low", "cve_public_date": "2025-04-07 13:15:00 UTC" }, { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-0988", "url": "https://ubuntu.com/security/CVE-2026-0988", "cve_description": "A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).", "cve_priority": "medium", "cve_public_date": "2026-01-21 12:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Integer overflow in g_buffered_input_stream_peek()", " - debian/patches/CVE-2026-0988.patch: fix a potential integer overflow", " in peek() in gio/gbufferedinputstream.c,", " gio/tests/buffered-input-stream.c.", " - CVE-2026-0988", "" ], "package": "glib2.0", "version": "2.80.0-6ubuntu3.7", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 20 Jan 2026 08:08:27 -0500" }, { "cves": [ { "cve": "CVE-2025-3360", "url": "https://ubuntu.com/security/CVE-2025-3360", "cve_description": "A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.", "cve_priority": "low", "cve_public_date": "2025-04-07 13:15:00 UTC" }, { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: overflow via long invalid ISO 8601 timestamp", " - debian/patches/CVE-2025-3360-1.patch: fix integer overflow when", " parsing very long ISO8601 inputs in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-2.patch: fix potential integer overflow", " in timezone offset handling in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-3.patch: track timezone length as an", " unsigned size_t in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-4.patch: factor out some string pointer", " arithmetic in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-5.patch: factor out an undersized", " variable in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-6.patch: add some missing GDateTime", " ISO8601 parsing tests in glib/tests/gdatetime.c.", " - CVE-2025-3360", " * SECURITY UPDATE: GString overflow", " - debian/patches/CVE-2025-6052.patch: fix overflow check when expanding", " the string in glib/gstring.c.", " - CVE-2025-6052", " * SECURITY UPDATE: integer overflow in temp file creation", " - debian/patches/CVE-2025-7039.patch: fix computation of temporary file", " name in glib/gfileutils.c.", " - CVE-2025-7039", " * SECURITY UPDATE: heap overflow in g_escape_uri_string()", " - debian/patches/CVE-2025-13601.patch: add overflow check in", " glib/gconvert.c.", " - CVE-2025-13601", " * SECURITY UPDATE: buffer underflow through glib/gvariant", " - debian/patches/CVE-2025-14087-1.patch: fix potential integer overflow", " parsing (byte)strings in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-2.patch: use size_t to count numbers of", " child elements in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-3.patch: convert error handling code to", " use size_t in glib/gvariant-parser.c.", " - CVE-2025-14087", " * SECURITY UPDATE: integer overflow in gfileattribute", " - debian/patches/gfileattribute-overflow.patch: add overflow check in", " gio/gfileattribute.c.", " - No CVE number", "" ], "package": "glib2.0", "version": "2.80.0-6ubuntu3.6", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 10 Dec 2025 10:51:22 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libglib2.0-bin", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.5", "version": "2.80.0-6ubuntu3.5" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.7", "version": "2.80.0-6ubuntu3.7" }, "cves": [ { "cve": "CVE-2026-0988", "url": "https://ubuntu.com/security/CVE-2026-0988", "cve_description": "A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).", "cve_priority": "medium", "cve_public_date": "2026-01-21 12:15:00 UTC" }, { "cve": "CVE-2025-3360", "url": "https://ubuntu.com/security/CVE-2025-3360", "cve_description": "A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.", "cve_priority": "low", "cve_public_date": "2025-04-07 13:15:00 UTC" }, { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-0988", "url": "https://ubuntu.com/security/CVE-2026-0988", "cve_description": "A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).", "cve_priority": "medium", "cve_public_date": "2026-01-21 12:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Integer overflow in g_buffered_input_stream_peek()", " - debian/patches/CVE-2026-0988.patch: fix a potential integer overflow", " in peek() in gio/gbufferedinputstream.c,", " gio/tests/buffered-input-stream.c.", " - CVE-2026-0988", "" ], "package": "glib2.0", "version": "2.80.0-6ubuntu3.7", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 20 Jan 2026 08:08:27 -0500" }, { "cves": [ { "cve": "CVE-2025-3360", "url": "https://ubuntu.com/security/CVE-2025-3360", "cve_description": "A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.", "cve_priority": "low", "cve_public_date": "2025-04-07 13:15:00 UTC" }, { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: overflow via long invalid ISO 8601 timestamp", " - debian/patches/CVE-2025-3360-1.patch: fix integer overflow when", " parsing very long ISO8601 inputs in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-2.patch: fix potential integer overflow", " in timezone offset handling in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-3.patch: track timezone length as an", " unsigned size_t in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-4.patch: factor out some string pointer", " arithmetic in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-5.patch: factor out an undersized", " variable in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-6.patch: add some missing GDateTime", " ISO8601 parsing tests in glib/tests/gdatetime.c.", " - CVE-2025-3360", " * SECURITY UPDATE: GString overflow", " - debian/patches/CVE-2025-6052.patch: fix overflow check when expanding", " the string in glib/gstring.c.", " - CVE-2025-6052", " * SECURITY UPDATE: integer overflow in temp file creation", " - debian/patches/CVE-2025-7039.patch: fix computation of temporary file", " name in glib/gfileutils.c.", " - CVE-2025-7039", " * SECURITY UPDATE: heap overflow in g_escape_uri_string()", " - debian/patches/CVE-2025-13601.patch: add overflow check in", " glib/gconvert.c.", " - CVE-2025-13601", " * SECURITY UPDATE: buffer underflow through glib/gvariant", " - debian/patches/CVE-2025-14087-1.patch: fix potential integer overflow", " parsing (byte)strings in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-2.patch: use size_t to count numbers of", " child elements in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-3.patch: convert error handling code to", " use size_t in glib/gvariant-parser.c.", " - CVE-2025-14087", " * SECURITY UPDATE: integer overflow in gfileattribute", " - debian/patches/gfileattribute-overflow.patch: add overflow check in", " gio/gfileattribute.c.", " - No CVE number", "" ], "package": "glib2.0", "version": "2.80.0-6ubuntu3.6", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 10 Dec 2025 10:51:22 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libglib2.0-data", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.5", "version": "2.80.0-6ubuntu3.5" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.80.0-6ubuntu3.7", "version": "2.80.0-6ubuntu3.7" }, "cves": [ { "cve": "CVE-2026-0988", "url": "https://ubuntu.com/security/CVE-2026-0988", "cve_description": "A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).", "cve_priority": "medium", "cve_public_date": "2026-01-21 12:15:00 UTC" }, { "cve": "CVE-2025-3360", "url": "https://ubuntu.com/security/CVE-2025-3360", "cve_description": "A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.", "cve_priority": "low", "cve_public_date": "2025-04-07 13:15:00 UTC" }, { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-0988", "url": "https://ubuntu.com/security/CVE-2026-0988", "cve_description": "A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).", "cve_priority": "medium", "cve_public_date": "2026-01-21 12:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Integer overflow in g_buffered_input_stream_peek()", " - debian/patches/CVE-2026-0988.patch: fix a potential integer overflow", " in peek() in gio/gbufferedinputstream.c,", " gio/tests/buffered-input-stream.c.", " - CVE-2026-0988", "" ], "package": "glib2.0", "version": "2.80.0-6ubuntu3.7", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 20 Jan 2026 08:08:27 -0500" }, { "cves": [ { "cve": "CVE-2025-3360", "url": "https://ubuntu.com/security/CVE-2025-3360", "cve_description": "A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.", "cve_priority": "low", "cve_public_date": "2025-04-07 13:15:00 UTC" }, { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: overflow via long invalid ISO 8601 timestamp", " - debian/patches/CVE-2025-3360-1.patch: fix integer overflow when", " parsing very long ISO8601 inputs in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-2.patch: fix potential integer overflow", " in timezone offset handling in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-3.patch: track timezone length as an", " unsigned size_t in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-4.patch: factor out some string pointer", " arithmetic in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-5.patch: factor out an undersized", " variable in glib/gdatetime.c.", " - debian/patches/CVE-2025-3360-6.patch: add some missing GDateTime", " ISO8601 parsing tests in glib/tests/gdatetime.c.", " - CVE-2025-3360", " * SECURITY UPDATE: GString overflow", " - debian/patches/CVE-2025-6052.patch: fix overflow check when expanding", " the string in glib/gstring.c.", " - CVE-2025-6052", " * SECURITY UPDATE: integer overflow in temp file creation", " - debian/patches/CVE-2025-7039.patch: fix computation of temporary file", " name in glib/gfileutils.c.", " - CVE-2025-7039", " * SECURITY UPDATE: heap overflow in g_escape_uri_string()", " - debian/patches/CVE-2025-13601.patch: add overflow check in", " glib/gconvert.c.", " - CVE-2025-13601", " * SECURITY UPDATE: buffer underflow through glib/gvariant", " - debian/patches/CVE-2025-14087-1.patch: fix potential integer overflow", " parsing (byte)strings in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-2.patch: use size_t to count numbers of", " child elements in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-3.patch: convert error handling code to", " use size_t in glib/gvariant-parser.c.", " - CVE-2025-14087", " * SECURITY UPDATE: integer overflow in gfileattribute", " - debian/patches/gfileattribute-overflow.patch: add overflow check in", " gio/gfileattribute.c.", " - No CVE number", "" ], "package": "glib2.0", "version": "2.80.0-6ubuntu3.6", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 10 Dec 2025 10:51:22 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libheif-plugin-aomdec", "from_version": { "source_package_name": "libheif", "source_package_version": "1.17.6-1ubuntu4.1", "version": "1.17.6-1ubuntu4.1" }, "to_version": { "source_package_name": "libheif", "source_package_version": "1.17.6-1ubuntu4.2", "version": "1.17.6-1ubuntu4.2" }, "cves": [ { "cve": "CVE-2024-25269", "url": "https://ubuntu.com/security/CVE-2024-25269", "cve_description": "libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.", "cve_priority": "negligible", "cve_public_date": "2024-03-05 01:15:00 UTC" }, { "cve": "CVE-2025-68431", "url": "https://ubuntu.com/security/CVE-2025-68431", "cve_description": "libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.", "cve_priority": "medium", "cve_public_date": "2025-12-29 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-25269", "url": "https://ubuntu.com/security/CVE-2024-25269", "cve_description": "libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.", "cve_priority": "negligible", "cve_public_date": "2024-03-05 01:15:00 UTC" }, { "cve": "CVE-2025-68431", "url": "https://ubuntu.com/security/CVE-2025-68431", "cve_description": "libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.", "cve_priority": "medium", "cve_public_date": "2025-12-29 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Denial of Service", " - debian/patches/CVE-2024-25269.patch: Fix memory leaks in function", " JpegEncoder::Encode", " - CVE-2024-25269", " * SECURITY UPDATE: Buffer Overflow", " - debian/patches/CVE-2025-68431.patch: Fix wrong copy width in", " overlay images, thanks to Aldo Ristori", " - CVE-2025-68431", "" ], "package": "libheif", "version": "1.17.6-1ubuntu4.2", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Wed, 07 Jan 2026 17:41:16 +1100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libheif-plugin-aomenc", "from_version": { "source_package_name": "libheif", "source_package_version": "1.17.6-1ubuntu4.1", "version": "1.17.6-1ubuntu4.1" }, "to_version": { "source_package_name": "libheif", "source_package_version": "1.17.6-1ubuntu4.2", "version": "1.17.6-1ubuntu4.2" }, "cves": [ { "cve": "CVE-2024-25269", "url": "https://ubuntu.com/security/CVE-2024-25269", "cve_description": "libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.", "cve_priority": "negligible", "cve_public_date": "2024-03-05 01:15:00 UTC" }, { "cve": "CVE-2025-68431", "url": "https://ubuntu.com/security/CVE-2025-68431", "cve_description": "libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.", "cve_priority": "medium", "cve_public_date": "2025-12-29 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-25269", "url": "https://ubuntu.com/security/CVE-2024-25269", "cve_description": "libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.", "cve_priority": "negligible", "cve_public_date": "2024-03-05 01:15:00 UTC" }, { "cve": "CVE-2025-68431", "url": "https://ubuntu.com/security/CVE-2025-68431", "cve_description": "libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.", "cve_priority": "medium", "cve_public_date": "2025-12-29 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Denial of Service", " - debian/patches/CVE-2024-25269.patch: Fix memory leaks in function", " JpegEncoder::Encode", " - CVE-2024-25269", " * SECURITY UPDATE: Buffer Overflow", " - debian/patches/CVE-2025-68431.patch: Fix wrong copy width in", " overlay images, thanks to Aldo Ristori", " - CVE-2025-68431", "" ], "package": "libheif", "version": "1.17.6-1ubuntu4.2", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Wed, 07 Jan 2026 17:41:16 +1100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libheif-plugin-libde265", "from_version": { "source_package_name": "libheif", "source_package_version": "1.17.6-1ubuntu4.1", "version": "1.17.6-1ubuntu4.1" }, "to_version": { "source_package_name": "libheif", "source_package_version": "1.17.6-1ubuntu4.2", "version": "1.17.6-1ubuntu4.2" }, "cves": [ { "cve": "CVE-2024-25269", "url": "https://ubuntu.com/security/CVE-2024-25269", "cve_description": "libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.", "cve_priority": "negligible", "cve_public_date": "2024-03-05 01:15:00 UTC" }, { "cve": "CVE-2025-68431", "url": "https://ubuntu.com/security/CVE-2025-68431", "cve_description": "libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.", "cve_priority": "medium", "cve_public_date": "2025-12-29 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-25269", "url": "https://ubuntu.com/security/CVE-2024-25269", "cve_description": "libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.", "cve_priority": "negligible", "cve_public_date": "2024-03-05 01:15:00 UTC" }, { "cve": "CVE-2025-68431", "url": "https://ubuntu.com/security/CVE-2025-68431", "cve_description": "libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.", "cve_priority": "medium", "cve_public_date": "2025-12-29 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Denial of Service", " - debian/patches/CVE-2024-25269.patch: Fix memory leaks in function", " JpegEncoder::Encode", " - CVE-2024-25269", " * SECURITY UPDATE: Buffer Overflow", " - debian/patches/CVE-2025-68431.patch: Fix wrong copy width in", " overlay images, thanks to Aldo Ristori", " - CVE-2025-68431", "" ], "package": "libheif", "version": "1.17.6-1ubuntu4.2", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Wed, 07 Jan 2026 17:41:16 +1100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libheif1", "from_version": { "source_package_name": "libheif", "source_package_version": "1.17.6-1ubuntu4.1", "version": "1.17.6-1ubuntu4.1" }, "to_version": { "source_package_name": "libheif", "source_package_version": "1.17.6-1ubuntu4.2", "version": "1.17.6-1ubuntu4.2" }, "cves": [ { "cve": "CVE-2024-25269", "url": "https://ubuntu.com/security/CVE-2024-25269", "cve_description": "libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.", "cve_priority": "negligible", "cve_public_date": "2024-03-05 01:15:00 UTC" }, { "cve": "CVE-2025-68431", "url": "https://ubuntu.com/security/CVE-2025-68431", "cve_description": "libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.", "cve_priority": "medium", "cve_public_date": "2025-12-29 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-25269", "url": "https://ubuntu.com/security/CVE-2024-25269", "cve_description": "libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.", "cve_priority": "negligible", "cve_public_date": "2024-03-05 01:15:00 UTC" }, { "cve": "CVE-2025-68431", "url": "https://ubuntu.com/security/CVE-2025-68431", "cve_description": "libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in `HeifPixelImage::overlay()`. The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to `size_t` and is passed to `memcpy`, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using `iovl` overlay boxes.", "cve_priority": "medium", "cve_public_date": "2025-12-29 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Denial of Service", " - debian/patches/CVE-2024-25269.patch: Fix memory leaks in function", " JpegEncoder::Encode", " - CVE-2024-25269", " * SECURITY UPDATE: Buffer Overflow", " - debian/patches/CVE-2025-68431.patch: Fix wrong copy width in", " overlay images, thanks to Aldo Ristori", " - CVE-2025-68431", "" ], "package": "libheif", "version": "1.17.6-1ubuntu4.2", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Wed, 07 Jan 2026 17:41:16 +1100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libklibc", "from_version": { "source_package_name": "klibc", "source_package_version": "2.0.13-4ubuntu0.1", "version": "2.0.13-4ubuntu0.1" }, "to_version": { "source_package_name": "klibc", "source_package_version": "2.0.13-4ubuntu0.2", "version": "2.0.13-4ubuntu0.2" }, "cves": [ { "cve": "CVE-2016-9843", "url": "https://ubuntu.com/security/CVE-2016-9843", "cve_description": "The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.", "cve_priority": "low", "cve_public_date": "2017-05-23 04:29:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2016-9843", "url": "https://ubuntu.com/security/CVE-2016-9843", "cve_description": "The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.", "cve_priority": "low", "cve_public_date": "2017-05-23 04:29:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Undefined Behavior", " - debian/patches/CVE-2016-9843.patch: Avoid pre-decrement of pointer", " in big-endian CRC calculation.", " - CVE-2016-9843", "" ], "package": "klibc", "version": "2.0.13-4ubuntu0.2", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Bruce Cable ", "date": "Mon, 12 Jan 2026 13:55:06 +1100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libmbim-glib4", "from_version": { "source_package_name": "libmbim", "source_package_version": "1.31.2-0ubuntu3", "version": "1.31.2-0ubuntu3" }, "to_version": { "source_package_name": "libmbim", "source_package_version": "1.31.2-0ubuntu3.1", "version": "1.31.2-0ubuntu3.1" }, "cves": [], "launchpad_bugs_fixed": [ 2121842 ], "changes": [ { "cves": [], "log": [ "", " * Add Intel mbim service to send AT command (LP: #2121842)", "" ], "package": "libmbim", "version": "1.31.2-0ubuntu3.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2121842 ], "author": "Dirk Su ", "date": "Thu, 09 Oct 2025 15:32:21 +0800" } ], "notes": null, "is_version_downgrade": false }, { "name": "libmbim-proxy", "from_version": { "source_package_name": "libmbim", "source_package_version": "1.31.2-0ubuntu3", "version": "1.31.2-0ubuntu3" }, "to_version": { "source_package_name": "libmbim", "source_package_version": "1.31.2-0ubuntu3.1", "version": "1.31.2-0ubuntu3.1" }, "cves": [], "launchpad_bugs_fixed": [ 2121842 ], "changes": [ { "cves": [], "log": [ "", " * Add Intel mbim service to send AT command (LP: #2121842)", "" ], "package": "libmbim", "version": "1.31.2-0ubuntu3.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2121842 ], "author": "Dirk Su ", "date": "Thu, 09 Oct 2025 15:32:21 +0800" } ], "notes": null, "is_version_downgrade": false }, { "name": "libmbim-utils", "from_version": { "source_package_name": "libmbim", "source_package_version": "1.31.2-0ubuntu3", "version": "1.31.2-0ubuntu3" }, "to_version": { "source_package_name": "libmbim", "source_package_version": "1.31.2-0ubuntu3.1", "version": "1.31.2-0ubuntu3.1" }, "cves": [], "launchpad_bugs_fixed": [ 2121842 ], "changes": [ { "cves": [], "log": [ "", " * Add Intel mbim service to send AT command (LP: #2121842)", "" ], "package": "libmbim", "version": "1.31.2-0ubuntu3.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2121842 ], "author": "Dirk Su ", "date": "Thu, 09 Oct 2025 15:32:21 +0800" } ], "notes": null, "is_version_downgrade": false }, { "name": "libmount1", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.3", "version": "2.39.3-9ubuntu6.3" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.4", "version": "2.39.3-9ubuntu6.4" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.39.3-9ubuntu6.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2123886 ], "author": "Joao Andre Simioni ", "date": "Mon, 15 Sep 2025 21:08:02 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libnss-systemd", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.12", "version": "255.4-1ubuntu8.12" }, "cves": [], "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "changes": [ { "cves": [], "log": [ "", " * basic: validate timezones in get_timezones() (LP: #2125405)", " * ukify: fix insertion of padding in merged sections (LP: #2132666)", " * core: downgrade a log message from warning to debug (LP: #2130554)", " * test: skip testcase_multipath_basic_failover.", " This test has been failing on Ubuntu infrastructure for a long time.", " Leaving this alone at the moment allows other failures to potentially go", " unnoticed, because the migration reference baseline has been reset to", " fail. Skip the test to try and reset the baseline to pass.", " * d/gbp.conf: stop using wrap_cl.py", "" ], "package": "systemd", "version": "255.4-1ubuntu8.12", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "author": "Nick Rosbrook ", "date": "Tue, 25 Nov 2025 13:16:31 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libnuma1", "from_version": { "source_package_name": "numactl", "source_package_version": "2.0.18-1build1", "version": "2.0.18-1build1" }, "to_version": { "source_package_name": "numactl", "source_package_version": "2.0.18-1ubuntu0.24.04.1", "version": "2.0.18-1ubuntu0.24.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2136104 ], "changes": [ { "cves": [], "log": [ "", " * d/p/fix-stray-errno.patch: save and restore errno when probing for", " SET_PREFERRED_MANY (LP: #2136104)", "" ], "package": "numactl", "version": "2.0.18-1ubuntu0.24.04.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2136104 ], "author": "Renan Rodrigo ", "date": "Fri, 09 Jan 2026 10:36:33 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpam-systemd", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.12", "version": "255.4-1ubuntu8.12" }, "cves": [], "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "changes": [ { "cves": [], "log": [ "", " * basic: validate timezones in get_timezones() (LP: #2125405)", " * ukify: fix insertion of padding in merged sections (LP: #2132666)", " * core: downgrade a log message from warning to debug (LP: #2130554)", " * test: skip testcase_multipath_basic_failover.", " This test has been failing on Ubuntu infrastructure for a long time.", " Leaving this alone at the moment allows other failures to potentially go", " unnoticed, because the migration reference baseline has been reset to", " fail. Skip the test to try and reset the baseline to pass.", " * d/gbp.conf: stop using wrap_cl.py", "" ], "package": "systemd", "version": "255.4-1ubuntu8.12", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "author": "Nick Rosbrook ", "date": "Tue, 25 Nov 2025 13:16:31 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpng16-16t64", "from_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.43-5ubuntu0.1", "version": "1.6.43-5ubuntu0.1" }, "to_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.43-5ubuntu0.3", "version": "1.6.43-5ubuntu0.3" }, "cves": [ { "cve": "CVE-2025-66293", "url": "https://ubuntu.com/security/CVE-2025-66293", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.", "cve_priority": "medium", "cve_public_date": "2025-12-03 21:15:00 UTC" }, { "cve": "CVE-2026-22695", "url": "https://ubuntu.com/security/CVE-2026-22695", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.", "cve_priority": "medium", "cve_public_date": "2026-01-12 23:15:00 UTC" }, { "cve": "CVE-2026-22801", "url": "https://ubuntu.com/security/CVE-2026-22801", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.", "cve_priority": "medium", "cve_public_date": "2026-01-12 23:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-66293", "url": "https://ubuntu.com/security/CVE-2025-66293", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.", "cve_priority": "medium", "cve_public_date": "2025-12-03 21:15:00 UTC" }, { "cve": "CVE-2026-22695", "url": "https://ubuntu.com/security/CVE-2026-22695", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.", "cve_priority": "medium", "cve_public_date": "2026-01-12 23:15:00 UTC" }, { "cve": "CVE-2026-22801", "url": "https://ubuntu.com/security/CVE-2026-22801", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, there is an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.", "cve_priority": "medium", "cve_public_date": "2026-01-12 23:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OOB in png_image_read_composite", " - debian/patches/CVE-2025-66293-1.patch: validate component size in", " pngread.c.", " - debian/patches/CVE-2025-66293-2.patch: improve fix in pngread.c.", " - CVE-2025-66293", " * SECURITY UPDATE: Heap buffer over-read in png_image_read_direct_scaled", " - debian/patches/CVE-2026-22695.patch: fix memcpy size in pngread.c.", " - CVE-2026-22695", " * SECURITY UPDATE: Integer truncation causing heap buffer over-read", " - debian/patches/CVE-2026-22801.patch: remove incorrect truncation", " casts in CMakeLists.txt, contrib/libtests/pngstest.c, pngwrite.c,", " tests/pngstest-large-stride.", " - CVE-2026-22801", "" ], "package": "libpng1.6", "version": "1.6.43-5ubuntu0.3", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Mon, 12 Jan 2026 13:14:03 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.12-minimal", "from_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.9", "version": "3.12.3-1ubuntu0.9" }, "to_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.10", "version": "3.12.3-1ubuntu0.10" }, "cves": [ { "cve": "CVE-2025-13836", "url": "https://ubuntu.com/security/CVE-2025-13836", "cve_description": "When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-13836", "url": "https://ubuntu.com/security/CVE-2025-13836", "cve_description": "When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HTTP Content-Length denial of service", " - debian/patches/CVE-2025-13836.patch: Read large data in chunks with", " geometric reads in Lib/http/client.py and add tests in ", " Lib/test/test_httplib.py", " - CVE-2025-13836", "" ], "package": "python3.12", "version": "3.12.3-1ubuntu0.10", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Thu, 08 Jan 2026 17:00:50 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.12-stdlib", "from_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.9", "version": "3.12.3-1ubuntu0.9" }, "to_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.10", "version": "3.12.3-1ubuntu0.10" }, "cves": [ { "cve": "CVE-2025-13836", "url": "https://ubuntu.com/security/CVE-2025-13836", "cve_description": "When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-13836", "url": "https://ubuntu.com/security/CVE-2025-13836", "cve_description": "When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HTTP Content-Length denial of service", " - debian/patches/CVE-2025-13836.patch: Read large data in chunks with", " geometric reads in Lib/http/client.py and add tests in ", " Lib/test/test_httplib.py", " - CVE-2025-13836", "" ], "package": "python3.12", "version": "3.12.3-1ubuntu0.10", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Thu, 08 Jan 2026 17:00:50 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.12t64", "from_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.9", "version": "3.12.3-1ubuntu0.9" }, "to_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.10", "version": "3.12.3-1ubuntu0.10" }, "cves": [ { "cve": "CVE-2025-13836", "url": "https://ubuntu.com/security/CVE-2025-13836", "cve_description": "When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-13836", "url": "https://ubuntu.com/security/CVE-2025-13836", "cve_description": "When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HTTP Content-Length denial of service", " - debian/patches/CVE-2025-13836.patch: Read large data in chunks with", " geometric reads in Lib/http/client.py and add tests in ", " Lib/test/test_httplib.py", " - CVE-2025-13836", "" ], "package": "python3.12", "version": "3.12.3-1ubuntu0.10", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Thu, 08 Jan 2026 17:00:50 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsmartcols1", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.3", "version": "2.39.3-9ubuntu6.3" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.4", "version": "2.39.3-9ubuntu6.4" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.39.3-9ubuntu6.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2123886 ], "author": "Joao Andre Simioni ", "date": "Mon, 15 Sep 2025 21:08:02 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsodium23", "from_version": { "source_package_name": "libsodium", "source_package_version": "1.0.18-1build3", "version": "1.0.18-1build3" }, "to_version": { "source_package_name": "libsodium", "source_package_version": "1.0.18-1ubuntu0.24.04.1", "version": "1.0.18-1ubuntu0.24.04.1" }, "cves": [ { "cve": "CVE-2025-69277", "url": "https://ubuntu.com/security/CVE-2025-69277", "cve_description": "libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.", "cve_priority": "medium", "cve_public_date": "2025-12-31 06:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-69277", "url": "https://ubuntu.com/security/CVE-2025-69277", "cve_description": "libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group.", "cve_priority": "medium", "cve_public_date": "2025-12-31 06:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: mishandled check in crypto_core_ed25519_is_valid_point", " - debian/patches/CVE-2025-69277.patch: check Y==Z in addition to X==0", " in src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c,", " test/default/core_ed25519.c.", " - CVE-2025-69277", "" ], "package": "libsodium", "version": "1.0.18-1ubuntu0.24.04.1", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 06 Jan 2026 11:06:40 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libssl3t64", "from_version": { "source_package_name": "openssl", "source_package_version": "3.0.13-0ubuntu3.6", "version": "3.0.13-0ubuntu3.6" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.0.13-0ubuntu3.7", "version": "3.0.13-0ubuntu3.7" }, "cves": [ { "cve": "CVE-2025-15467", "url": "https://ubuntu.com/security/CVE-2025-15467", "cve_description": "Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-68160", "url": "https://ubuntu.com/security/CVE-2025-68160", "cve_description": "Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69418", "url": "https://ubuntu.com/security/CVE-2025-69418", "cve_description": "Issue summary: When using the low-level OCB API directly with AES-NI or
other hardware-accelerated code paths, inputs whose length is not a multiple
of 16 bytes can leave the final partial block unencrypted and unauthenticated.

Impact summary: The trailing 1-15 bytes of a message may be exposed in
cleartext on encryption and are not covered by the authentication tag,
allowing an attacker to read or tamper with those bytes without detection.

The low-level OCB encrypt and decrypt routines in the hardware-accelerated
stream path process full 16-byte blocks but do not advance the input/output
pointers. The subsequent tail-handling code then operates on the original
base pointers, effectively reprocessing the beginning of the buffer while
leaving the actual trailing bytes unprocessed. The authentication checksum
also excludes the true tail bytes.

However, typical OpenSSL consumers using EVP are not affected because the
higher-level EVP and provider OCB implementations split inputs so that full
blocks and trailing partial blocks are processed in separate calls, avoiding
the problematic code path. Additionally, TLS does not use OCB ciphersuites.
The vulnerability only affects applications that call the low-level
CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with
non-block-aligned lengths in a single call on hardware-accelerated builds.
For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected
by this issue, as OCB mode is not a FIPS-approved algorithm.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69419", "url": "https://ubuntu.com/security/CVE-2025-69419", "cve_description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69420", "url": "https://ubuntu.com/security/CVE-2025-69420", "cve_description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69421", "url": "https://ubuntu.com/security/CVE-2025-69421", "cve_description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2026-2279", "url": "https://ubuntu.com/security/CVE-2026-2279", "cve_description": "", "cve_priority": "n/a", "cve_public_date": "" }, { "cve": "CVE-2026-22795", "url": "https://ubuntu.com/security/CVE-2026-22795", "cve_description": "Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2026-22796", "url": "https://ubuntu.com/security/CVE-2026-22796", "cve_description": "Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15467", "url": "https://ubuntu.com/security/CVE-2025-15467", "cve_description": "Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-68160", "url": "https://ubuntu.com/security/CVE-2025-68160", "cve_description": "Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69418", "url": "https://ubuntu.com/security/CVE-2025-69418", "cve_description": "Issue summary: When using the low-level OCB API directly with AES-NI or
other hardware-accelerated code paths, inputs whose length is not a multiple
of 16 bytes can leave the final partial block unencrypted and unauthenticated.

Impact summary: The trailing 1-15 bytes of a message may be exposed in
cleartext on encryption and are not covered by the authentication tag,
allowing an attacker to read or tamper with those bytes without detection.

The low-level OCB encrypt and decrypt routines in the hardware-accelerated
stream path process full 16-byte blocks but do not advance the input/output
pointers. The subsequent tail-handling code then operates on the original
base pointers, effectively reprocessing the beginning of the buffer while
leaving the actual trailing bytes unprocessed. The authentication checksum
also excludes the true tail bytes.

However, typical OpenSSL consumers using EVP are not affected because the
higher-level EVP and provider OCB implementations split inputs so that full
blocks and trailing partial blocks are processed in separate calls, avoiding
the problematic code path. Additionally, TLS does not use OCB ciphersuites.
The vulnerability only affects applications that call the low-level
CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with
non-block-aligned lengths in a single call on hardware-accelerated builds.
For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected
by this issue, as OCB mode is not a FIPS-approved algorithm.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69419", "url": "https://ubuntu.com/security/CVE-2025-69419", "cve_description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69420", "url": "https://ubuntu.com/security/CVE-2025-69420", "cve_description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69421", "url": "https://ubuntu.com/security/CVE-2025-69421", "cve_description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2026-2279", "url": "https://ubuntu.com/security/CVE-2026-2279", "cve_description": "", "cve_priority": "n/a", "cve_public_date": "" }, { "cve": "CVE-2026-22795", "url": "https://ubuntu.com/security/CVE-2026-22795", "cve_description": "Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2026-22796", "url": "https://ubuntu.com/security/CVE-2026-22796", "cve_description": "Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Stack buffer overflow in CMS AuthEnvelopedData parsing", " - debian/patches/CVE-2025-15467-1.patch: correct handling of", " AEAD-encrypted CMS with inadmissibly long IV in crypto/evp/evp_lib.c.", " - debian/patches/CVE-2025-15467-2.patch: some comments to clarify", " functions usage in crypto/asn1/evp_asn1.c.", " - debian/patches/CVE-2025-15467-3.patch: test for handling of", " AEAD-encrypted CMS with inadmissibly long IV in test/cmsapitest.c,", " test/recipes/80-test_cmsapi.t,", " test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem.", " - CVE-2025-15467", " * SECURITY UPDATE: Heap out-of-bounds write in BIO_f_linebuffer on short", " writes", " - debian/patches/CVE-2025-68160.patch: fix heap buffer overflow in", " BIO_f_linebuffer in crypto/bio/bf_lbuf.c.", " - CVE-2025-68160", " * SECURITY UPDATE: Unauthenticated/unencrypted trailing bytes with", " low-level OCB function calls", " - debian/patches/CVE-2025-69418.patch: fix OCB AES-NI/HW stream path", " unauthenticated/unencrypted trailing bytes in crypto/modes/ocb128.c.", " - CVE-2025-69418", " * SECURITY UPDATE: Out of bounds write in PKCS12_get_friendlyname() UTF-8", " conversion", " - debian/patches/CVE-2025-69419.patch: check return code of UTF8_putc", " in crypto/asn1/a_strex.c, crypto/pkcs12/p12_utl.c.", " - CVE-2025-69419", " * SECURITY UPDATE: Missing ASN1_TYPE validation in", " TS_RESP_verify_response() function", " - debian/patches/CVE-2025-69420.patch: verify ASN1 object's types", " before attempting to access them as a particular type in", " crypto/ts/ts_rsp_verify.c.", " - CVE-2025-69420", " * SECURITY UPDATE: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex", " - debian/patches/CVE-2025-69421.patch: add NULL check in", " crypto/pkcs12/p12_decr.c.", " - CVE-2025-69421", " * SECURITY UPDATE: ASN1_TYPE missing validation and type confusion", " - debian/patches/CVE-2026-2279x.patch: ensure ASN1 types are checked", " before use in apps/s_client.c, crypto/pkcs12/p12_kiss.c,", " crypto/pkcs7/pk7_doit.c.", " - CVE-2026-22795", " - CVE-2026-22796", "" ], "package": "openssl", "version": "3.0.13-0ubuntu3.7", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Mon, 26 Jan 2026 07:31:31 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsystemd-shared", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.12", "version": "255.4-1ubuntu8.12" }, "cves": [], "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "changes": [ { "cves": [], "log": [ "", " * basic: validate timezones in get_timezones() (LP: #2125405)", " * ukify: fix insertion of padding in merged sections (LP: #2132666)", " * core: downgrade a log message from warning to debug (LP: #2130554)", " * test: skip testcase_multipath_basic_failover.", " This test has been failing on Ubuntu infrastructure for a long time.", " Leaving this alone at the moment allows other failures to potentially go", " unnoticed, because the migration reference baseline has been reset to", " fail. Skip the test to try and reset the baseline to pass.", " * d/gbp.conf: stop using wrap_cl.py", "" ], "package": "systemd", "version": "255.4-1ubuntu8.12", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "author": "Nick Rosbrook ", "date": "Tue, 25 Nov 2025 13:16:31 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsystemd0", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.12", "version": "255.4-1ubuntu8.12" }, "cves": [], "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "changes": [ { "cves": [], "log": [ "", " * basic: validate timezones in get_timezones() (LP: #2125405)", " * ukify: fix insertion of padding in merged sections (LP: #2132666)", " * core: downgrade a log message from warning to debug (LP: #2130554)", " * test: skip testcase_multipath_basic_failover.", " This test has been failing on Ubuntu infrastructure for a long time.", " Leaving this alone at the moment allows other failures to potentially go", " unnoticed, because the migration reference baseline has been reset to", " fail. Skip the test to try and reset the baseline to pass.", " * d/gbp.conf: stop using wrap_cl.py", "" ], "package": "systemd", "version": "255.4-1ubuntu8.12", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "author": "Nick Rosbrook ", "date": "Tue, 25 Nov 2025 13:16:31 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libtasn1-6", "from_version": { "source_package_name": "libtasn1-6", "source_package_version": "4.19.0-3ubuntu0.24.04.1", "version": "4.19.0-3ubuntu0.24.04.1" }, "to_version": { "source_package_name": "libtasn1-6", "source_package_version": "4.19.0-3ubuntu0.24.04.2", "version": "4.19.0-3ubuntu0.24.04.2" }, "cves": [ { "cve": "CVE-2025-13151", "url": "https://ubuntu.com/security/CVE-2025-13151", "cve_description": "Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.", "cve_priority": "medium", "cve_public_date": "2026-01-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-13151", "url": "https://ubuntu.com/security/CVE-2025-13151", "cve_description": "Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string.", "cve_priority": "medium", "cve_public_date": "2026-01-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Stack-based buffer overflow", " - debian/patches/CVE-2025-13151.patch: fix asn1_expand_octet_string", " buffer size in lib/decoding.c.", " - CVE-2025-13151", "" ], "package": "libtasn1-6", "version": "4.19.0-3ubuntu0.24.04.2", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 08 Jan 2026 12:24:41 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libudev1", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.12", "version": "255.4-1ubuntu8.12" }, "cves": [], "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "changes": [ { "cves": [], "log": [ "", " * basic: validate timezones in get_timezones() (LP: #2125405)", " * ukify: fix insertion of padding in merged sections (LP: #2132666)", " * core: downgrade a log message from warning to debug (LP: #2130554)", " * test: skip testcase_multipath_basic_failover.", " This test has been failing on Ubuntu infrastructure for a long time.", " Leaving this alone at the moment allows other failures to potentially go", " unnoticed, because the migration reference baseline has been reset to", " fail. Skip the test to try and reset the baseline to pass.", " * d/gbp.conf: stop using wrap_cl.py", "" ], "package": "systemd", "version": "255.4-1ubuntu8.12", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "author": "Nick Rosbrook ", "date": "Tue, 25 Nov 2025 13:16:31 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libuuid1", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.3", "version": "2.39.3-9ubuntu6.3" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.4", "version": "2.39.3-9ubuntu6.4" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.39.3-9ubuntu6.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2123886 ], "author": "Joao Andre Simioni ", "date": "Mon, 15 Sep 2025 21:08:02 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libxml2", "from_version": { "source_package_name": "libxml2", "source_package_version": "2.9.14+dfsg-1.3ubuntu3.6", "version": "2.9.14+dfsg-1.3ubuntu3.6" }, "to_version": { "source_package_name": "libxml2", "source_package_version": "2.9.14+dfsg-1.3ubuntu3.7", "version": "2.9.14+dfsg-1.3ubuntu3.7" }, "cves": [ { "cve": "CVE-2025-8732", "url": "https://ubuntu.com/security/CVE-2025-8732", "cve_description": "A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that \"[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all.\"", "cve_priority": "low", "cve_public_date": "2025-08-08 17:15:00 UTC" }, { "cve": "CVE-2026-0989", "url": "https://ubuntu.com/security/CVE-2026-0989", "cve_description": "A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.", "cve_priority": "medium", "cve_public_date": "2026-01-15 15:15:00 UTC" }, { "cve": "CVE-2026-0990", "url": "https://ubuntu.com/security/CVE-2026-0990", "cve_description": "A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.", "cve_priority": "medium", "cve_public_date": "2026-01-15 15:15:00 UTC" }, { "cve": "CVE-2026-0992", "url": "https://ubuntu.com/security/CVE-2026-0992", "cve_description": "A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.", "cve_priority": "medium", "cve_public_date": "2026-01-15 15:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-8732", "url": "https://ubuntu.com/security/CVE-2025-8732", "cve_description": "A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that \"[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all.\"", "cve_priority": "low", "cve_public_date": "2025-08-08 17:15:00 UTC" }, { "cve": "CVE-2026-0989", "url": "https://ubuntu.com/security/CVE-2026-0989", "cve_description": "A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.", "cve_priority": "medium", "cve_public_date": "2026-01-15 15:15:00 UTC" }, { "cve": "CVE-2026-0990", "url": "https://ubuntu.com/security/CVE-2026-0990", "cve_description": "A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.", "cve_priority": "medium", "cve_public_date": "2026-01-15 15:15:00 UTC" }, { "cve": "CVE-2026-0992", "url": "https://ubuntu.com/security/CVE-2026-0992", "cve_description": "A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.", "cve_priority": "medium", "cve_public_date": "2026-01-15 15:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Infinite recursion with SGML catalogs.", " - debian/patches/CVE-2025-8732.patch: Add catalog depth and checks in", " catalog.c. Add test files in result/catalogs/recursive and", " test/catalogs/recursive.sgml.", " - CVE-2025-8732", " * SECURITY UPDATE: Infinite recursion when resolving include directives in", " RelaxNG parser.", " - debian/patches/CVE-2026-0989.patch: Add xmlRelaxParserSetIncLImit in", " include/libxml/relaxng.h. Add include limit and checks in relaxng.c. Add", " test and test files in runtest.c,", " test/relaxng/include/include-limit.rng,", " test/relaxng/include/include-limit_1.rng,", " test/relaxng/include/include-limit_2.rng, and", " test/relaxng/include/include-limit_3.rng.", " - debian/libxml2.symbols: Add new xmlRelaxParserSetIncLImit symbol.", " - CVE-2026-0989", " * SECURITY UPDATE: Infinite recursion in URI dereferencing.", " - debian/patches/CVE-2026-0990.patch: Add MAX_CATAL_DEPTH and other checks", " in catalog.c.", " - CVE-2026-0990", " * SECURITY UPDATE: Uncontrolled resource consumption in catalogs.", " - debian/patches/CVE-2026-0992.patch: Add catalog duplication checks in", " catalog.c.", " - CVE-2026-0992", "" ], "package": "libxml2", "version": "2.9.14+dfsg-1.3ubuntu3.7", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 21 Jan 2026 12:24:26 -0330" } ], "notes": null, "is_version_downgrade": false }, { "name": "libxslt1.1", "from_version": { "source_package_name": "libxslt", "source_package_version": "1.1.39-0exp1ubuntu0.24.04.2", "version": "1.1.39-0exp1ubuntu0.24.04.2" }, "to_version": { "source_package_name": "libxslt", "source_package_version": "1.1.39-0exp1ubuntu0.24.04.3", "version": "1.1.39-0exp1ubuntu0.24.04.3" }, "cves": [ { "cve": "CVE-2025-7424", "url": "https://ubuntu.com/security/CVE-2025-7424", "cve_description": "A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input data, which can lead to type confusion during XML transformations. This vulnerability allows an attacker to crash the application or corrupt memory. In some cases, it may lead to denial of service or unexpected behavior.", "cve_priority": "medium", "cve_public_date": "2025-07-10 14:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-7424", "url": "https://ubuntu.com/security/CVE-2025-7424", "cve_description": "A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input data, which can lead to type confusion during XML transformations. This vulnerability allows an attacker to crash the application or corrupt memory. In some cases, it may lead to denial of service or unexpected behavior.", "cve_priority": "medium", "cve_public_date": "2025-07-10 14:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Denial of service in psvi memory field.", " - debian/patches/CVE-2025-7424-*.patch: Change logic of tctxt->style->doc", " in libxslt/functions.c, add libxslt/transformInternals.h, add new build", " sections to include file in CMakeLists.txt and libxslt/Makefile.am.", " - CVE-2025-7424", "" ], "package": "libxslt", "version": "1.1.39-0exp1ubuntu0.24.04.3", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Tue, 06 Jan 2026 11:48:48 -0330" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-90.91", "version": "6.8.0-90.91" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-94.96", "version": "6.8.0-94.96" }, "cves": [], "launchpad_bugs_fixed": [ 2128721 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-90.91", "" ], "package": "linux-meta", "version": "6.8.0-90.91", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Tue, 18 Nov 2025 12:45:53 +0100" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-89.90", "", " * missing transitionals for intel-iotg kernels (LP: #2128721)", " - [Packaging] Transition intel-iotg to hwe-24.04", "" ], "package": "linux-meta", "version": "6.8.0-89.90", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2128721 ], "author": "Manuel Diewald ", "date": "Fri, 14 Nov 2025 18:07:55 +0100" } ], "notes": null, "is_version_downgrade": true }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-90.91", "version": "6.8.0-90.91" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-94.96", "version": "6.8.0-94.96" }, "cves": [], "launchpad_bugs_fixed": [ 2128721 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-90.91", "" ], "package": "linux-meta", "version": "6.8.0-90.91", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Tue, 18 Nov 2025 12:45:53 +0100" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-89.90", "", " * missing transitionals for intel-iotg kernels (LP: #2128721)", " - [Packaging] Transition intel-iotg to hwe-24.04", "" ], "package": "linux-meta", "version": "6.8.0-89.90", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2128721 ], "author": "Manuel Diewald ", "date": "Fri, 14 Nov 2025 18:07:55 +0100" } ], "notes": null, "is_version_downgrade": true }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-90.91", "version": "6.8.0-90.91" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-94.96", "version": "6.8.0-94.96" }, "cves": [], "launchpad_bugs_fixed": [ 2128721 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-90.91", "" ], "package": "linux-meta", "version": "6.8.0-90.91", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Tue, 18 Nov 2025 12:45:53 +0100" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-89.90", "", " * missing transitionals for intel-iotg kernels (LP: #2128721)", " - [Packaging] Transition intel-iotg to hwe-24.04", "" ], "package": "linux-meta", "version": "6.8.0-89.90", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2128721 ], "author": "Manuel Diewald ", "date": "Fri, 14 Nov 2025 18:07:55 +0100" } ], "notes": null, "is_version_downgrade": true }, { "name": "linux-libc-dev", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-90.91", "version": "6.8.0-90.91" }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-94.96", "version": "6.8.0-94.96" }, "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-38561", "url": "https://ubuntu.com/security/CVE-2025-38561", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.", "cve_priority": "high", "cve_public_date": "2025-08-19 17:15:00 UTC" }, { "cve": "CVE-2025-39698", "url": "https://ubuntu.com/security/CVE-2025-39698", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the io_kiocb async_data field, but the request isn't marked with REQ_F_ASYNC_DATA at that point. Those two should always go together, as the flag tells io_uring whether the field is valid or not. Additionally, on failure cleanup, the futex handler frees the data but does not clear ->async_data. Clear the data and the flag in the error path as well. Thanks to Trend Micro Zero Day Initiative and particularly ReDress for reporting this.", "cve_priority": "high", "cve_public_date": "2025-09-05 18:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2138092 ], "changes": [ { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-38561", "url": "https://ubuntu.com/security/CVE-2025-38561", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.", "cve_priority": "high", "cve_public_date": "2025-08-19 17:15:00 UTC" }, { "cve": "CVE-2025-39698", "url": "https://ubuntu.com/security/CVE-2025-39698", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the io_kiocb async_data field, but the request isn't marked with REQ_F_ASYNC_DATA at that point. Those two should always go together, as the flag tells io_uring whether the field is valid or not. Additionally, on failure cleanup, the futex handler frees the data but does not clear ->async_data. Clear the data and the flag in the error path as well. Thanks to Trend Micro Zero Day Initiative and particularly ReDress for reporting this.", "cve_priority": "high", "cve_public_date": "2025-09-05 18:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-94.96 -proposed tracker (LP: #2138092)", "", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", "", " * CVE-2025-38561", " - ksmbd: fix Preauh_HashValue race condition", "", " * CVE-2025-39698", " - io_uring/futex: ensure io_futex_wait() cleans up properly on failure", "" ], "package": "linux", "version": "6.8.0-94.96", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2138092 ], "author": "Manuel Diewald ", "date": "Fri, 09 Jan 2026 17:07:51 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-tools-common", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-90.91", "version": "6.8.0-90.91" }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-94.96", "version": "6.8.0-94.96" }, "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-38561", "url": "https://ubuntu.com/security/CVE-2025-38561", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.", "cve_priority": "high", "cve_public_date": "2025-08-19 17:15:00 UTC" }, { "cve": "CVE-2025-39698", "url": "https://ubuntu.com/security/CVE-2025-39698", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the io_kiocb async_data field, but the request isn't marked with REQ_F_ASYNC_DATA at that point. Those two should always go together, as the flag tells io_uring whether the field is valid or not. Additionally, on failure cleanup, the futex handler frees the data but does not clear ->async_data. Clear the data and the flag in the error path as well. Thanks to Trend Micro Zero Day Initiative and particularly ReDress for reporting this.", "cve_priority": "high", "cve_public_date": "2025-09-05 18:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2138092 ], "changes": [ { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-38561", "url": "https://ubuntu.com/security/CVE-2025-38561", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.", "cve_priority": "high", "cve_public_date": "2025-08-19 17:15:00 UTC" }, { "cve": "CVE-2025-39698", "url": "https://ubuntu.com/security/CVE-2025-39698", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the io_kiocb async_data field, but the request isn't marked with REQ_F_ASYNC_DATA at that point. Those two should always go together, as the flag tells io_uring whether the field is valid or not. Additionally, on failure cleanup, the futex handler frees the data but does not clear ->async_data. Clear the data and the flag in the error path as well. Thanks to Trend Micro Zero Day Initiative and particularly ReDress for reporting this.", "cve_priority": "high", "cve_public_date": "2025-09-05 18:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-94.96 -proposed tracker (LP: #2138092)", "", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", "", " * CVE-2025-38561", " - ksmbd: fix Preauh_HashValue race condition", "", " * CVE-2025-39698", " - io_uring/futex: ensure io_futex_wait() cleans up properly on failure", "" ], "package": "linux", "version": "6.8.0-94.96", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2138092 ], "author": "Manuel Diewald ", "date": "Fri, 09 Jan 2026 17:07:51 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-90.91", "version": "6.8.0-90.91" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.8.0-94.96", "version": "6.8.0-94.96" }, "cves": [], "launchpad_bugs_fixed": [ 2128721 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-90.91", "" ], "package": "linux-meta", "version": "6.8.0-90.91", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Tue, 18 Nov 2025 12:45:53 +0100" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-89.90", "", " * missing transitionals for intel-iotg kernels (LP: #2128721)", " - [Packaging] Transition intel-iotg to hwe-24.04", "" ], "package": "linux-meta", "version": "6.8.0-89.90", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2128721 ], "author": "Manuel Diewald ", "date": "Fri, 14 Nov 2025 18:07:55 +0100" } ], "notes": null, "is_version_downgrade": true }, { "name": "mount", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.3", "version": "2.39.3-9ubuntu6.3" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.4", "version": "2.39.3-9ubuntu6.4" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.39.3-9ubuntu6.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2123886 ], "author": "Joao Andre Simioni ", "date": "Mon, 15 Sep 2025 21:08:02 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "multipath-tools", "from_version": { "source_package_name": "multipath-tools", "source_package_version": "0.9.4-5ubuntu8", "version": "0.9.4-5ubuntu8" }, "to_version": { "source_package_name": "multipath-tools", "source_package_version": "0.9.4-5ubuntu8.1", "version": "0.9.4-5ubuntu8.1" }, "cves": [], "launchpad_bugs_fixed": [ 2116901 ], "changes": [ { "cves": [], "log": [ "", " * d/p/0005-hpe-msa-gen7-support.patch: add support for HPE MSA gen7 arrays", " (LP: #2116901)", "" ], "package": "multipath-tools", "version": "0.9.4-5ubuntu8.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2116901 ], "author": "Jonas Jelten ", "date": "Tue, 22 Jul 2025 17:44:15 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "numactl", "from_version": { "source_package_name": "numactl", "source_package_version": "2.0.18-1build1", "version": "2.0.18-1build1" }, "to_version": { "source_package_name": "numactl", "source_package_version": "2.0.18-1ubuntu0.24.04.1", "version": "2.0.18-1ubuntu0.24.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2136104 ], "changes": [ { "cves": [], "log": [ "", " * d/p/fix-stray-errno.patch: save and restore errno when probing for", " SET_PREFERRED_MANY (LP: #2136104)", "" ], "package": "numactl", "version": "2.0.18-1ubuntu0.24.04.1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2136104 ], "author": "Renan Rodrigo ", "date": "Fri, 09 Jan 2026 10:36:33 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssl", "from_version": { "source_package_name": "openssl", "source_package_version": "3.0.13-0ubuntu3.6", "version": "3.0.13-0ubuntu3.6" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.0.13-0ubuntu3.7", "version": "3.0.13-0ubuntu3.7" }, "cves": [ { "cve": "CVE-2025-15467", "url": "https://ubuntu.com/security/CVE-2025-15467", "cve_description": "Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-68160", "url": "https://ubuntu.com/security/CVE-2025-68160", "cve_description": "Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69418", "url": "https://ubuntu.com/security/CVE-2025-69418", "cve_description": "Issue summary: When using the low-level OCB API directly with AES-NI or
other hardware-accelerated code paths, inputs whose length is not a multiple
of 16 bytes can leave the final partial block unencrypted and unauthenticated.

Impact summary: The trailing 1-15 bytes of a message may be exposed in
cleartext on encryption and are not covered by the authentication tag,
allowing an attacker to read or tamper with those bytes without detection.

The low-level OCB encrypt and decrypt routines in the hardware-accelerated
stream path process full 16-byte blocks but do not advance the input/output
pointers. The subsequent tail-handling code then operates on the original
base pointers, effectively reprocessing the beginning of the buffer while
leaving the actual trailing bytes unprocessed. The authentication checksum
also excludes the true tail bytes.

However, typical OpenSSL consumers using EVP are not affected because the
higher-level EVP and provider OCB implementations split inputs so that full
blocks and trailing partial blocks are processed in separate calls, avoiding
the problematic code path. Additionally, TLS does not use OCB ciphersuites.
The vulnerability only affects applications that call the low-level
CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with
non-block-aligned lengths in a single call on hardware-accelerated builds.
For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected
by this issue, as OCB mode is not a FIPS-approved algorithm.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69419", "url": "https://ubuntu.com/security/CVE-2025-69419", "cve_description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69420", "url": "https://ubuntu.com/security/CVE-2025-69420", "cve_description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69421", "url": "https://ubuntu.com/security/CVE-2025-69421", "cve_description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2026-2279", "url": "https://ubuntu.com/security/CVE-2026-2279", "cve_description": "", "cve_priority": "n/a", "cve_public_date": "" }, { "cve": "CVE-2026-22795", "url": "https://ubuntu.com/security/CVE-2026-22795", "cve_description": "Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2026-22796", "url": "https://ubuntu.com/security/CVE-2026-22796", "cve_description": "Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15467", "url": "https://ubuntu.com/security/CVE-2025-15467", "cve_description": "Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-68160", "url": "https://ubuntu.com/security/CVE-2025-68160", "cve_description": "Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69418", "url": "https://ubuntu.com/security/CVE-2025-69418", "cve_description": "Issue summary: When using the low-level OCB API directly with AES-NI or
other hardware-accelerated code paths, inputs whose length is not a multiple
of 16 bytes can leave the final partial block unencrypted and unauthenticated.

Impact summary: The trailing 1-15 bytes of a message may be exposed in
cleartext on encryption and are not covered by the authentication tag,
allowing an attacker to read or tamper with those bytes without detection.

The low-level OCB encrypt and decrypt routines in the hardware-accelerated
stream path process full 16-byte blocks but do not advance the input/output
pointers. The subsequent tail-handling code then operates on the original
base pointers, effectively reprocessing the beginning of the buffer while
leaving the actual trailing bytes unprocessed. The authentication checksum
also excludes the true tail bytes.

However, typical OpenSSL consumers using EVP are not affected because the
higher-level EVP and provider OCB implementations split inputs so that full
blocks and trailing partial blocks are processed in separate calls, avoiding
the problematic code path. Additionally, TLS does not use OCB ciphersuites.
The vulnerability only affects applications that call the low-level
CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with
non-block-aligned lengths in a single call on hardware-accelerated builds.
For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected
by this issue, as OCB mode is not a FIPS-approved algorithm.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69419", "url": "https://ubuntu.com/security/CVE-2025-69419", "cve_description": "Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69420", "url": "https://ubuntu.com/security/CVE-2025-69420", "cve_description": "Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2025-69421", "url": "https://ubuntu.com/security/CVE-2025-69421", "cve_description": "Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2026-2279", "url": "https://ubuntu.com/security/CVE-2026-2279", "cve_description": "", "cve_priority": "n/a", "cve_public_date": "" }, { "cve": "CVE-2026-22795", "url": "https://ubuntu.com/security/CVE-2026-22795", "cve_description": "Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" }, { "cve": "CVE-2026-22796", "url": "https://ubuntu.com/security/CVE-2026-22796", "cve_description": "Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.", "cve_priority": "low", "cve_public_date": "2026-01-27 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Stack buffer overflow in CMS AuthEnvelopedData parsing", " - debian/patches/CVE-2025-15467-1.patch: correct handling of", " AEAD-encrypted CMS with inadmissibly long IV in crypto/evp/evp_lib.c.", " - debian/patches/CVE-2025-15467-2.patch: some comments to clarify", " functions usage in crypto/asn1/evp_asn1.c.", " - debian/patches/CVE-2025-15467-3.patch: test for handling of", " AEAD-encrypted CMS with inadmissibly long IV in test/cmsapitest.c,", " test/recipes/80-test_cmsapi.t,", " test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem.", " - CVE-2025-15467", " * SECURITY UPDATE: Heap out-of-bounds write in BIO_f_linebuffer on short", " writes", " - debian/patches/CVE-2025-68160.patch: fix heap buffer overflow in", " BIO_f_linebuffer in crypto/bio/bf_lbuf.c.", " - CVE-2025-68160", " * SECURITY UPDATE: Unauthenticated/unencrypted trailing bytes with", " low-level OCB function calls", " - debian/patches/CVE-2025-69418.patch: fix OCB AES-NI/HW stream path", " unauthenticated/unencrypted trailing bytes in crypto/modes/ocb128.c.", " - CVE-2025-69418", " * SECURITY UPDATE: Out of bounds write in PKCS12_get_friendlyname() UTF-8", " conversion", " - debian/patches/CVE-2025-69419.patch: check return code of UTF8_putc", " in crypto/asn1/a_strex.c, crypto/pkcs12/p12_utl.c.", " - CVE-2025-69419", " * SECURITY UPDATE: Missing ASN1_TYPE validation in", " TS_RESP_verify_response() function", " - debian/patches/CVE-2025-69420.patch: verify ASN1 object's types", " before attempting to access them as a particular type in", " crypto/ts/ts_rsp_verify.c.", " - CVE-2025-69420", " * SECURITY UPDATE: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex", " - debian/patches/CVE-2025-69421.patch: add NULL check in", " crypto/pkcs12/p12_decr.c.", " - CVE-2025-69421", " * SECURITY UPDATE: ASN1_TYPE missing validation and type confusion", " - debian/patches/CVE-2026-2279x.patch: ensure ASN1 types are checked", " before use in apps/s_client.c, crypto/pkcs12/p12_kiss.c,", " crypto/pkcs7/pk7_doit.c.", " - CVE-2026-22795", " - CVE-2026-22796", "" ], "package": "openssl", "version": "3.0.13-0ubuntu3.7", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Mon, 26 Jan 2026 07:31:31 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-distupgrade", "from_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:24.04.27", "version": "1:24.04.27" }, "to_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:24.04.28", "version": "1:24.04.28" }, "cves": [], "launchpad_bugs_fixed": [ 2138637 ], "changes": [ { "cves": [], "log": [ "", " * Run pre-build.sh: updating mirrors for point release (LP: #2138637)", "" ], "package": "ubuntu-release-upgrader", "version": "1:24.04.28", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2138637 ], "author": "Florent 'Skia' Jacquet ", "date": "Mon, 19 Jan 2026 16:31:44 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-pyasn1", "from_version": { "source_package_name": "pyasn1", "source_package_version": "0.4.8-4", "version": "0.4.8-4" }, "to_version": { "source_package_name": "pyasn1", "source_package_version": "0.4.8-4ubuntu0.1", "version": "0.4.8-4ubuntu0.1" }, "cves": [ { "cve": "CVE-2026-23490", "url": "https://ubuntu.com/security/CVE-2026-23490", "cve_description": "pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.", "cve_priority": "medium", "cve_public_date": "2026-01-16 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-23490", "url": "https://ubuntu.com/security/CVE-2026-23490", "cve_description": "pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.", "cve_priority": "medium", "cve_public_date": "2026-01-16 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: memory exhaustion from malformed RELATIVE-OID", " - debian/patches/CVE-2026-23490.patch: add limit of 20 continuation", " octets per OID arc in pyasn1/codec/ber/decoder.py,", " tests/codec/ber/test_decoder.py.", " - CVE-2026-23490", "" ], "package": "pyasn1", "version": "0.4.8-4ubuntu0.1", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 20 Jan 2026 10:40:22 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-urllib3", "from_version": { "source_package_name": "python-urllib3", "source_package_version": "2.0.7-1ubuntu0.3", "version": "2.0.7-1ubuntu0.3" }, "to_version": { "source_package_name": "python-urllib3", "source_package_version": "2.0.7-1ubuntu0.6", "version": "2.0.7-1ubuntu0.6" }, "cves": [ { "cve": "CVE-2025-66471", "url": "https://ubuntu.com/security/CVE-2025-66471", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" }, { "cve": "CVE-2025-66471", "url": "https://ubuntu.com/security/CVE-2025-66471", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" }, { "cve": "CVE-2026-21441", "url": "https://ubuntu.com/security/CVE-2026-21441", "cve_description": "urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.", "cve_priority": "medium", "cve_public_date": "2026-01-07 22:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2136906, 2136906 ], "changes": [ { "cves": [ { "cve": "CVE-2025-66471", "url": "https://ubuntu.com/security/CVE-2025-66471", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: Zstandard missing attribute after CVE-2025-66471 fix.", " (LP: #2136906)", " - debian/patches/CVE-2025-66471-fix2.patch: Fall back if \"needs_input\" is", " not a zstd object attribute in src/urllib3/response.py.", "" ], "package": "python-urllib3", "version": "2.0.7-1ubuntu0.6", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [ 2136906 ], "author": "Hlib Korzhynskyy ", "date": "Tue, 13 Jan 2026 09:34:51 -0330" }, { "cves": [ { "cve": "CVE-2025-66471", "url": "https://ubuntu.com/security/CVE-2025-66471", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: Zstd issues after CVE-2025-66471 fix. (LP: #2136906)", " - debian/patches/CVE-2025-66471-fix1.patch: Revert zstd fix due to not", " being compatible with zstandard.", "" ], "package": "python-urllib3", "version": "2.0.7-1ubuntu0.5", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [ 2136906 ], "author": "Hlib Korzhynskyy ", "date": "Mon, 12 Jan 2026 17:27:22 -0330" }, { "cves": [ { "cve": "CVE-2026-21441", "url": "https://ubuntu.com/security/CVE-2026-21441", "cve_description": "urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted source.", "cve_priority": "medium", "cve_public_date": "2026-01-07 22:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Decompression bomb in HTTP redirect responses.", " - debian/patches/CVE-2026-21441.patch: Add decode_content to self.read()", " in src/urllib3/response.py. Add tests in", " test/with_dummyserver/test_connectionpool.py and dummyserver/app.py.", " - CVE-2026-21441", "" ], "package": "python-urllib3", "version": "2.0.7-1ubuntu0.4", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Thu, 08 Jan 2026 15:36:38 -0330" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.12", "from_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.9", "version": "3.12.3-1ubuntu0.9" }, "to_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.10", "version": "3.12.3-1ubuntu0.10" }, "cves": [ { "cve": "CVE-2025-13836", "url": "https://ubuntu.com/security/CVE-2025-13836", "cve_description": "When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-13836", "url": "https://ubuntu.com/security/CVE-2025-13836", "cve_description": "When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HTTP Content-Length denial of service", " - debian/patches/CVE-2025-13836.patch: Read large data in chunks with", " geometric reads in Lib/http/client.py and add tests in ", " Lib/test/test_httplib.py", " - CVE-2025-13836", "" ], "package": "python3.12", "version": "3.12.3-1ubuntu0.10", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Thu, 08 Jan 2026 17:00:50 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.12-minimal", "from_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.9", "version": "3.12.3-1ubuntu0.9" }, "to_version": { "source_package_name": "python3.12", "source_package_version": "3.12.3-1ubuntu0.10", "version": "3.12.3-1ubuntu0.10" }, "cves": [ { "cve": "CVE-2025-13836", "url": "https://ubuntu.com/security/CVE-2025-13836", "cve_description": "When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-13836", "url": "https://ubuntu.com/security/CVE-2025-13836", "cve_description": "When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.", "cve_priority": "medium", "cve_public_date": "2025-12-01 18:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: HTTP Content-Length denial of service", " - debian/patches/CVE-2025-13836.patch: Read large data in chunks with", " geometric reads in Lib/http/client.py and add tests in ", " Lib/test/test_httplib.py", " - CVE-2025-13836", "" ], "package": "python3.12", "version": "3.12.3-1ubuntu0.10", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Thu, 08 Jan 2026 17:00:50 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "screen", "from_version": { "source_package_name": "screen", "source_package_version": "4.9.1-1build1", "version": "4.9.1-1build1" }, "to_version": { "source_package_name": "screen", "source_package_version": "4.9.1-1ubuntu1", "version": "4.9.1-1ubuntu1" }, "cves": [ { "cve": "CVE-2025-46802", "url": "https://ubuntu.com/security/CVE-2025-46802", "cve_description": "For a short time they PTY is set to mode 666, allowing any user on the system to connect to the screen session.", "cve_priority": "medium", "cve_public_date": "2025-05-26 16:15:00 UTC" }, { "cve": "CVE-2025-46804", "url": "https://ubuntu.com/security/CVE-2025-46804", "cve_description": "A minor information leak when running Screen with setuid-root privileges allows unprivileged users to deduce information about a path that would otherwise not be available. Affected are older Screen versions, as well as version 5.0.0.", "cve_priority": "low", "cve_public_date": "2025-05-26 14:15:00 UTC" }, { "cve": "CVE-2025-46805", "url": "https://ubuntu.com/security/CVE-2025-46805", "cve_description": "Screen version 5.0.0 and older version 4 releases have a TOCTOU race potentially allowing to send SIGHUP, SIGCONT to privileged processes when installed setuid-root.", "cve_priority": "low", "cve_public_date": "2025-05-26 14:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-46802", "url": "https://ubuntu.com/security/CVE-2025-46802", "cve_description": "For a short time they PTY is set to mode 666, allowing any user on the system to connect to the screen session.", "cve_priority": "medium", "cve_public_date": "2025-05-26 16:15:00 UTC" }, { "cve": "CVE-2025-46804", "url": "https://ubuntu.com/security/CVE-2025-46804", "cve_description": "A minor information leak when running Screen with setuid-root privileges allows unprivileged users to deduce information about a path that would otherwise not be available. Affected are older Screen versions, as well as version 5.0.0.", "cve_priority": "low", "cve_public_date": "2025-05-26 14:15:00 UTC" }, { "cve": "CVE-2025-46805", "url": "https://ubuntu.com/security/CVE-2025-46805", "cve_description": "Screen version 5.0.0 and older version 4 releases have a TOCTOU race potentially allowing to send SIGHUP, SIGCONT to privileged processes when installed setuid-root.", "cve_priority": "low", "cve_public_date": "2025-05-26 14:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect PTY permissions", " - debian/patches/CVE-2025-46802.patch: prevent temporary 0666 mode on", " PTYs in attacher.c, screen.c.", " - CVE-2025-46802", " * SECURITY UPDATE: minor information leak", " - debian/patches/CVE-2025-46804.patch: avoid file existence test", " information leaks in screen.c, socket.c.", " - CVE-2025-46804", " * SECURITY UPDATE: TOCTOU allowing to send SIGHUP, SIGCONT", " - debian/patches/CVE-2025-46805.patch: don't send signals with root", " privileges in socket.c.", " - CVE-2025-46805", "" ], "package": "screen", "version": "4.9.1-1ubuntu1", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 22 Jan 2026 14:59:29 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "snapd", "from_version": { "source_package_name": "snapd", "source_package_version": "2.72+ubuntu24.04", "version": "2.72+ubuntu24.04" }, "to_version": { "source_package_name": "snapd", "source_package_version": "2.73+ubuntu24.04", "version": "2.73+ubuntu24.04" }, "cves": [], "launchpad_bugs_fixed": [ 2132084, 2127189, 1851490, 2121853, 2127214, 2127244, 2127766, 2118396, 2114923, 2112551, 2114779, 2112544, 2112332, 1952500, 1849346, 2098780, 2033883 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release, LP: #2132084", " - FDE: do not save incomplete FDE state when resealing was skipped", " - FDE: warn of inconsistent primary or policy counter", " - Confdb: document confdb in snapctl help messages", " - Confdb: only confdb hooks wait if snaps are disabled", " - Confdb: relax confdb change conflict checks", " - Confdb: remove empty parent when removing last leaf", " - Confdb: support parsing field filters", " - Confdb: wrap confdb write values under \"values\" key", " - dm-verity for essential snaps: add new naming convention for", " verity files", " - dm-verity for essential snaps: add snap integrity discovery", " - dm-verity for essential snaps: fix verity salt calculation", " - Assertions: add hardware identity assertion", " - Assertions: add integrity stanza in snap resources revisions", " - Assertions: add request message assertion required for remote", " device management", " - Assertions: add response-message assertion for secure remote", " device management", " - Assertions: expose WithStackedBackstore in RODatabase", " - Packaging: cross-distro | install upstream NEWS file into relevant", " snapd package doc directory", " - Packaging: cross-distro | tweak how the blocks injecting", " $SNAP_MOUNT_DIR/bin are generated as required for openSUSE", " - Packaging: remove deprecated snap-gdb-shim and all references now", " that snap run --gdb is unsupported and replaced by --gdbserver", " - Preseed: call systemd-tmpfiles instead handle-writable-paths on", " uc26", " - Preseed: do not remove the /snap dir but rather all its contents", " during reset", " - snap-confine: attach name derived from security tag to BPF maps", " and programs", " - snap-confine: ensure permitted capabilities match expectation", " - snap-confine: fix cached snap-confine profile cleanup to report", " the correct error instead of masking backend setup failures", " - snap-confine: Improve validation of user controlled paths", " - snap-confine: tighten snap cgroup checks to ensure a snap cannot", " start another snap in the same cgroup, preventing incorrect", " device-filter installation", " - core-initrd: add 26.04 ubuntu-core-initramfs package", " - core-initrd: add missing order dependency for setting default", " system files", " - core-initrd: avoid scanning loop and mmc boot partitions as the", " boot disk won't be any of these", " - core-initrd: make cpio a Depends and remove from Build-Depends", " - core-initrd: start plymouth sooner and reload when gadget is", " available", " - Cross-distro: modify syscheck to account for differences in", " openSUSE 16.0+", " - Validation sets: use in-flight validation sets when calling", " 'snapctl install' from hook", " - Prompting: enable prompting for the camera interface", " - Prompting: remove polkit authentication when modifying/deleting", " prompting rules", " - LP: #2127189 Prompting: do not record notices for unchanged rules", " on snapd startup", " - AppArmor: add free and pidof to the template", " - AppArmor: adjust interfaces/profiles to cope with coreutils paths", " - Interfaces: add support for compatibility expressions", " - Interfaces: checkbox-support | complete overhaul", " - Interfaces: define vulkan-driver-libs, cuda-driver-libs, egl-", " driver-libs, gbm-driver-libs, opengl-driver-libs, and opengles-", " driver-libs", " - Interfaces: allow snaps on classic access to nvidia graphics", " libraries exported by *-driver-libs interfaces", " - Interfaces: fwupd | broaden access to /boot/efi/EFI", " - Interfaces: gsettings | set dconf-service as profile for", " ca.desrt.dconf.Writer", " - Interfaces: iscsi-initiator, dm-multipath, nvme-control | add new", " interfaces", " - Interfaces: opengl | grant read/write permission to /run/nvidia-", " persistenced/socket", " - interfaces: ros-snapd-support | add access to /v2/changes/", " - Interfaces: system-observe | read access to btrfs/ext4/zfs", " filesystem information", " - Interfaces: system-trace | allow /sys/kernel/tracing/** rw", " - Interfaces: usb-gadget | add support for ffs mounts in attributes", " - Add autocompletion to run command", " - Introduce option for disallowing auto-connection of a specific", " interface", " - Only log errors for user service operations performed as a part of", " snap removal", " - Patch snap names in service requests for parallel installed snaps", " - Simplify traits for eMMC special partitions", " - Strip apparmor_parser from debug symbols shrinking snapd size by", " ~3MB", " - Fix InstallPathMany skipping refresh control", " - Fix waiting for GDB helper to stop before attaching gdbserver", " - Protect the per-snap tmp directory against being reaped by age", " - Prevent disabling base snaps to ensure dependent snaps can be", " removed", " - Modify API endpoint /v2/logs to reject n <= 0 (except for special", " case -1 meaning all)", " - Avoid potential deadlock when task is injected after the change", " was aborted", " - Avoid race between store download stream and cache cleanup", " executing in parallel when invoked by snap download task", " - LP: #1851490 Use \"current\" instead of revision number for icons", " - LP: #2121853 Add snapctl version command", " - LP: #2127214 Ensure no more than one partition on disk can match a", " gadget partition", " - LP: #2127244 snap-confine: update AppArmor profile to allow", " read/write to journal as workaround for snap-confine fd", " inheritance prevented by newer AppArmor", " - LP: #2127766 Add new tracing mechanism with independently running", " strace and shim synchronization", "" ], "package": "snapd", "version": "2.73+ubuntu24.04", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2132084, 2127189, 1851490, 2121853, 2127214, 2127244, 2127766 ], "author": "Ernest Lotter ", "date": "Fri, 21 Nov 2025 09:08:02 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2118396", " - FDE: auto-repair when recovery key is used", " - FDE: revoke keys on shim update", " - FDE: revoke old TPM keys when dbx has been updated", " - FDE: do not reseal FDE hook keys every time", " - FDE: store keys in the kernel keyring when installing from initrd", " - FDE: allow disabled DMA on Core", " - FDE: snap-bootstrap: do not check for partition in scan-disk on", " CVM", " - FDE: support secboot preinstall check for 25.10+ hybrid installs", " via the /v2/system/{label} endpoint", " - FDE: support generating recovery key at install time via the", " /v2/systems/{label} endpoint", " - FDE: update passphrase quality check at install time via the", " /v2/systems/{label} endpoint", " - FDE: support replacing recovery key at runtime via the new", " /v2/system-volumes endpoint", " - FDE: support checking recovery keys at runtime via the /v2/system-", " volumes endpoint", " - FDE: support enumerating keyslots at runtime via the /v2/system-", " volumes endpoint", " - FDE: support changing passphrase at runtime via the /v2/system-", " volumes endpoint", " - FDE: support passphrase quality check at runtime via the", " /v2/system-volumes endpoint", " - FDE: update secboot to revision 3e181c8edf0f", " - Confdb: support lists and indexed paths on read and write", " - Confdb: alias references must be wrapped in brackets", " - Confdb: support indexed paths in confdb-schema assertion", " - Confdb: make API errors consistent with options", " - Confdb: fetch confdb-schema assertion on access", " - Confdb: prevent --previous from being used in read-side hooks", " - Components: fix snap command with multiple components", " - Components: set revision of seed components to x1", " - Components: unmount extra kernel-modules components mounts", " - AppArmor Prompting: add lifespan \"session\" for prompting rules", " - AppArmor Prompting: support restoring prompts after snapd restart", " - AppArmor Prompting: limit the extra information included in probed", " AppArmor features and system key", " - Notices: refactor notice state internals", " - SELinux: look for restorecon/matchpathcon at all known locations", " rather than current PATH", " - SELinux: update policy to allow watching cgroups (for RAA), and", " talking to user session agents (service mgmt/refresh)", " - Refresh App Awareness: Fix unexpected inotify file descriptor", " cleanup", " - snap-confine: workaround for glibc fchmodat() fallback and handle", " ENOSYS", " - snap-confine: add support for host policy for limiting users able", " to run snaps", " - LP: #2114923 Reject system key mismatch advise when not yet seeded", " - Use separate lanes for essential and non-essential snaps during", " seeding and allow non-essential installs to retry", " - Fix bug preventing remodel from core18 to core18 when snapd snap", " is unchanged", " - LP: #2112551 Make removal of last active revision of a snap equal", " to snap remove", " - LP: #2114779 Allow non-gpt in fallback mode to support RPi", " - Switch from using systemd LogNamespace to manually controlled", " journal quotas", " - Change snap command trace logging to only log the command names", " - Grant desktop-launch access to /v2/snaps", " - Update code for creating the snap journal stream", " - Switch from using core to snapd snap for snap debug connectivity", " - LP: #2112544 Fix offline remodel case where we switched to a", " channel without an actual refresh", " - LP: #2112332 Exclude snap/snapd/preseeding when generating preseed", " tarball", " - LP: #1952500 Fix snap command progress reporting", " - LP: #1849346 Interfaces: kerberos-tickets | add new interface", " - Interfaces: u2f | add support for Thetis Pro", " - Interfaces: u2f | add OneSpan device and fix older device", " - Interfaces: pipewire, audio-playback | support pipewire as system", " daemon", " - Interfaces: gpg-keys | allow access to GPG agent sockets", " - Interfaces: usb-gadget | add new interface", " - Interfaces: snap-fde-control, firmware-updater-support | add new", " interfaces to support FDE", " - Interfaces: timezone-control | extend to support timedatectl", " varlink", " - Interfaces: cpu-control | fix rules for accessing IRQ sysfs and", " procfs directories", " - Interfaces: microstack-support | allow SR-IOV attachments", " - Interfaces: modify AppArmor template to allow snaps to read their", " own systemd credentials", " - Interfaces: posix-mq | allow stat on /dev/mqueue", " - LP: #2098780 Interfaces: log-observe | add capability", " dac_read_search", " - Interfaces: block-devices | allow access to ZFS pools and datasets", " - LP: #2033883 Interfaces: block-devices | opt-in access to", " individual partitions", " - Interfaces: accel | add new interface to support accel kernel", " subsystem", " - Interfaces: shutdown | allow client to bind on its side of dbus", " socket", " - Interfaces: modify seccomp template to allow pwritev2", " - Interfaces: modify AppArmor template to allow reading", " /proc/sys/fs/nr_open", " - Packaging: drop snap.failure service for openSUSE", " - Packaging: add SELinux support for openSUSE", " - Packaging: disable optee when using nooptee build tag", " - Packaging: add support for static PIE builds in snapd.mk, drop", " pie.patch from openSUSE", " - Packaging: add libcap2-bin runtime dependency for ubuntu-16.04", " - Packaging: use snapd.mk for packaging on Fedora", " - Packaging: exclude .git directory", " - Packaging: fix DPKG_PARSECHANGELOG assignment", " - Packaging: fix building on Fedora with dpkg installed", "" ], "package": "snapd", "version": "2.71", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2118396, 2114923, 2112551, 2114779, 2112544, 2112332, 1952500, 1849346, 2098780, 2033883 ], "author": "Ernest Lotter ", "date": "Fri, 25 Jul 2025 13:18:47 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.12", "version": "255.4-1ubuntu8.12" }, "cves": [], "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "changes": [ { "cves": [], "log": [ "", " * basic: validate timezones in get_timezones() (LP: #2125405)", " * ukify: fix insertion of padding in merged sections (LP: #2132666)", " * core: downgrade a log message from warning to debug (LP: #2130554)", " * test: skip testcase_multipath_basic_failover.", " This test has been failing on Ubuntu infrastructure for a long time.", " Leaving this alone at the moment allows other failures to potentially go", " unnoticed, because the migration reference baseline has been reset to", " fail. Skip the test to try and reset the baseline to pass.", " * d/gbp.conf: stop using wrap_cl.py", "" ], "package": "systemd", "version": "255.4-1ubuntu8.12", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "author": "Nick Rosbrook ", "date": "Tue, 25 Nov 2025 13:16:31 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-dev", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.12", "version": "255.4-1ubuntu8.12" }, "cves": [], "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "changes": [ { "cves": [], "log": [ "", " * basic: validate timezones in get_timezones() (LP: #2125405)", " * ukify: fix insertion of padding in merged sections (LP: #2132666)", " * core: downgrade a log message from warning to debug (LP: #2130554)", " * test: skip testcase_multipath_basic_failover.", " This test has been failing on Ubuntu infrastructure for a long time.", " Leaving this alone at the moment allows other failures to potentially go", " unnoticed, because the migration reference baseline has been reset to", " fail. Skip the test to try and reset the baseline to pass.", " * d/gbp.conf: stop using wrap_cl.py", "" ], "package": "systemd", "version": "255.4-1ubuntu8.12", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "author": "Nick Rosbrook ", "date": "Tue, 25 Nov 2025 13:16:31 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-resolved", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.12", "version": "255.4-1ubuntu8.12" }, "cves": [], "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "changes": [ { "cves": [], "log": [ "", " * basic: validate timezones in get_timezones() (LP: #2125405)", " * ukify: fix insertion of padding in merged sections (LP: #2132666)", " * core: downgrade a log message from warning to debug (LP: #2130554)", " * test: skip testcase_multipath_basic_failover.", " This test has been failing on Ubuntu infrastructure for a long time.", " Leaving this alone at the moment allows other failures to potentially go", " unnoticed, because the migration reference baseline has been reset to", " fail. Skip the test to try and reset the baseline to pass.", " * d/gbp.conf: stop using wrap_cl.py", "" ], "package": "systemd", "version": "255.4-1ubuntu8.12", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "author": "Nick Rosbrook ", "date": "Tue, 25 Nov 2025 13:16:31 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-sysv", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.12", "version": "255.4-1ubuntu8.12" }, "cves": [], "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "changes": [ { "cves": [], "log": [ "", " * basic: validate timezones in get_timezones() (LP: #2125405)", " * ukify: fix insertion of padding in merged sections (LP: #2132666)", " * core: downgrade a log message from warning to debug (LP: #2130554)", " * test: skip testcase_multipath_basic_failover.", " This test has been failing on Ubuntu infrastructure for a long time.", " Leaving this alone at the moment allows other failures to potentially go", " unnoticed, because the migration reference baseline has been reset to", " fail. Skip the test to try and reset the baseline to pass.", " * d/gbp.conf: stop using wrap_cl.py", "" ], "package": "systemd", "version": "255.4-1ubuntu8.12", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "author": "Nick Rosbrook ", "date": "Tue, 25 Nov 2025 13:16:31 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-timesyncd", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.12", "version": "255.4-1ubuntu8.12" }, "cves": [], "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "changes": [ { "cves": [], "log": [ "", " * basic: validate timezones in get_timezones() (LP: #2125405)", " * ukify: fix insertion of padding in merged sections (LP: #2132666)", " * core: downgrade a log message from warning to debug (LP: #2130554)", " * test: skip testcase_multipath_basic_failover.", " This test has been failing on Ubuntu infrastructure for a long time.", " Leaving this alone at the moment allows other failures to potentially go", " unnoticed, because the migration reference baseline has been reset to", " fail. Skip the test to try and reset the baseline to pass.", " * d/gbp.conf: stop using wrap_cl.py", "" ], "package": "systemd", "version": "255.4-1ubuntu8.12", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "author": "Nick Rosbrook ", "date": "Tue, 25 Nov 2025 13:16:31 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "ubuntu-release-upgrader-core", "from_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:24.04.27", "version": "1:24.04.27" }, "to_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:24.04.28", "version": "1:24.04.28" }, "cves": [], "launchpad_bugs_fixed": [ 2138637 ], "changes": [ { "cves": [], "log": [ "", " * Run pre-build.sh: updating mirrors for point release (LP: #2138637)", "" ], "package": "ubuntu-release-upgrader", "version": "1:24.04.28", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2138637 ], "author": "Florent 'Skia' Jacquet ", "date": "Mon, 19 Jan 2026 16:31:44 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "udev", "from_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.11", "version": "255.4-1ubuntu8.11" }, "to_version": { "source_package_name": "systemd", "source_package_version": "255.4-1ubuntu8.12", "version": "255.4-1ubuntu8.12" }, "cves": [], "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "changes": [ { "cves": [], "log": [ "", " * basic: validate timezones in get_timezones() (LP: #2125405)", " * ukify: fix insertion of padding in merged sections (LP: #2132666)", " * core: downgrade a log message from warning to debug (LP: #2130554)", " * test: skip testcase_multipath_basic_failover.", " This test has been failing on Ubuntu infrastructure for a long time.", " Leaving this alone at the moment allows other failures to potentially go", " unnoticed, because the migration reference baseline has been reset to", " fail. Skip the test to try and reset the baseline to pass.", " * d/gbp.conf: stop using wrap_cl.py", "" ], "package": "systemd", "version": "255.4-1ubuntu8.12", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2125405, 2132666, 2130554 ], "author": "Nick Rosbrook ", "date": "Tue, 25 Nov 2025 13:16:31 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "util-linux", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.3", "version": "2.39.3-9ubuntu6.3" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.4", "version": "2.39.3-9ubuntu6.4" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.39.3-9ubuntu6.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2123886 ], "author": "Joao Andre Simioni ", "date": "Mon, 15 Sep 2025 21:08:02 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "uuid-runtime", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.3", "version": "2.39.3-9ubuntu6.3" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.39.3-9ubuntu6.4", "version": "2.39.3-9ubuntu6.4" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.39.3-9ubuntu6.4", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2123886 ], "author": "Joao Andre Simioni ", "date": "Mon, 15 Sep 2025 21:08:02 -0300" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-6.8.0-94", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-90.91", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-94.96", "version": "6.8.0-94.96" }, "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-38561", "url": "https://ubuntu.com/security/CVE-2025-38561", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.", "cve_priority": "high", "cve_public_date": "2025-08-19 17:15:00 UTC" }, { "cve": "CVE-2025-39698", "url": "https://ubuntu.com/security/CVE-2025-39698", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the io_kiocb async_data field, but the request isn't marked with REQ_F_ASYNC_DATA at that point. Those two should always go together, as the flag tells io_uring whether the field is valid or not. Additionally, on failure cleanup, the futex handler frees the data but does not clear ->async_data. Clear the data and the flag in the error path as well. Thanks to Trend Micro Zero Day Initiative and particularly ReDress for reporting this.", "cve_priority": "high", "cve_public_date": "2025-09-05 18:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2138092 ], "changes": [ { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-38561", "url": "https://ubuntu.com/security/CVE-2025-38561", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.", "cve_priority": "high", "cve_public_date": "2025-08-19 17:15:00 UTC" }, { "cve": "CVE-2025-39698", "url": "https://ubuntu.com/security/CVE-2025-39698", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the io_kiocb async_data field, but the request isn't marked with REQ_F_ASYNC_DATA at that point. Those two should always go together, as the flag tells io_uring whether the field is valid or not. Additionally, on failure cleanup, the futex handler frees the data but does not clear ->async_data. Clear the data and the flag in the error path as well. Thanks to Trend Micro Zero Day Initiative and particularly ReDress for reporting this.", "cve_priority": "high", "cve_public_date": "2025-09-05 18:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-94.96 -proposed tracker (LP: #2138092)", "", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", "", " * CVE-2025-38561", " - ksmbd: fix Preauh_HashValue race condition", "", " * CVE-2025-39698", " - io_uring/futex: ensure io_futex_wait() cleans up properly on failure", "" ], "package": "linux", "version": "6.8.0-94.96", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2138092 ], "author": "Manuel Diewald ", "date": "Fri, 09 Jan 2026 17:07:51 +0100" } ], "notes": "linux-headers-6.8.0-94 version '6.8.0-94.96' (source package linux version '6.8.0-94.96') was added. linux-headers-6.8.0-94 version '6.8.0-94.96' has the same source package name, linux, as removed package linux-headers-6.8.0-90. As such we can use the source package version of the removed package, '6.8.0-90.91', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-headers-6.8.0-94-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-90.91", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-94.96", "version": "6.8.0-94.96" }, "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-38561", "url": "https://ubuntu.com/security/CVE-2025-38561", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.", "cve_priority": "high", "cve_public_date": "2025-08-19 17:15:00 UTC" }, { "cve": "CVE-2025-39698", "url": "https://ubuntu.com/security/CVE-2025-39698", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the io_kiocb async_data field, but the request isn't marked with REQ_F_ASYNC_DATA at that point. Those two should always go together, as the flag tells io_uring whether the field is valid or not. Additionally, on failure cleanup, the futex handler frees the data but does not clear ->async_data. Clear the data and the flag in the error path as well. Thanks to Trend Micro Zero Day Initiative and particularly ReDress for reporting this.", "cve_priority": "high", "cve_public_date": "2025-09-05 18:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2138092 ], "changes": [ { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-38561", "url": "https://ubuntu.com/security/CVE-2025-38561", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.", "cve_priority": "high", "cve_public_date": "2025-08-19 17:15:00 UTC" }, { "cve": "CVE-2025-39698", "url": "https://ubuntu.com/security/CVE-2025-39698", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the io_kiocb async_data field, but the request isn't marked with REQ_F_ASYNC_DATA at that point. Those two should always go together, as the flag tells io_uring whether the field is valid or not. Additionally, on failure cleanup, the futex handler frees the data but does not clear ->async_data. Clear the data and the flag in the error path as well. Thanks to Trend Micro Zero Day Initiative and particularly ReDress for reporting this.", "cve_priority": "high", "cve_public_date": "2025-09-05 18:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-94.96 -proposed tracker (LP: #2138092)", "", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", "", " * CVE-2025-38561", " - ksmbd: fix Preauh_HashValue race condition", "", " * CVE-2025-39698", " - io_uring/futex: ensure io_futex_wait() cleans up properly on failure", "" ], "package": "linux", "version": "6.8.0-94.96", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2138092 ], "author": "Manuel Diewald ", "date": "Fri, 09 Jan 2026 17:07:51 +0100" } ], "notes": "linux-headers-6.8.0-94-generic version '6.8.0-94.96' (source package linux version '6.8.0-94.96') was added. linux-headers-6.8.0-94-generic version '6.8.0-94.96' has the same source package name, linux, as removed package linux-headers-6.8.0-90. As such we can use the source package version of the removed package, '6.8.0-90.91', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-image-6.8.0-94-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "6.8.0-90.91", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "6.8.0-94.96", "version": "6.8.0-94.96" }, "cves": [], "launchpad_bugs_fixed": [ 1786013, 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.8.0-90.91", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "6.8.0-90.91", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Tue, 18 Nov 2025 12:46:03 +0100" }, { "cves": [], "log": [ "", " * Main version: 6.8.0-89.90", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "6.8.0-89.90", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Fri, 14 Nov 2025 18:08:07 +0100" } ], "notes": "linux-image-6.8.0-94-generic version '6.8.0-94.96' (source package linux-signed version '6.8.0-94.96') was added. linux-image-6.8.0-94-generic version '6.8.0-94.96' has the same source package name, linux-signed, as removed package linux-image-6.8.0-90-generic. As such we can use the source package version of the removed package, '6.8.0-90.91', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-modules-6.8.0-94-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-90.91", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-94.96", "version": "6.8.0-94.96" }, "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-38561", "url": "https://ubuntu.com/security/CVE-2025-38561", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.", "cve_priority": "high", "cve_public_date": "2025-08-19 17:15:00 UTC" }, { "cve": "CVE-2025-39698", "url": "https://ubuntu.com/security/CVE-2025-39698", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the io_kiocb async_data field, but the request isn't marked with REQ_F_ASYNC_DATA at that point. Those two should always go together, as the flag tells io_uring whether the field is valid or not. Additionally, on failure cleanup, the futex handler frees the data but does not clear ->async_data. Clear the data and the flag in the error path as well. Thanks to Trend Micro Zero Day Initiative and particularly ReDress for reporting this.", "cve_priority": "high", "cve_public_date": "2025-09-05 18:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2138092 ], "changes": [ { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-38561", "url": "https://ubuntu.com/security/CVE-2025-38561", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.", "cve_priority": "high", "cve_public_date": "2025-08-19 17:15:00 UTC" }, { "cve": "CVE-2025-39698", "url": "https://ubuntu.com/security/CVE-2025-39698", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the io_kiocb async_data field, but the request isn't marked with REQ_F_ASYNC_DATA at that point. Those two should always go together, as the flag tells io_uring whether the field is valid or not. Additionally, on failure cleanup, the futex handler frees the data but does not clear ->async_data. Clear the data and the flag in the error path as well. Thanks to Trend Micro Zero Day Initiative and particularly ReDress for reporting this.", "cve_priority": "high", "cve_public_date": "2025-09-05 18:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-94.96 -proposed tracker (LP: #2138092)", "", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", "", " * CVE-2025-38561", " - ksmbd: fix Preauh_HashValue race condition", "", " * CVE-2025-39698", " - io_uring/futex: ensure io_futex_wait() cleans up properly on failure", "" ], "package": "linux", "version": "6.8.0-94.96", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2138092 ], "author": "Manuel Diewald ", "date": "Fri, 09 Jan 2026 17:07:51 +0100" } ], "notes": "linux-modules-6.8.0-94-generic version '6.8.0-94.96' (source package linux version '6.8.0-94.96') was added. linux-modules-6.8.0-94-generic version '6.8.0-94.96' has the same source package name, linux, as removed package linux-headers-6.8.0-90. As such we can use the source package version of the removed package, '6.8.0-90.91', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-tools-6.8.0-94", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-90.91", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-94.96", "version": "6.8.0-94.96" }, "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-38561", "url": "https://ubuntu.com/security/CVE-2025-38561", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.", "cve_priority": "high", "cve_public_date": "2025-08-19 17:15:00 UTC" }, { "cve": "CVE-2025-39698", "url": "https://ubuntu.com/security/CVE-2025-39698", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the io_kiocb async_data field, but the request isn't marked with REQ_F_ASYNC_DATA at that point. Those two should always go together, as the flag tells io_uring whether the field is valid or not. Additionally, on failure cleanup, the futex handler frees the data but does not clear ->async_data. Clear the data and the flag in the error path as well. Thanks to Trend Micro Zero Day Initiative and particularly ReDress for reporting this.", "cve_priority": "high", "cve_public_date": "2025-09-05 18:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2138092 ], "changes": [ { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-38561", "url": "https://ubuntu.com/security/CVE-2025-38561", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.", "cve_priority": "high", "cve_public_date": "2025-08-19 17:15:00 UTC" }, { "cve": "CVE-2025-39698", "url": "https://ubuntu.com/security/CVE-2025-39698", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the io_kiocb async_data field, but the request isn't marked with REQ_F_ASYNC_DATA at that point. Those two should always go together, as the flag tells io_uring whether the field is valid or not. Additionally, on failure cleanup, the futex handler frees the data but does not clear ->async_data. Clear the data and the flag in the error path as well. Thanks to Trend Micro Zero Day Initiative and particularly ReDress for reporting this.", "cve_priority": "high", "cve_public_date": "2025-09-05 18:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-94.96 -proposed tracker (LP: #2138092)", "", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", "", " * CVE-2025-38561", " - ksmbd: fix Preauh_HashValue race condition", "", " * CVE-2025-39698", " - io_uring/futex: ensure io_futex_wait() cleans up properly on failure", "" ], "package": "linux", "version": "6.8.0-94.96", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2138092 ], "author": "Manuel Diewald ", "date": "Fri, 09 Jan 2026 17:07:51 +0100" } ], "notes": "linux-tools-6.8.0-94 version '6.8.0-94.96' (source package linux version '6.8.0-94.96') was added. linux-tools-6.8.0-94 version '6.8.0-94.96' has the same source package name, linux, as removed package linux-headers-6.8.0-90. As such we can use the source package version of the removed package, '6.8.0-90.91', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-tools-6.8.0-94-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-90.91", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.8.0-94.96", "version": "6.8.0-94.96" }, "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-38561", "url": "https://ubuntu.com/security/CVE-2025-38561", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.", "cve_priority": "high", "cve_public_date": "2025-08-19 17:15:00 UTC" }, { "cve": "CVE-2025-39698", "url": "https://ubuntu.com/security/CVE-2025-39698", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the io_kiocb async_data field, but the request isn't marked with REQ_F_ASYNC_DATA at that point. Those two should always go together, as the flag tells io_uring whether the field is valid or not. Additionally, on failure cleanup, the futex handler frees the data but does not clear ->async_data. Clear the data and the flag in the error path as well. Thanks to Trend Micro Zero Day Initiative and particularly ReDress for reporting this.", "cve_priority": "high", "cve_public_date": "2025-09-05 18:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2138092 ], "changes": [ { "cves": [ { "cve": "CVE-2025-40019", "url": "https://ubuntu.com/security/CVE-2025-40019", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: essiv - Check ssize for decryption and in-place encryption Move the ssize check to the start in essiv_aead_crypt so that it's also checked for decryption and in-place encryption.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-38561", "url": "https://ubuntu.com/security/CVE-2025-38561", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase.", "cve_priority": "high", "cve_public_date": "2025-08-19 17:15:00 UTC" }, { "cve": "CVE-2025-39698", "url": "https://ubuntu.com/security/CVE-2025-39698", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: io_uring/futex: ensure io_futex_wait() cleans up properly on failure The io_futex_data is allocated upfront and assigned to the io_kiocb async_data field, but the request isn't marked with REQ_F_ASYNC_DATA at that point. Those two should always go together, as the flag tells io_uring whether the field is valid or not. Additionally, on failure cleanup, the futex handler frees the data but does not clear ->async_data. Clear the data and the flag in the error path as well. Thanks to Trend Micro Zero Day Initiative and particularly ReDress for reporting this.", "cve_priority": "high", "cve_public_date": "2025-09-05 18:15:00 UTC" } ], "log": [ "", " * noble/linux: 6.8.0-94.96 -proposed tracker (LP: #2138092)", "", " * CVE-2025-40019", " - crypto: essiv - Check ssize for decryption and in-place encryption", "", " * CVE-2025-38561", " - ksmbd: fix Preauh_HashValue race condition", "", " * CVE-2025-39698", " - io_uring/futex: ensure io_futex_wait() cleans up properly on failure", "" ], "package": "linux", "version": "6.8.0-94.96", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [ 2138092 ], "author": "Manuel Diewald ", "date": "Fri, 09 Jan 2026 17:07:51 +0100" } ], "notes": "linux-tools-6.8.0-94-generic version '6.8.0-94.96' (source package linux version '6.8.0-94.96') was added. linux-tools-6.8.0-94-generic version '6.8.0-94.96' has the same source package name, linux, as removed package linux-headers-6.8.0-90. As such we can use the source package version of the removed package, '6.8.0-90.91', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-6.8.0-90", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-90.91", "version": "6.8.0-90.91" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-headers-6.8.0-90-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-90.91", "version": "6.8.0-90.91" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-6.8.0-90-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "6.8.0-90.91", "version": "6.8.0-90.91" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-modules-6.8.0-90-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-90.91", "version": "6.8.0-90.91" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-tools-6.8.0-90", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-90.91", "version": "6.8.0-90.91" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-tools-6.8.0-90-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.8.0-90.91", "version": "6.8.0-90.91" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 24.04 noble image from release image serial 20251213 to 20260131", "from_series": "noble", "to_series": "noble", "from_serial": "20251213", "to_serial": "20260131", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }