{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "gcc-16-base:s390x", "sudo-common" ], "removed": [], "diff": [ "apparmor", "bind9-dnsutils", "bind9-host", "bind9-libs:s390x", "bsdextrautils", "bsdutils", "chrony", "cloud-initramfs-copymods", "cloud-initramfs-dyn-netconf", "dirmngr", "dracut-install", "eject", "fdisk", "ftp", "gir1.2-girepository-3.0:s390x", "gir1.2-glib-2.0:s390x", "gnupg", "gnupg-l10n", "gnupg-utils", "gpg", "gpg-agent", "gpg-wks-client", "gpgconf", "gpgsm", "gpgv", "iproute2", "iptables", "kmod", "libapparmor1:s390x", "libatomic1:s390x", "libblkid1:s390x", "libbrotli1:s390x", "libc-bin", "libc-gconv-modules-extra:s390x", "libc6:s390x", "libfdisk1:s390x", "libfido2-1:s390x", "libfyaml0:s390x", "libgcc-s1:s390x", "libgirepository-2.0-0:s390x", "libglib2.0-0t64:s390x", "libglib2.0-bin", "libglib2.0-data", "libgmp10:s390x", "libintl-perl", "libintl-xs-perl", "libip4tc2:s390x", "libip6tc2:s390x", "libjson-c5:s390x", "libkmod2:s390x", "liblastlog2-2:s390x", "libmount1:s390x", "libnghttp2-14:s390x", "libnl-3-200:s390x", "libnl-genl-3-200:s390x", "libnl-route-3-200:s390x", "libnuma1:s390x", "libopeniscsiusr", "libpam-modules:s390x", "libpam-modules-bin", "libpam-runtime", "libpam0g:s390x", "libpcre2-8-0:s390x", "libpng16-16t64:s390x", "libpolkit-agent-1-0:s390x", "libpolkit-gobject-1-0:s390x", "libpython3.13-minimal:s390x", "libpython3.13-stdlib:s390x", "libsmartcols1:s390x", "libstdc++6:s390x", "libuuid1:s390x", "libx11-6:s390x", "libx11-data", "libxtables12:s390x", "libyaml-0-2:s390x", "linux-base", "linux-sysctl-defaults", "locales", "login", "login.defs", "manpages", "mdadm", "mount", "nano", "numactl", "open-iscsi", "overlayroot", "passwd", "pci.ids", "polkitd", "psmisc", "python3-distupgrade", "python3-json-pointer", "python3-jsonpatch", "python3-update-manager", "python3.13", "python3.13-gdbm", "python3.13-minimal", "rsyslog", "rust-coreutils", "screen", "sudo", "sudo-rs", "tnftp", "ubuntu-kernel-accessories", "ubuntu-minimal", "ubuntu-release-upgrader-core", "ubuntu-server", "ubuntu-standard", "update-manager-core", "update-notifier-common", "util-linux", "util-linux-extra", "uuid-runtime", "wget", "zlib1g:s390x" ] } }, "diff": { "deb": [ { "name": "apparmor", "from_version": { "source_package_name": "apparmor", "source_package_version": "5.0.0~alpha1-0ubuntu9", "version": "5.0.0~alpha1-0ubuntu9" }, "to_version": { "source_package_name": "apparmor", "source_package_version": "5.0.0~alpha1-0ubuntu11", "version": "5.0.0~alpha1-0ubuntu11" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Add patch to fix utils flake8 FTBFS:", " - d/p/u/utils-remove-global-_-from-aa-notify-main.patch", " * Add patches to fix python3-libapparmor FTBFS:", " - d/p/u/0001-libapparmor-change-setup.py-to-remove-the-need-for-_.patch", " - d/p/u/0002-libapparmor-remove-__init__.py-not-needed-for-SWIG-P.patch", " * Add patch to fix utils testing with non-default Python:", " - d/p/u/utils-test-use-sys.executable-when-launching-aa-show.patch", " * debian/python3-libapparmor.install: include new location of Python", " _LibAppArmor*.so libraries", " * debian/rules:", " - revert hardcoding of python3.13 as workaround of", " python3.14-tk breakage", " - remove __pycache__ directory generated by python3-libapparmor build", "" ], "package": "apparmor", "version": "5.0.0~alpha1-0ubuntu11", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Ryan Lee ", "date": "Mon, 26 Jan 2026 11:08:37 -0800" }, { "cves": [], "log": [ "", " * Another no-change rebuild with Python 3.14 for amd64v3", "" ], "package": "apparmor", "version": "5.0.0~alpha1-0ubuntu10", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Graham Inggs ", "date": "Sun, 18 Jan 2026 18:35:09 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "bind9-dnsutils", "from_version": { "source_package_name": "bind9", "source_package_version": "1:9.20.11-1ubuntu3", "version": "1:9.20.11-1ubuntu3" }, "to_version": { "source_package_name": "bind9", "source_package_version": "1:9.20.18-1ubuntu1", "version": "1:9.20.18-1ubuntu1" }, "cves": [ { "cve": "CVE-2025-8677", "url": "https://ubuntu.com/security/CVE-2025-8677", "cve_description": "Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40778", "url": "https://ubuntu.com/security/CVE-2025-40778", "cve_description": "Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40780", "url": "https://ubuntu.com/security/CVE-2025-40780", "cve_description": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-13878", "url": "https://ubuntu.com/security/CVE-2025-13878", "cve_description": "Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.", "cve_priority": "medium", "cve_public_date": "2026-01-21 15:16:00 UTC" }, { "cve": "CVE-2025-8677", "url": "https://ubuntu.com/security/CVE-2025-8677", "cve_description": "Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40778", "url": "https://ubuntu.com/security/CVE-2025-40778", "cve_description": "Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40780", "url": "https://ubuntu.com/security/CVE-2025-40780", "cve_description": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2125995, 2119320 ], "changes": [ { "cves": [ { "cve": "CVE-2025-8677", "url": "https://ubuntu.com/security/CVE-2025-8677", "cve_description": "Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40778", "url": "https://ubuntu.com/security/CVE-2025-40778", "cve_description": "Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40780", "url": "https://ubuntu.com/security/CVE-2025-40780", "cve_description": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" } ], "log": [ "", " * Merge with Debian unstable (LP: #2125995). Remaining changes:", " - Don't build dnstap as it depends on universe packages:", " + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and", " protobuf-c-compiler", " + d/dnsutils.install: don't install dnstap", " + d/rules: don't build dnstap nor install dnstap.proto", " - Add back apport:", " + d/bind9.apport: add back old bind9 apport hook, but without calling", " attach_conffiles() since that is already done by apport itself, with", " confirmation from the user.", " + d/control, d/rules: build-depends on dh-apport and use it", " - d/NEWS: mention relevant packaging changes", " * Drop Changes:", " - d/p/CVE-2025-8677.patch", " - d/p/CVE-2025-40778.patch", " - d/p/CVE-2025-40780.patch", " [Fixed in 9.20.15]", " * Added:", " - d/e/apparmor.d/usr.sbin.named: Allow read access to", " /proc/version_signature for named (LP: #2119320).", "" ], "package": "bind9", "version": "1:9.20.18-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2125995, 2119320 ], "author": "Lena Voytek ", "date": "Fri, 06 Feb 2026 16:05:33 -0500" }, { "cves": [ { "cve": "CVE-2025-13878", "url": "https://ubuntu.com/security/CVE-2025-13878", "cve_description": "Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.", "cve_priority": "medium", "cve_public_date": "2026-01-21 15:16:00 UTC" } ], "log": [ "", " * New upstream version 9.20.18", " + [CVE-2025-13878]: Fix incorrect length checks for BRID and HHIT", " records.", "" ], "package": "bind9", "version": "1:9.20.18-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 21 Jan 2026 16:47:34 +0100" }, { "cves": [], "log": [ "", " * New upstream version 9.20.17", "" ], "package": "bind9", "version": "1:9.20.17-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 17 Dec 2025 16:32:20 +0100" }, { "cves": [], "log": [ "", " * New upstream version 9.20.16", "" ], "package": "bind9", "version": "1:9.20.16-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 19 Nov 2025 18:06:11 +0100" }, { "cves": [], "log": [ "", " * Remove libdb-dev build depends (Closes: #1119196)", "" ], "package": "bind9", "version": "1:9.20.15-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Tue, 28 Oct 2025 07:28:58 +0100" }, { "cves": [ { "cve": "CVE-2025-8677", "url": "https://ubuntu.com/security/CVE-2025-8677", "cve_description": "Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40778", "url": "https://ubuntu.com/security/CVE-2025-40778", "cve_description": "Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40780", "url": "https://ubuntu.com/security/CVE-2025-40780", "cve_description": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" } ], "log": [ "", " * New upstream version 9.20.15", " - [CVE-2025-8677]: DNSSEC validation fails if matching but invalid", " DNSKEY is found", " - [CVE-2025-40778]: Address various spoofing attacks.", " - [CVE-2025-40780]: Cache-poisoning due to weak pseudo-random number", " generator", "" ], "package": "bind9", "version": "1:9.20.15-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 22 Oct 2025 16:40:20 +0200" }, { "cves": [], "log": [ "", " * New upstream version 9.20.13", "" ], "package": "bind9", "version": "1:9.20.13-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 10 Sep 2025 20:31:08 +0200" }, { "cves": [], "log": [ "", " * New upstream version 9.20.12", "" ], "package": "bind9", "version": "1:9.20.12-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 20 Aug 2025 17:22:43 +0200" }, { "cves": [], "log": [ "", " * Remove named.conf.default-zones.dpkg-dist from /etc/bind", "" ], "package": "bind9", "version": "1:9.20.11-4", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Sun, 27 Jul 2025 12:04:56 +0200" }, { "cves": [], "log": [ "", " * Remove the /etc/bind/named.conf.default-zones again from the", " maintainer script as it might have been reinstalled by", " accident. (Closes: #1108945)", "" ], "package": "bind9", "version": "1:9.20.11-3", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Sun, 27 Jul 2025 07:54:24 +0200" }, { "cves": [], "log": [ "", " * Remove /etc/bind/named.conf.default-zones from the package as", " the intent was to remove this file. (Closes: #1108945)", " * Add new /etc/bind/named.conf.root-hints file that makes 'named'", " to use root.hints from dns-root-data again.", "" ], "package": "bind9", "version": "1:9.20.11-2", "urgency": "high", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Sun, 27 Jul 2025 06:48:59 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "bind9-host", "from_version": { "source_package_name": "bind9", "source_package_version": "1:9.20.11-1ubuntu3", "version": "1:9.20.11-1ubuntu3" }, "to_version": { "source_package_name": "bind9", "source_package_version": "1:9.20.18-1ubuntu1", "version": "1:9.20.18-1ubuntu1" }, "cves": [ { "cve": "CVE-2025-8677", "url": "https://ubuntu.com/security/CVE-2025-8677", "cve_description": "Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40778", "url": "https://ubuntu.com/security/CVE-2025-40778", "cve_description": "Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40780", "url": "https://ubuntu.com/security/CVE-2025-40780", "cve_description": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-13878", "url": "https://ubuntu.com/security/CVE-2025-13878", "cve_description": "Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.", "cve_priority": "medium", "cve_public_date": "2026-01-21 15:16:00 UTC" }, { "cve": "CVE-2025-8677", "url": "https://ubuntu.com/security/CVE-2025-8677", "cve_description": "Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40778", "url": "https://ubuntu.com/security/CVE-2025-40778", "cve_description": "Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40780", "url": "https://ubuntu.com/security/CVE-2025-40780", "cve_description": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2125995, 2119320 ], "changes": [ { "cves": [ { "cve": "CVE-2025-8677", "url": "https://ubuntu.com/security/CVE-2025-8677", "cve_description": "Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40778", "url": "https://ubuntu.com/security/CVE-2025-40778", "cve_description": "Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40780", "url": "https://ubuntu.com/security/CVE-2025-40780", "cve_description": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" } ], "log": [ "", " * Merge with Debian unstable (LP: #2125995). Remaining changes:", " - Don't build dnstap as it depends on universe packages:", " + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and", " protobuf-c-compiler", " + d/dnsutils.install: don't install dnstap", " + d/rules: don't build dnstap nor install dnstap.proto", " - Add back apport:", " + d/bind9.apport: add back old bind9 apport hook, but without calling", " attach_conffiles() since that is already done by apport itself, with", " confirmation from the user.", " + d/control, d/rules: build-depends on dh-apport and use it", " - d/NEWS: mention relevant packaging changes", " * Drop Changes:", " - d/p/CVE-2025-8677.patch", " - d/p/CVE-2025-40778.patch", " - d/p/CVE-2025-40780.patch", " [Fixed in 9.20.15]", " * Added:", " - d/e/apparmor.d/usr.sbin.named: Allow read access to", " /proc/version_signature for named (LP: #2119320).", "" ], "package": "bind9", "version": "1:9.20.18-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2125995, 2119320 ], "author": "Lena Voytek ", "date": "Fri, 06 Feb 2026 16:05:33 -0500" }, { "cves": [ { "cve": "CVE-2025-13878", "url": "https://ubuntu.com/security/CVE-2025-13878", "cve_description": "Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.", "cve_priority": "medium", "cve_public_date": "2026-01-21 15:16:00 UTC" } ], "log": [ "", " * New upstream version 9.20.18", " + [CVE-2025-13878]: Fix incorrect length checks for BRID and HHIT", " records.", "" ], "package": "bind9", "version": "1:9.20.18-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 21 Jan 2026 16:47:34 +0100" }, { "cves": [], "log": [ "", " * New upstream version 9.20.17", "" ], "package": "bind9", "version": "1:9.20.17-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 17 Dec 2025 16:32:20 +0100" }, { "cves": [], "log": [ "", " * New upstream version 9.20.16", "" ], "package": "bind9", "version": "1:9.20.16-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 19 Nov 2025 18:06:11 +0100" }, { "cves": [], "log": [ "", " * Remove libdb-dev build depends (Closes: #1119196)", "" ], "package": "bind9", "version": "1:9.20.15-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Tue, 28 Oct 2025 07:28:58 +0100" }, { "cves": [ { "cve": "CVE-2025-8677", "url": "https://ubuntu.com/security/CVE-2025-8677", "cve_description": "Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40778", "url": "https://ubuntu.com/security/CVE-2025-40778", "cve_description": "Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40780", "url": "https://ubuntu.com/security/CVE-2025-40780", "cve_description": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" } ], "log": [ "", " * New upstream version 9.20.15", " - [CVE-2025-8677]: DNSSEC validation fails if matching but invalid", " DNSKEY is found", " - [CVE-2025-40778]: Address various spoofing attacks.", " - [CVE-2025-40780]: Cache-poisoning due to weak pseudo-random number", " generator", "" ], "package": "bind9", "version": "1:9.20.15-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 22 Oct 2025 16:40:20 +0200" }, { "cves": [], "log": [ "", " * New upstream version 9.20.13", "" ], "package": "bind9", "version": "1:9.20.13-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 10 Sep 2025 20:31:08 +0200" }, { "cves": [], "log": [ "", " * New upstream version 9.20.12", "" ], "package": "bind9", "version": "1:9.20.12-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 20 Aug 2025 17:22:43 +0200" }, { "cves": [], "log": [ "", " * Remove named.conf.default-zones.dpkg-dist from /etc/bind", "" ], "package": "bind9", "version": "1:9.20.11-4", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Sun, 27 Jul 2025 12:04:56 +0200" }, { "cves": [], "log": [ "", " * Remove the /etc/bind/named.conf.default-zones again from the", " maintainer script as it might have been reinstalled by", " accident. (Closes: #1108945)", "" ], "package": "bind9", "version": "1:9.20.11-3", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Sun, 27 Jul 2025 07:54:24 +0200" }, { "cves": [], "log": [ "", " * Remove /etc/bind/named.conf.default-zones from the package as", " the intent was to remove this file. (Closes: #1108945)", " * Add new /etc/bind/named.conf.root-hints file that makes 'named'", " to use root.hints from dns-root-data again.", "" ], "package": "bind9", "version": "1:9.20.11-2", "urgency": "high", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Sun, 27 Jul 2025 06:48:59 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "bind9-libs:s390x", "from_version": { "source_package_name": "bind9", "source_package_version": "1:9.20.11-1ubuntu3", "version": "1:9.20.11-1ubuntu3" }, "to_version": { "source_package_name": "bind9", "source_package_version": "1:9.20.18-1ubuntu1", "version": "1:9.20.18-1ubuntu1" }, "cves": [ { "cve": "CVE-2025-8677", "url": "https://ubuntu.com/security/CVE-2025-8677", "cve_description": "Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40778", "url": "https://ubuntu.com/security/CVE-2025-40778", "cve_description": "Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40780", "url": "https://ubuntu.com/security/CVE-2025-40780", "cve_description": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-13878", "url": "https://ubuntu.com/security/CVE-2025-13878", "cve_description": "Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.", "cve_priority": "medium", "cve_public_date": "2026-01-21 15:16:00 UTC" }, { "cve": "CVE-2025-8677", "url": "https://ubuntu.com/security/CVE-2025-8677", "cve_description": "Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40778", "url": "https://ubuntu.com/security/CVE-2025-40778", "cve_description": "Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40780", "url": "https://ubuntu.com/security/CVE-2025-40780", "cve_description": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2125995, 2119320 ], "changes": [ { "cves": [ { "cve": "CVE-2025-8677", "url": "https://ubuntu.com/security/CVE-2025-8677", "cve_description": "Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40778", "url": "https://ubuntu.com/security/CVE-2025-40778", "cve_description": "Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40780", "url": "https://ubuntu.com/security/CVE-2025-40780", "cve_description": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" } ], "log": [ "", " * Merge with Debian unstable (LP: #2125995). Remaining changes:", " - Don't build dnstap as it depends on universe packages:", " + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and", " protobuf-c-compiler", " + d/dnsutils.install: don't install dnstap", " + d/rules: don't build dnstap nor install dnstap.proto", " - Add back apport:", " + d/bind9.apport: add back old bind9 apport hook, but without calling", " attach_conffiles() since that is already done by apport itself, with", " confirmation from the user.", " + d/control, d/rules: build-depends on dh-apport and use it", " - d/NEWS: mention relevant packaging changes", " * Drop Changes:", " - d/p/CVE-2025-8677.patch", " - d/p/CVE-2025-40778.patch", " - d/p/CVE-2025-40780.patch", " [Fixed in 9.20.15]", " * Added:", " - d/e/apparmor.d/usr.sbin.named: Allow read access to", " /proc/version_signature for named (LP: #2119320).", "" ], "package": "bind9", "version": "1:9.20.18-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2125995, 2119320 ], "author": "Lena Voytek ", "date": "Fri, 06 Feb 2026 16:05:33 -0500" }, { "cves": [ { "cve": "CVE-2025-13878", "url": "https://ubuntu.com/security/CVE-2025-13878", "cve_description": "Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.", "cve_priority": "medium", "cve_public_date": "2026-01-21 15:16:00 UTC" } ], "log": [ "", " * New upstream version 9.20.18", " + [CVE-2025-13878]: Fix incorrect length checks for BRID and HHIT", " records.", "" ], "package": "bind9", "version": "1:9.20.18-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 21 Jan 2026 16:47:34 +0100" }, { "cves": [], "log": [ "", " * New upstream version 9.20.17", "" ], "package": "bind9", "version": "1:9.20.17-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 17 Dec 2025 16:32:20 +0100" }, { "cves": [], "log": [ "", " * New upstream version 9.20.16", "" ], "package": "bind9", "version": "1:9.20.16-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 19 Nov 2025 18:06:11 +0100" }, { "cves": [], "log": [ "", " * Remove libdb-dev build depends (Closes: #1119196)", "" ], "package": "bind9", "version": "1:9.20.15-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Tue, 28 Oct 2025 07:28:58 +0100" }, { "cves": [ { "cve": "CVE-2025-8677", "url": "https://ubuntu.com/security/CVE-2025-8677", "cve_description": "Querying for records within a specially crafted zone containing certain malformed DNSKEY records can lead to CPU exhaustion. This issue affects BIND 9 versions 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40778", "url": "https://ubuntu.com/security/CVE-2025-40778", "cve_description": "Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject forged data into the cache. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" }, { "cve": "CVE-2025-40780", "url": "https://ubuntu.com/security/CVE-2025-40780", "cve_description": "In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, 9.20.0 through 9.20.13, 9.21.0 through 9.21.12, 9.16.8-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.39-S1, and 9.20.9-S1 through 9.20.13-S1.", "cve_priority": "medium", "cve_public_date": "2025-10-22 16:15:00 UTC" } ], "log": [ "", " * New upstream version 9.20.15", " - [CVE-2025-8677]: DNSSEC validation fails if matching but invalid", " DNSKEY is found", " - [CVE-2025-40778]: Address various spoofing attacks.", " - [CVE-2025-40780]: Cache-poisoning due to weak pseudo-random number", " generator", "" ], "package": "bind9", "version": "1:9.20.15-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 22 Oct 2025 16:40:20 +0200" }, { "cves": [], "log": [ "", " * New upstream version 9.20.13", "" ], "package": "bind9", "version": "1:9.20.13-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 10 Sep 2025 20:31:08 +0200" }, { "cves": [], "log": [ "", " * New upstream version 9.20.12", "" ], "package": "bind9", "version": "1:9.20.12-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Wed, 20 Aug 2025 17:22:43 +0200" }, { "cves": [], "log": [ "", " * Remove named.conf.default-zones.dpkg-dist from /etc/bind", "" ], "package": "bind9", "version": "1:9.20.11-4", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Sun, 27 Jul 2025 12:04:56 +0200" }, { "cves": [], "log": [ "", " * Remove the /etc/bind/named.conf.default-zones again from the", " maintainer script as it might have been reinstalled by", " accident. (Closes: #1108945)", "" ], "package": "bind9", "version": "1:9.20.11-3", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Sun, 27 Jul 2025 07:54:24 +0200" }, { "cves": [], "log": [ "", " * Remove /etc/bind/named.conf.default-zones from the package as", " the intent was to remove this file. (Closes: #1108945)", " * Add new /etc/bind/named.conf.root-hints file that makes 'named'", " to use root.hints from dns-root-data again.", "" ], "package": "bind9", "version": "1:9.20.11-2", "urgency": "high", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ondřej Surý ", "date": "Sun, 27 Jul 2025 06:48:59 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "bsdextrautils", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu2", "version": "2.41.2-4ubuntu2" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu3", "version": "2.41.2-4ubuntu3" }, "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overread with 256-byte usernames", " - debian/patches/CVE-2025-14104-1.patch: add length check in", " login-utils/setpwnam.c.", " - debian/patches/CVE-2025-14104-2.patch: update buflen in", " login-utils/setpwnam.c.", " - CVE-2025-14104", "" ], "package": "util-linux", "version": "2.41.2-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 09 Jan 2026 10:49:15 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "bsdutils", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu2", "version": "1:2.41.2-4ubuntu2" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu3", "version": "1:2.41.2-4ubuntu3" }, "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overread with 256-byte usernames", " - debian/patches/CVE-2025-14104-1.patch: add length check in", " login-utils/setpwnam.c.", " - debian/patches/CVE-2025-14104-2.patch: update buflen in", " login-utils/setpwnam.c.", " - CVE-2025-14104", "" ], "package": "util-linux", "version": "2.41.2-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 09 Jan 2026 10:49:15 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "chrony", "from_version": { "source_package_name": "chrony", "source_package_version": "4.7-1ubuntu3", "version": "4.7-1ubuntu3" }, "to_version": { "source_package_name": "chrony", "source_package_version": "4.8-2ubuntu1", "version": "4.8-2ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [ 2126001, 2122337, 2122337 ], "changes": [ { "cves": [], "log": [ "", " * Merge with Debian unstable (LP: #2126001, LP: #2122337)). Remaining changes:", " - Set -x as default if unable to set time (e.g. in containers) (LP #1589780)", " Chrony is a single service which acts as both NTP client (i.e. syncing the", " local clock) and NTP server (i.e. providing NTP services to the network),", " and that is both desired and expected in the vast majority of cases.", " But in containers syncing the local clock is usually impossible, but this", " shall not break the providing of NTP services to the network.", " To some extent this makes chrony's default config more similar to 'ntpd',", " which complained in syslog but still provided NTP server service in those", " cases.", " + debian/chrony.service: allow the service to run without CAP_SYS_TIME", " + d/control: add new dependency libcap2-bin for capsh (usually", " installed anyway, but make them explicit to be sure).", " + d/chrony.default: new option SYNC_IN_CONTAINER to not fall", " back (Default off)", " + d/chronyd-starter.sh: wrapper to handle special cases in", " containers and if CAP_SYS_TIME is missing. Effectively allows", " running the NTP server in containers on a default installation", " and avoid failing to sync time (or if allowed to sync, avoid", " multiple containers fighting over it by accident).", " + d/install: Make chrony-starter.sh available on install.", " + d/docs, d/README.container: Provide documentation about the", " handling of this case.", " - d/rules, d/chrony.examples: Ship restricted service as an example", " not installed to the system for use. (See LP #2051028)", " - d/chrony.conf: remove Debian NTP pool and Document non-NTS sources from", " DHCP (LP #2115565)", " - Install Ubuntu NTP sources in", " /etc/chrony/sources.d/ubuntu-ntp-pools.sources, gated on a low priority", " (default yes) debconf question (LP #2048876):", " + d/templates: Add debconf question to customize installation of", " /etc/chrony/sources.d/ubuntu-ntp-pools.sources", " + d/install, d/ubuntu-ntp-pools.sources: Install ubuntu-ntp-pools.sources", " in /usr/share/chrony", " + d/control: add dependency on debconf", " + d/postinst: handle Ubuntu pools via debconf and ucf", " + d/postrm: handle Ubuntu pools via debconf and ucf", " + d/NEWS: Add information about default time sources moving out from", " chrony.conf to /etc/chrony/sources.d/ubuntu-ntp-pools.sources.", " + d/chrony.config: debconf script to handle Ubuntu pools", " + d/t/control, d/t/default-ubuntu-sources-behavior: new test to check the", " debconf behavior", " - Use Ubuntu NTS servers by default (LP #2084585):", " + d/conf.d/ubuntu-nts.conf: refer to the CA used to sign the NTS bootstrap", " server", " + d/nts-bootstrap-{,staging}-ubuntu.crt: CA certificate for the NTS", " bootstrap servers", " + d/install: install the NTS bootstrap CAs", " + d/ubuntu-ntp-pools.sources: use NTS by default", " + d/t/default-ubuntu-sources-behavior: update tests for NTS support", " + d/NEWS: add news entry about the NTS change", " - d/chrony.service: Allow real chronyd to send READY=1 via sd_notify in", " place of the chronyd-starter.sh wrapper.", " - d/control: Recommends: networkd-dispatcher (LP #2132159)", " - configure: switch sed separator from % to # to cope with dpkg", " * Dropped:", " - d/usr.sbin.chronyd: Grant access to NOTIFY_SOCKET in AppArmor profile.", " [In 4.7-2]", " * Added:", " - d/t/helper-functions: show some logs in case of failure", " - d/t/default-ubuntu-sources-behavior: use common __cleanup", " - d/usr.sbin.chronyd: adjust apparmor rule so that chronyd is also allowed", " to access subdirectories of /run/chrony", " - d/t/upstream-simulation-test-suite: revert update of clknetsim done in", " 4.8-1 which redefines __open64_2 and breaks armhf build", "" ], "package": "chrony", "version": "4.8-2ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2126001, 2122337 ], "author": "Andreas Hasenack ", "date": "Fri, 13 Feb 2026 15:50:10 -0300" }, { "cves": [], "log": [ "", " * debian/rules:", " - Specify default chronyc user. This is the user to which chronyc will", " switch when it is started under root.", "", " * debian/chrony.service:", " - Allow chronyd to run inside the Windows Subsystem for Linux.", " (LP: #2122337)", "", " * debian/watch:", " - Version: field should live in its own paragraph.", "" ], "package": "chrony", "version": "4.8-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [ 2122337 ], "author": "Vincent Blut ", "date": "Tue, 14 Oct 2025 19:34:50 +0200" }, { "cves": [], "log": [ "", " * Import upstream version 4.8:", " - Please see /usr/share/doc/chrony/NEWS.gz for the release notes.", "", " * Merge branch 'debian/unstable' into debian/latest.", "", " * Upload to unstable.", "", " * debian/chrony.sysusers:", " - Install a sysusers.d file to create the _chrony system user/group.", "", " * debian/control:", " - Build-depend on dh-sequence-installsysusers.", " - Drop unused adduser dependency.", "", " * debian/postinst:", " - Drop adduser invocation. The _chrony system user/group is now created", " using a sysusers.d fragment.", " - Allocate the _chrony system user/group before running dpkg-statoverride", " commands.", "", " * debian/postrm:", " - Don't delete the _chrony system user/group during purge.", " Deleting it is risky because sensitive files belonging to this uid might", " remain on the filesystem and could be recovered by another system user", " reusing the same uid.", "", " * debian/tests/upstream-simulation-test-suite:", " - Update clknetsim version.", " - Get clknetsim from Gitlab.", "", " * debian/watch:", " - Update to version 5.", "" ], "package": "chrony", "version": "4.8-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Vincent Blut ", "date": "Wed, 27 Aug 2025 15:22:42 +0200" }, { "cves": [], "log": [ "", " * Import upstream version 4.8-pre1:", " - Please see /usr/share/doc/chrony/NEWS.gz for the release notes.", "", " * debian/control:", " - Drop 'Priority: optional'. dpkg sets it by default if omitted.", " - Drop 'Rules-Requires-Root: no'. dpkg sets it by default if omitted.", "", " * debian/copyright:", " - Add a few entries and update copyright year.", "", " * debian/test/upstream-simulation-test-suite:", " - Update clknetsim version.", "" ], "package": "chrony", "version": "4.8~pre1-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Vincent Blut ", "date": "Thu, 14 Aug 2025 17:46:23 +0200" }, { "cves": [], "log": [ "", " * debian/patches/:", " - Add skip-flaky-007-cmdmon-system-test.patch. Upstream system test", " 007-cmdmon fails intermittently. Skip it! (Closes: #1111222)", "" ], "package": "chrony", "version": "4.7-3", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Vincent Blut ", "date": "Sat, 16 Aug 2025 13:34:52 +0200" }, { "cves": [], "log": [ "", " [ Vincent Blut ]", " * Upload to unstable.", "", " * debian/control:", " - Suggest gpsd.", "", " [ Lukas Märdian ]", " * debian/usr.sbin.chronyd:", " - Grant access to sd_notify's $NOTIFY_SOCKET.", "" ], "package": "chrony", "version": "4.7-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Vincent Blut ", "date": "Sun, 10 Aug 2025 15:12:28 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "cloud-initramfs-copymods", "from_version": { "source_package_name": "cloud-initramfs-tools", "source_package_version": "0.50", "version": "0.50" }, "to_version": { "source_package_name": "cloud-initramfs-tools", "source_package_version": "0.51", "version": "0.51" }, "cves": [], "launchpad_bugs_fixed": [ 2125790, 2125790 ], "changes": [ { "cves": [], "log": [ "", " * Add autopkgtest to test copymods with dracut", " * overlayroot: support dracut overlayfs as alternative (LP: #2125790)", " * rooturl: support dracut livenet as alternative (LP: #2125790)", "" ], "package": "cloud-initramfs-tools", "version": "0.51", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2125790, 2125790 ], "author": "Benjamin Drung ", "date": "Tue, 10 Feb 2026 16:23:59 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "cloud-initramfs-dyn-netconf", "from_version": { "source_package_name": "cloud-initramfs-tools", "source_package_version": "0.50", "version": "0.50" }, "to_version": { "source_package_name": "cloud-initramfs-tools", "source_package_version": "0.51", "version": "0.51" }, "cves": [], "launchpad_bugs_fixed": [ 2125790, 2125790 ], "changes": [ { "cves": [], "log": [ "", " * Add autopkgtest to test copymods with dracut", " * overlayroot: support dracut overlayfs as alternative (LP: #2125790)", " * rooturl: support dracut livenet as alternative (LP: #2125790)", "" ], "package": "cloud-initramfs-tools", "version": "0.51", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2125790, 2125790 ], "author": "Benjamin Drung ", "date": "Tue, 10 Feb 2026 16:23:59 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "dirmngr", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu2", "version": "2.4.8-4ubuntu2" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu3", "version": "2.4.8-4ubuntu3" }, "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: stack-based buffer overflow in tpm2daemon", " - debian/patches/CVE-2026-24882.patch: fix possible buffer overflow in", " PKDECRYPT in tpm2d/tpm2.c.", " - CVE-2026-24882", "" ], "package": "gnupg2", "version": "2.4.8-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 29 Jan 2026 08:57:30 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "dracut-install", "from_version": { "source_package_name": "dracut", "source_package_version": "109-11ubuntu1", "version": "109-11ubuntu1" }, "to_version": { "source_package_name": "dracut", "source_package_version": "110-1ubuntu2", "version": "110-1ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2133402 ], "changes": [ { "cves": [], "log": [ "", " * Drop test-skip-failing-MD-RAID-tests-cases-in-test-70-and-71.patch", " * Apply patches to fix failing autopkgtest 14-hooks:", " - fix(kernel-modules-export): use return instead of exit in pre-pivot hook", " - fix(memdisk): use return instead of exit in cmdline hook", " - fix(ppcmac): use return instead of exit in pre-udev hook", " - fix(syslog): use return instead of exit in initqueue/online hook", "" ], "package": "dracut", "version": "110-1ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Benjamin Drung ", "date": "Wed, 11 Feb 2026 17:43:47 +0100" }, { "cves": [], "log": [ "", " * Merge with Debian unstable. Remaining changes:", " - autopkgtest: skip too slow 41-full-systemd on arm64 and armhf", " (see LP 2133401)", " - dracut-core: Declare breaking rust-coreutils before version 0.5.0", " * autopkgtest: run 43-kernel-install on arm64 again (LP: #2133402)", " * dracut-test: add run-qemu and test-functions", " * autopkgtest: depend on libarchive13t64 (fixed in systemd 259.1-1)", "" ], "package": "dracut", "version": "110-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2133402 ], "author": "Benjamin Drung ", "date": "Mon, 09 Feb 2026 13:20:58 +0100" }, { "cves": [], "log": [ "", " * New upstream release.", " * Drop all patches applied upstream", " * dracut-core:", " - remove dropped uki-virt and no-xattr Dracut config", " - remove merged dracut-init.sh and dracut-version.sh", " - rename systemd-pcrphase to systemd-pcrextend", " - order systemd-cryptsetup after crypt Dracut module", " - add new memdisk Dracut module", " * dracut-network:", " - add new systemd-import Dracut module and suggest systemd-container for it", " - Drop network-legacy dracut module (and isc-dhcp-client support)", " * autopkgtest: add new upstream tests 14-hooks, 21-overlayfs, 31-livenet,", " and 45-systemd-import", " * autopkgtest: do not require make for running upstream tests", " * test: skip failing MD RAID tests cases in test 70 and 71 (mdadm 4.5 bug)", "" ], "package": "dracut", "version": "110-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Benjamin Drung ", "date": "Mon, 09 Feb 2026 02:05:10 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "eject", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu2", "version": "2.41.2-4ubuntu2" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu3", "version": "2.41.2-4ubuntu3" }, "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overread with 256-byte usernames", " - debian/patches/CVE-2025-14104-1.patch: add length check in", " login-utils/setpwnam.c.", " - debian/patches/CVE-2025-14104-2.patch: update buflen in", " login-utils/setpwnam.c.", " - CVE-2025-14104", "" ], "package": "util-linux", "version": "2.41.2-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 09 Jan 2026 10:49:15 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "fdisk", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu2", "version": "2.41.2-4ubuntu2" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu3", "version": "2.41.2-4ubuntu3" }, "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overread with 256-byte usernames", " - debian/patches/CVE-2025-14104-1.patch: add length check in", " login-utils/setpwnam.c.", " - debian/patches/CVE-2025-14104-2.patch: update buflen in", " login-utils/setpwnam.c.", " - CVE-2025-14104", "" ], "package": "util-linux", "version": "2.41.2-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 09 Jan 2026 10:49:15 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "ftp", "from_version": { "source_package_name": "tnftp", "source_package_version": "20230507-2build4", "version": "20230507-2build4" }, "to_version": { "source_package_name": "tnftp", "source_package_version": "20260211-1", "version": "20260211-1" }, "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "tnftp", "version": "20230507-2build4", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 01 Dec 2025 15:26:42 +0100" }, { "cves": [], "log": [ "", " * No change rebuild against libssl3t64.", "" ], "package": "tnftp", "version": "20230507-2build3", "urgency": "high", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Julian Andres Klode ", "date": "Mon, 08 Apr 2024 16:50:55 +0200" }, { "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "log": [ "", " * No-change rebuild for CVE-2024-3094", "" ], "package": "tnftp", "version": "20230507-2build2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Steve Langasek ", "date": "Sun, 31 Mar 2024 00:15:20 +0000" }, { "cves": [], "log": [ "", " * No-change rebuild against libssl3t64", "" ], "package": "tnftp", "version": "20230507-2build1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Steve Langasek ", "date": "Tue, 05 Mar 2024 02:06:05 +0000" } ], "notes": null, "is_version_downgrade": true }, { "name": "gir1.2-girepository-3.0:s390x", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.87.2-2", "version": "2.87.2-2" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.87.2-3", "version": "2.87.2-3" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Release to unstable", "" ], "package": "glib2.0", "version": "2.87.2-3", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Jeremy Bícha ", "date": "Sat, 07 Feb 2026 10:29:16 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "gir1.2-glib-2.0:s390x", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.87.2-2", "version": "2.87.2-2" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.87.2-3", "version": "2.87.2-3" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Release to unstable", "" ], "package": "glib2.0", "version": "2.87.2-3", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Jeremy Bícha ", "date": "Sat, 07 Feb 2026 10:29:16 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "gnupg", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu2", "version": "2.4.8-4ubuntu2" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu3", "version": "2.4.8-4ubuntu3" }, "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: stack-based buffer overflow in tpm2daemon", " - debian/patches/CVE-2026-24882.patch: fix possible buffer overflow in", " PKDECRYPT in tpm2d/tpm2.c.", " - CVE-2026-24882", "" ], "package": "gnupg2", "version": "2.4.8-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 29 Jan 2026 08:57:30 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "gnupg-l10n", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu2", "version": "2.4.8-4ubuntu2" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu3", "version": "2.4.8-4ubuntu3" }, "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: stack-based buffer overflow in tpm2daemon", " - debian/patches/CVE-2026-24882.patch: fix possible buffer overflow in", " PKDECRYPT in tpm2d/tpm2.c.", " - CVE-2026-24882", "" ], "package": "gnupg2", "version": "2.4.8-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 29 Jan 2026 08:57:30 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "gnupg-utils", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu2", "version": "2.4.8-4ubuntu2" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu3", "version": "2.4.8-4ubuntu3" }, "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: stack-based buffer overflow in tpm2daemon", " - debian/patches/CVE-2026-24882.patch: fix possible buffer overflow in", " PKDECRYPT in tpm2d/tpm2.c.", " - CVE-2026-24882", "" ], "package": "gnupg2", "version": "2.4.8-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 29 Jan 2026 08:57:30 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpg", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu2", "version": "2.4.8-4ubuntu2" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu3", "version": "2.4.8-4ubuntu3" }, "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: stack-based buffer overflow in tpm2daemon", " - debian/patches/CVE-2026-24882.patch: fix possible buffer overflow in", " PKDECRYPT in tpm2d/tpm2.c.", " - CVE-2026-24882", "" ], "package": "gnupg2", "version": "2.4.8-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 29 Jan 2026 08:57:30 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpg-agent", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu2", "version": "2.4.8-4ubuntu2" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu3", "version": "2.4.8-4ubuntu3" }, "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: stack-based buffer overflow in tpm2daemon", " - debian/patches/CVE-2026-24882.patch: fix possible buffer overflow in", " PKDECRYPT in tpm2d/tpm2.c.", " - CVE-2026-24882", "" ], "package": "gnupg2", "version": "2.4.8-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 29 Jan 2026 08:57:30 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpg-wks-client", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu2", "version": "2.4.8-4ubuntu2" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu3", "version": "2.4.8-4ubuntu3" }, "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: stack-based buffer overflow in tpm2daemon", " - debian/patches/CVE-2026-24882.patch: fix possible buffer overflow in", " PKDECRYPT in tpm2d/tpm2.c.", " - CVE-2026-24882", "" ], "package": "gnupg2", "version": "2.4.8-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 29 Jan 2026 08:57:30 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpgconf", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu2", "version": "2.4.8-4ubuntu2" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu3", "version": "2.4.8-4ubuntu3" }, "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: stack-based buffer overflow in tpm2daemon", " - debian/patches/CVE-2026-24882.patch: fix possible buffer overflow in", " PKDECRYPT in tpm2d/tpm2.c.", " - CVE-2026-24882", "" ], "package": "gnupg2", "version": "2.4.8-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 29 Jan 2026 08:57:30 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpgsm", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu2", "version": "2.4.8-4ubuntu2" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu3", "version": "2.4.8-4ubuntu3" }, "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: stack-based buffer overflow in tpm2daemon", " - debian/patches/CVE-2026-24882.patch: fix possible buffer overflow in", " PKDECRYPT in tpm2d/tpm2.c.", " - CVE-2026-24882", "" ], "package": "gnupg2", "version": "2.4.8-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 29 Jan 2026 08:57:30 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpgv", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu2", "version": "2.4.8-4ubuntu2" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.8-4ubuntu3", "version": "2.4.8-4ubuntu3" }, "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-24882", "url": "https://ubuntu.com/security/CVE-2026-24882", "cve_description": "In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys.", "cve_priority": "medium", "cve_public_date": "2026-01-27 19:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: stack-based buffer overflow in tpm2daemon", " - debian/patches/CVE-2026-24882.patch: fix possible buffer overflow in", " PKDECRYPT in tpm2d/tpm2.c.", " - CVE-2026-24882", "" ], "package": "gnupg2", "version": "2.4.8-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 29 Jan 2026 08:57:30 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "iproute2", "from_version": { "source_package_name": "iproute2", "source_package_version": "6.16.0-1ubuntu3", "version": "6.16.0-1ubuntu3" }, "to_version": { "source_package_name": "iproute2", "source_package_version": "6.18.0-1ubuntu1", "version": "6.18.0-1ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Merge from debian/sid (6.18). Remaining changes:", " - Ubuntu FAN support", " * Dropped because those changes are already included in the rebase:", " - /d/p/1004-Sync-UAPI-if_link.h-with-Linux-6.17.patch", " - /d/p/2001-lib-Update-backend-of-print_size-to-accept-64-bit-si.patch", " - /d/p/2002-tc-Add-get_size64-and-get_size64_and_cell.patch", " - /d/p/2003-tc-Expand-tc_calc_xmittime-tc_calc_xmitsize-to-u64.patch", " - /d/p/2004-tc-police-enable-use-of-64-bit-burst-parameter.patch", "" ], "package": "iproute2", "version": "6.18.0-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Wed, 28 Jan 2026 10:07:38 +0100" }, { "cves": [], "log": [ "", " * Update upstream source from tag 'upstream/6.18.0'", " * Install new netshaper program", "" ], "package": "iproute2", "version": "6.18.0-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Luca Boccassi ", "date": "Thu, 04 Dec 2025 16:52:57 +0000" }, { "cves": [], "log": [ "", " * Update upstream source from tag 'upstream/6.17.0'", " * Add override for typo false positive", "" ], "package": "iproute2", "version": "6.17.0-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Luca Boccassi ", "date": "Fri, 03 Oct 2025 21:32:30 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "iptables", "from_version": { "source_package_name": "iptables", "source_package_version": "1.8.11-2ubuntu2", "version": "1.8.11-2ubuntu2" }, "to_version": { "source_package_name": "iptables", "source_package_version": "1.8.11-2ubuntu3", "version": "1.8.11-2ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "iptables", "version": "1.8.11-2ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:26:26 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "kmod", "from_version": { "source_package_name": "kmod", "source_package_version": "34.2-2ubuntu1", "version": "34.2-2ubuntu1" }, "to_version": { "source_package_name": "kmod", "source_package_version": "34.2-2ubuntu2", "version": "34.2-2ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "kmod", "version": "34.2-2ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:29:13 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libapparmor1:s390x", "from_version": { "source_package_name": "apparmor", "source_package_version": "5.0.0~alpha1-0ubuntu9", "version": "5.0.0~alpha1-0ubuntu9" }, "to_version": { "source_package_name": "apparmor", "source_package_version": "5.0.0~alpha1-0ubuntu11", "version": "5.0.0~alpha1-0ubuntu11" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Add patch to fix utils flake8 FTBFS:", " - d/p/u/utils-remove-global-_-from-aa-notify-main.patch", " * Add patches to fix python3-libapparmor FTBFS:", " - d/p/u/0001-libapparmor-change-setup.py-to-remove-the-need-for-_.patch", " - d/p/u/0002-libapparmor-remove-__init__.py-not-needed-for-SWIG-P.patch", " * Add patch to fix utils testing with non-default Python:", " - d/p/u/utils-test-use-sys.executable-when-launching-aa-show.patch", " * debian/python3-libapparmor.install: include new location of Python", " _LibAppArmor*.so libraries", " * debian/rules:", " - revert hardcoding of python3.13 as workaround of", " python3.14-tk breakage", " - remove __pycache__ directory generated by python3-libapparmor build", "" ], "package": "apparmor", "version": "5.0.0~alpha1-0ubuntu11", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Ryan Lee ", "date": "Mon, 26 Jan 2026 11:08:37 -0800" }, { "cves": [], "log": [ "", " * Another no-change rebuild with Python 3.14 for amd64v3", "" ], "package": "apparmor", "version": "5.0.0~alpha1-0ubuntu10", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Graham Inggs ", "date": "Sun, 18 Jan 2026 18:35:09 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "libatomic1:s390x", "from_version": { "source_package_name": "gcc-15", "source_package_version": "15.2.0-12ubuntu1", "version": "15.2.0-12ubuntu1" }, "to_version": { "source_package_name": "gcc-16", "source_package_version": "16-20260210-0ubuntu1", "version": "16-20260210-0ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260210).", " * Fix build when building without common libraries.", "" ], "package": "gcc-16", "version": "16-20260210-0ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 10 Feb 2026 01:42:25 +0100" }, { "cves": [], "log": [ "", " * Merge with Debian; remaining changes:", " - Build from upstream sources.", " - Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20260208-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 08 Feb 2026 13:09:34 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260208).", "" ], "package": "gcc-16", "version": "16-20260208-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 08 Feb 2026 11:23:36 +0100" }, { "cves": [], "log": [ "", " * Ignore dh_shlibdeps failure for libcc1 for now.", "" ], "package": "gcc-16", "version": "16-20260207-2", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 07 Feb 2026 17:11:49 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260207).", " * Update sh4 LRA patches (Adrian Glaubitz). Closes: #1126958.", " * Build again gnat cross compiler for sh4.", " * Update libcc1 and libgphobos symbols files.", "" ], "package": "gcc-16", "version": "16-20260207-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 07 Feb 2026 11:25:14 +0100" }, { "cves": [], "log": [ "", " * Merge with Debian; remaining changes:", " - Build from upstream sources.", " - Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20260203-2ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 03 Feb 2026 17:10:34 +0100" }, { "cves": [], "log": [ "", " * Apply proposed patch for PR d/123953, fixing ftbfs on ppc64le.", "" ], "package": "gcc-16", "version": "16-20260203-2", "urgency": "medium", "distributions": "expperimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 03 Feb 2026 16:45:07 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260203).", " * Update newlib to 4.6.0.20260123.", " * Allow configuring libxml2 include and lib directories.", " * Build-depend on libxml2-source for the cross builds, and generate", " Built-Using for libgcobol built using libxml2-source.", " * Update libga68 and libgcobol symbols files.", " * d/tests/control: Update dependencies for 16 (Michael R. Crusoe).", " Closes: #1126131.", " * Add again build dependency on python3-check-jsonschema, needed for tests.", " * Fix D #22463: SOURCE_DATE_EPOCH parsing incorrectly affected by system", " timezone. Addresses: #1126512.", " * Add the results of the usage-wrapper into the binary packages.", " * Require 6GB memory/CPU for Ubuntu/riscv64 builds. Failing builds without", " build logs.", " * Refresh patches.", " * Update libgphobos7 symbols file for amd64.", "" ], "package": "gcc-16", "version": "16-20260203-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 03 Feb 2026 12:04:58 +0100" }, { "cves": [], "log": [ "", " * Merge with Debian; remaining changes:", " - Build from upstream sources.", " - Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20260119-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Mon, 19 Jan 2026 10:32:42 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260119).", " * lib*gcc-N-dev: Install lib{atomic,gcc_s}_asneeded linker scripts.", " * Import updated sanitizer symbols files from GCC 15.", " * Enable PAC/BTI/GCS on arm64 for libgfortran (Emanuele Rocca).", " Closes: #1123084.", " * Don't complain about missing gccrs and gcobc man pages.", "" ], "package": "gcc-16", "version": "16-20260119-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Mon, 19 Jan 2026 10:29:59 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251214).", " * Log the available disk space for the build.", " * Disable cobol for cross builds for now. Requires a libxml2 build", " for the target.", " * Build liblsan and libtsan on s390x.", " * Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20251214-0ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 14 Dec 2025 09:21:28 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251210).", "" ], "package": "gcc-16", "version": "16-20251210-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Wed, 10 Dec 2025 12:17:05 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251210).", " * Don't rely on python3-check-jsonschema for testing, still having", " unpackaged dependencies.", " * Disable profiled build on powerpc for now.", "" ], "package": "gcc-16", "version": "16-20251210-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Wed, 10 Dec 2025 12:13:23 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251202).", "" ], "package": "gcc-16", "version": "16-20251202-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 02 Dec 2025 16:55:42 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251202).", " * Install Algol-68 upstream changelogs.", " * d/NEWS.html: Update for 16, the test file NEWS.gcc is still for 15.", " * d/p/ada-tv_nsec-size.diff: Update for 16. Upstream status?", " * d/copyright*: Update download locations.", " * Override so wrong lintian error about size of Binary field length.", " * Disabled profiled build on i386, see PR ada/122934.", " * Update libhwasan, liblsan, libtsan and libubsan symbols files.", "" ], "package": "gcc-16", "version": "16-20251202-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 02 Dec 2025 16:51:01 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251130).", "" ], "package": "gcc-16", "version": "16-20251130-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 30 Nov 2025 22:33:13 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251130).", " * Build using amdgcn-tools-21 instead of -19.", " * Update build dependencies for gcobol.", " * Disable profiled build on armhf. See PR target/121821, PR target/122815.", " * Update libga68, libgfortran, libgomp and libstdc++ symbols files.", " * Explicitly bump the libgphobos soname.", " * Refresh patches.", " * Fix some lintian warnings, override some more.", "" ], "package": "gcc-16", "version": "16-20251130-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 30 Nov 2025 15:14:37 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251123).", "" ], "package": "gcc-16", "version": "16-20251123-1ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 23 Nov 2025 12:49:38 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251123).", " * Build using amdgcn-tools-21 instead of -19.", "" ], "package": "gcc-16", "version": "16-20251123-1", "urgency": "medium", "distributions": "UNRELEASED", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 23 Nov 2025 08:54:26 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libblkid1:s390x", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu2", "version": "2.41.2-4ubuntu2" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu3", "version": "2.41.2-4ubuntu3" }, "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overread with 256-byte usernames", " - debian/patches/CVE-2025-14104-1.patch: add length check in", " login-utils/setpwnam.c.", " - debian/patches/CVE-2025-14104-2.patch: update buflen in", " login-utils/setpwnam.c.", " - CVE-2025-14104", "" ], "package": "util-linux", "version": "2.41.2-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 09 Jan 2026 10:49:15 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libbrotli1:s390x", "from_version": { "source_package_name": "brotli", "source_package_version": "1.1.0-2build6", "version": "1.1.0-2build6" }, "to_version": { "source_package_name": "brotli", "source_package_version": "1.2.0-3", "version": "1.2.0-3" }, "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * No-change rebuild with Python 3.14 as supported version", "" ], "package": "brotli", "version": "1.1.0-2build6", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Graham Inggs ", "date": "Sat, 18 Oct 2025 13:14:51 +0000" }, { "cves": [], "log": [ "", " * Rebuild to include updated RISC-V base ISA RVA23", "" ], "package": "brotli", "version": "1.1.0-2build5", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [], "author": "Heinrich Schuchardt ", "date": "Wed, 03 Sep 2025 15:05:26 +0000" }, { "cves": [], "log": [ "", " * No-change rebuild with Python 3.13 only", "" ], "package": "brotli", "version": "1.1.0-2build4", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [], "author": "Graham Inggs ", "date": "Tue, 04 Mar 2025 21:46:54 +0000" }, { "cves": [], "log": [ "", " * SRU: #2083480: No-change rebuild to add support for Python 3.13.", "" ], "package": "brotli", "version": "1.1.0-2build3", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Wed, 13 Nov 2024 09:58:58 +0100" }, { "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "log": [ "", " * No-change rebuild for CVE-2024-3094", "" ], "package": "brotli", "version": "1.1.0-2build2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Steve Langasek ", "date": "Sun, 31 Mar 2024 07:29:06 +0000" }, { "cves": [], "log": [ "", " * No-change rebuild to build with python3.12 only.", "" ], "package": "brotli", "version": "1.1.0-2build1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 16 Mar 2024 23:14:24 +0100" } ], "notes": null, "is_version_downgrade": true }, { "name": "libc-bin", "from_version": { "source_package_name": "glibc", "source_package_version": "2.42-2ubuntu4", "version": "2.42-2ubuntu4" }, "to_version": { "source_package_name": "glibc", "source_package_version": "2.42-2ubuntu5", "version": "2.42-2ubuntu5" }, "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use-after-free in wordexp_t fields", " - debian/patches/CVE-2025-15281.patch: posix: Reset wordexp_t fields", " with WRDE_REUSE", " - CVE-2025-15281", " * SECURITY UPDATE: integer overflow in memalign", " - debian/patches/CVE-2026-0861.patch: memalign: reinstate alignment", " overflow check", " - CVE-2026-0861", " * SECURITY UPDATE: memory leak in NSS DNS", " - debian/patches/CVE-2026-0915.patch: resolv: Fix NSS DNS backend for", " getnetbyaddr", " - CVE-2026-0915", "" ], "package": "glibc", "version": "2.42-2ubuntu5", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Nishit Majithia ", "date": "Fri, 30 Jan 2026 14:27:46 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "libc-gconv-modules-extra:s390x", "from_version": { "source_package_name": "glibc", "source_package_version": "2.42-2ubuntu4", "version": "2.42-2ubuntu4" }, "to_version": { "source_package_name": "glibc", "source_package_version": "2.42-2ubuntu5", "version": "2.42-2ubuntu5" }, "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use-after-free in wordexp_t fields", " - debian/patches/CVE-2025-15281.patch: posix: Reset wordexp_t fields", " with WRDE_REUSE", " - CVE-2025-15281", " * SECURITY UPDATE: integer overflow in memalign", " - debian/patches/CVE-2026-0861.patch: memalign: reinstate alignment", " overflow check", " - CVE-2026-0861", " * SECURITY UPDATE: memory leak in NSS DNS", " - debian/patches/CVE-2026-0915.patch: resolv: Fix NSS DNS backend for", " getnetbyaddr", " - CVE-2026-0915", "" ], "package": "glibc", "version": "2.42-2ubuntu5", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Nishit Majithia ", "date": "Fri, 30 Jan 2026 14:27:46 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "libc6:s390x", "from_version": { "source_package_name": "glibc", "source_package_version": "2.42-2ubuntu4", "version": "2.42-2ubuntu4" }, "to_version": { "source_package_name": "glibc", "source_package_version": "2.42-2ubuntu5", "version": "2.42-2ubuntu5" }, "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use-after-free in wordexp_t fields", " - debian/patches/CVE-2025-15281.patch: posix: Reset wordexp_t fields", " with WRDE_REUSE", " - CVE-2025-15281", " * SECURITY UPDATE: integer overflow in memalign", " - debian/patches/CVE-2026-0861.patch: memalign: reinstate alignment", " overflow check", " - CVE-2026-0861", " * SECURITY UPDATE: memory leak in NSS DNS", " - debian/patches/CVE-2026-0915.patch: resolv: Fix NSS DNS backend for", " getnetbyaddr", " - CVE-2026-0915", "" ], "package": "glibc", "version": "2.42-2ubuntu5", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Nishit Majithia ", "date": "Fri, 30 Jan 2026 14:27:46 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "libfdisk1:s390x", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu2", "version": "2.41.2-4ubuntu2" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu3", "version": "2.41.2-4ubuntu3" }, "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overread with 256-byte usernames", " - debian/patches/CVE-2025-14104-1.patch: add length check in", " login-utils/setpwnam.c.", " - debian/patches/CVE-2025-14104-2.patch: update buflen in", " login-utils/setpwnam.c.", " - CVE-2025-14104", "" ], "package": "util-linux", "version": "2.41.2-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 09 Jan 2026 10:49:15 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libfido2-1:s390x", "from_version": { "source_package_name": "libfido2", "source_package_version": "1.16.0-2", "version": "1.16.0-2" }, "to_version": { "source_package_name": "libfido2", "source_package_version": "1.16.0-2build1", "version": "1.16.0-2build1" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "libfido2", "version": "1.16.0-2build1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:35:02 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libfyaml0:s390x", "from_version": { "source_package_name": "libfyaml", "source_package_version": "0.9.3-1", "version": "0.9.3-1" }, "to_version": { "source_package_name": "libfyaml", "source_package_version": "0.9.4-1", "version": "0.9.4-1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * New upstream version 0.9.4", " * Update libfyaml0.symbols", "" ], "package": "libfyaml", "version": "0.9.4-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Timo Röhling ", "date": "Thu, 12 Feb 2026 18:19:17 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libgcc-s1:s390x", "from_version": { "source_package_name": "gcc-15", "source_package_version": "15.2.0-12ubuntu1", "version": "15.2.0-12ubuntu1" }, "to_version": { "source_package_name": "gcc-16", "source_package_version": "16-20260210-0ubuntu1", "version": "16-20260210-0ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260210).", " * Fix build when building without common libraries.", "" ], "package": "gcc-16", "version": "16-20260210-0ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 10 Feb 2026 01:42:25 +0100" }, { "cves": [], "log": [ "", " * Merge with Debian; remaining changes:", " - Build from upstream sources.", " - Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20260208-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 08 Feb 2026 13:09:34 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260208).", "" ], "package": "gcc-16", "version": "16-20260208-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 08 Feb 2026 11:23:36 +0100" }, { "cves": [], "log": [ "", " * Ignore dh_shlibdeps failure for libcc1 for now.", "" ], "package": "gcc-16", "version": "16-20260207-2", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 07 Feb 2026 17:11:49 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260207).", " * Update sh4 LRA patches (Adrian Glaubitz). Closes: #1126958.", " * Build again gnat cross compiler for sh4.", " * Update libcc1 and libgphobos symbols files.", "" ], "package": "gcc-16", "version": "16-20260207-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 07 Feb 2026 11:25:14 +0100" }, { "cves": [], "log": [ "", " * Merge with Debian; remaining changes:", " - Build from upstream sources.", " - Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20260203-2ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 03 Feb 2026 17:10:34 +0100" }, { "cves": [], "log": [ "", " * Apply proposed patch for PR d/123953, fixing ftbfs on ppc64le.", "" ], "package": "gcc-16", "version": "16-20260203-2", "urgency": "medium", "distributions": "expperimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 03 Feb 2026 16:45:07 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260203).", " * Update newlib to 4.6.0.20260123.", " * Allow configuring libxml2 include and lib directories.", " * Build-depend on libxml2-source for the cross builds, and generate", " Built-Using for libgcobol built using libxml2-source.", " * Update libga68 and libgcobol symbols files.", " * d/tests/control: Update dependencies for 16 (Michael R. Crusoe).", " Closes: #1126131.", " * Add again build dependency on python3-check-jsonschema, needed for tests.", " * Fix D #22463: SOURCE_DATE_EPOCH parsing incorrectly affected by system", " timezone. Addresses: #1126512.", " * Add the results of the usage-wrapper into the binary packages.", " * Require 6GB memory/CPU for Ubuntu/riscv64 builds. Failing builds without", " build logs.", " * Refresh patches.", " * Update libgphobos7 symbols file for amd64.", "" ], "package": "gcc-16", "version": "16-20260203-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 03 Feb 2026 12:04:58 +0100" }, { "cves": [], "log": [ "", " * Merge with Debian; remaining changes:", " - Build from upstream sources.", " - Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20260119-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Mon, 19 Jan 2026 10:32:42 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260119).", " * lib*gcc-N-dev: Install lib{atomic,gcc_s}_asneeded linker scripts.", " * Import updated sanitizer symbols files from GCC 15.", " * Enable PAC/BTI/GCS on arm64 for libgfortran (Emanuele Rocca).", " Closes: #1123084.", " * Don't complain about missing gccrs and gcobc man pages.", "" ], "package": "gcc-16", "version": "16-20260119-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Mon, 19 Jan 2026 10:29:59 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251214).", " * Log the available disk space for the build.", " * Disable cobol for cross builds for now. Requires a libxml2 build", " for the target.", " * Build liblsan and libtsan on s390x.", " * Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20251214-0ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 14 Dec 2025 09:21:28 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251210).", "" ], "package": "gcc-16", "version": "16-20251210-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Wed, 10 Dec 2025 12:17:05 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251210).", " * Don't rely on python3-check-jsonschema for testing, still having", " unpackaged dependencies.", " * Disable profiled build on powerpc for now.", "" ], "package": "gcc-16", "version": "16-20251210-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Wed, 10 Dec 2025 12:13:23 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251202).", "" ], "package": "gcc-16", "version": "16-20251202-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 02 Dec 2025 16:55:42 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251202).", " * Install Algol-68 upstream changelogs.", " * d/NEWS.html: Update for 16, the test file NEWS.gcc is still for 15.", " * d/p/ada-tv_nsec-size.diff: Update for 16. Upstream status?", " * d/copyright*: Update download locations.", " * Override so wrong lintian error about size of Binary field length.", " * Disabled profiled build on i386, see PR ada/122934.", " * Update libhwasan, liblsan, libtsan and libubsan symbols files.", "" ], "package": "gcc-16", "version": "16-20251202-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 02 Dec 2025 16:51:01 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251130).", "" ], "package": "gcc-16", "version": "16-20251130-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 30 Nov 2025 22:33:13 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251130).", " * Build using amdgcn-tools-21 instead of -19.", " * Update build dependencies for gcobol.", " * Disable profiled build on armhf. See PR target/121821, PR target/122815.", " * Update libga68, libgfortran, libgomp and libstdc++ symbols files.", " * Explicitly bump the libgphobos soname.", " * Refresh patches.", " * Fix some lintian warnings, override some more.", "" ], "package": "gcc-16", "version": "16-20251130-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 30 Nov 2025 15:14:37 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251123).", "" ], "package": "gcc-16", "version": "16-20251123-1ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 23 Nov 2025 12:49:38 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251123).", " * Build using amdgcn-tools-21 instead of -19.", "" ], "package": "gcc-16", "version": "16-20251123-1", "urgency": "medium", "distributions": "UNRELEASED", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 23 Nov 2025 08:54:26 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libgirepository-2.0-0:s390x", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.87.2-2", "version": "2.87.2-2" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.87.2-3", "version": "2.87.2-3" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Release to unstable", "" ], "package": "glib2.0", "version": "2.87.2-3", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Jeremy Bícha ", "date": "Sat, 07 Feb 2026 10:29:16 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libglib2.0-0t64:s390x", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.87.2-2", "version": "2.87.2-2" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.87.2-3", "version": "2.87.2-3" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Release to unstable", "" ], "package": "glib2.0", "version": "2.87.2-3", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Jeremy Bícha ", "date": "Sat, 07 Feb 2026 10:29:16 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libglib2.0-bin", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.87.2-2", "version": "2.87.2-2" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.87.2-3", "version": "2.87.2-3" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Release to unstable", "" ], "package": "glib2.0", "version": "2.87.2-3", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Jeremy Bícha ", "date": "Sat, 07 Feb 2026 10:29:16 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libglib2.0-data", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.87.2-2", "version": "2.87.2-2" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.87.2-3", "version": "2.87.2-3" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Release to unstable", "" ], "package": "glib2.0", "version": "2.87.2-3", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Jeremy Bícha ", "date": "Sat, 07 Feb 2026 10:29:16 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libgmp10:s390x", "from_version": { "source_package_name": "gmp", "source_package_version": "2:6.3.0+dfsg-5ubuntu1", "version": "2:6.3.0+dfsg-5ubuntu1" }, "to_version": { "source_package_name": "gmp", "source_package_version": "2:6.3.0+dfsg-5ubuntu2", "version": "2:6.3.0+dfsg-5ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "gmp", "version": "2:6.3.0+dfsg-5ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Fri, 06 Feb 2026 21:18:28 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libintl-perl", "from_version": { "source_package_name": "libintl-perl", "source_package_version": "1.35-1", "version": "1.35-1" }, "to_version": { "source_package_name": "libintl-perl", "source_package_version": "1.37-1", "version": "1.37-1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Team upload.", " * Import upstream version 1.37.", " * Update years of upstream copyright.", " * Add debian/NEWS.Developer with relevant upstream changes.", " * Refresh spelling.patch: offset.", " * Declare compliance with Debian Policy 4.7.3.", " * Remove «Rules-Requires-Root: no», which is the current default.", " * Remove «Priority: optional», which is the current default.", "" ], "package": "libintl-perl", "version": "1.37-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "gregor herrmann ", "date": "Sun, 08 Feb 2026 17:45:13 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libintl-xs-perl", "from_version": { "source_package_name": "libintl-perl", "source_package_version": "1.35-1", "version": "1.35-1" }, "to_version": { "source_package_name": "libintl-perl", "source_package_version": "1.37-1", "version": "1.37-1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Team upload.", " * Import upstream version 1.37.", " * Update years of upstream copyright.", " * Add debian/NEWS.Developer with relevant upstream changes.", " * Refresh spelling.patch: offset.", " * Declare compliance with Debian Policy 4.7.3.", " * Remove «Rules-Requires-Root: no», which is the current default.", " * Remove «Priority: optional», which is the current default.", "" ], "package": "libintl-perl", "version": "1.37-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "gregor herrmann ", "date": "Sun, 08 Feb 2026 17:45:13 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libip4tc2:s390x", "from_version": { "source_package_name": "iptables", "source_package_version": "1.8.11-2ubuntu2", "version": "1.8.11-2ubuntu2" }, "to_version": { "source_package_name": "iptables", "source_package_version": "1.8.11-2ubuntu3", "version": "1.8.11-2ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "iptables", "version": "1.8.11-2ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:26:26 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libip6tc2:s390x", "from_version": { "source_package_name": "iptables", "source_package_version": "1.8.11-2ubuntu2", "version": "1.8.11-2ubuntu2" }, "to_version": { "source_package_name": "iptables", "source_package_version": "1.8.11-2ubuntu3", "version": "1.8.11-2ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "iptables", "version": "1.8.11-2ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:26:26 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libjson-c5:s390x", "from_version": { "source_package_name": "json-c", "source_package_version": "0.18+ds-1.1", "version": "0.18+ds-1.1" }, "to_version": { "source_package_name": "json-c", "source_package_version": "0.18+ds-2", "version": "0.18+ds-2" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Enforce higher CMake policy version in autopkgtest (Closes: #1113062)", " * d/control: Update standards version to 4.7.3", " * d/watch: upgrade to version 5", " * d/control: Remove Priority option", " * d/control: Remove Rules-Requires-Root option", "" ], "package": "json-c", "version": "0.18+ds-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Nicolas Mora ", "date": "Wed, 11 Feb 2026 07:25:52 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libkmod2:s390x", "from_version": { "source_package_name": "kmod", "source_package_version": "34.2-2ubuntu1", "version": "34.2-2ubuntu1" }, "to_version": { "source_package_name": "kmod", "source_package_version": "34.2-2ubuntu2", "version": "34.2-2ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "kmod", "version": "34.2-2ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:29:13 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "liblastlog2-2:s390x", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu2", "version": "2.41.2-4ubuntu2" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu3", "version": "2.41.2-4ubuntu3" }, "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overread with 256-byte usernames", " - debian/patches/CVE-2025-14104-1.patch: add length check in", " login-utils/setpwnam.c.", " - debian/patches/CVE-2025-14104-2.patch: update buflen in", " login-utils/setpwnam.c.", " - CVE-2025-14104", "" ], "package": "util-linux", "version": "2.41.2-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 09 Jan 2026 10:49:15 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libmount1:s390x", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu2", "version": "2.41.2-4ubuntu2" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu3", "version": "2.41.2-4ubuntu3" }, "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overread with 256-byte usernames", " - debian/patches/CVE-2025-14104-1.patch: add length check in", " login-utils/setpwnam.c.", " - debian/patches/CVE-2025-14104-2.patch: update buflen in", " login-utils/setpwnam.c.", " - CVE-2025-14104", "" ], "package": "util-linux", "version": "2.41.2-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 09 Jan 2026 10:49:15 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libnghttp2-14:s390x", "from_version": { "source_package_name": "nghttp2", "source_package_version": "1.64.0-1.1ubuntu1", "version": "1.64.0-1.1ubuntu1" }, "to_version": { "source_package_name": "nghttp2", "source_package_version": "1.64.0-1.1ubuntu2", "version": "1.64.0-1.1ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "nghttp2", "version": "1.64.0-1.1ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Wed, 11 Feb 2026 23:36:42 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libnl-3-200:s390x", "from_version": { "source_package_name": "libnl3", "source_package_version": "3.11.0-2", "version": "3.11.0-2" }, "to_version": { "source_package_name": "libnl3", "source_package_version": "3.12.0-2", "version": "3.12.0-2" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * d/watch: fix version mangling, disable pgp mangle.", " upstream key is not good enough anymore.", "" ], "package": "libnl3", "version": "3.12.0-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Chris Hofstaedtler ", "date": "Tue, 06 Jan 2026 01:29:37 +0100" }, { "cves": [], "log": [ "", " * New upstream version 3.12.0", " * Rebase patches", " * Update symbols for 3.12", " * d/watch: fix version mangling for underscores", "" ], "package": "libnl3", "version": "3.12.0-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Chris Hofstaedtler ", "date": "Fri, 19 Dec 2025 15:53:54 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libnl-genl-3-200:s390x", "from_version": { "source_package_name": "libnl3", "source_package_version": "3.11.0-2", "version": "3.11.0-2" }, "to_version": { "source_package_name": "libnl3", "source_package_version": "3.12.0-2", "version": "3.12.0-2" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * d/watch: fix version mangling, disable pgp mangle.", " upstream key is not good enough anymore.", "" ], "package": "libnl3", "version": "3.12.0-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Chris Hofstaedtler ", "date": "Tue, 06 Jan 2026 01:29:37 +0100" }, { "cves": [], "log": [ "", " * New upstream version 3.12.0", " * Rebase patches", " * Update symbols for 3.12", " * d/watch: fix version mangling for underscores", "" ], "package": "libnl3", "version": "3.12.0-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Chris Hofstaedtler ", "date": "Fri, 19 Dec 2025 15:53:54 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libnl-route-3-200:s390x", "from_version": { "source_package_name": "libnl3", "source_package_version": "3.11.0-2", "version": "3.11.0-2" }, "to_version": { "source_package_name": "libnl3", "source_package_version": "3.12.0-2", "version": "3.12.0-2" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * d/watch: fix version mangling, disable pgp mangle.", " upstream key is not good enough anymore.", "" ], "package": "libnl3", "version": "3.12.0-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Chris Hofstaedtler ", "date": "Tue, 06 Jan 2026 01:29:37 +0100" }, { "cves": [], "log": [ "", " * New upstream version 3.12.0", " * Rebase patches", " * Update symbols for 3.12", " * d/watch: fix version mangling for underscores", "" ], "package": "libnl3", "version": "3.12.0-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Chris Hofstaedtler ", "date": "Fri, 19 Dec 2025 15:53:54 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libnuma1:s390x", "from_version": { "source_package_name": "numactl", "source_package_version": "2.0.19-1", "version": "2.0.19-1" }, "to_version": { "source_package_name": "numactl", "source_package_version": "2.0.19-1build1", "version": "2.0.19-1build1" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "numactl", "version": "2.0.19-1build1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:31:08 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libopeniscsiusr", "from_version": { "source_package_name": "open-iscsi", "source_package_version": "2.1.11-3ubuntu1", "version": "2.1.11-3ubuntu1" }, "to_version": { "source_package_name": "open-iscsi", "source_package_version": "2.1.11-3ubuntu2", "version": "2.1.11-3ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2139084 ], "changes": [ { "cves": [], "log": [ "", " * Resize cloud image used for testing to avoid out-of-space errors", " (LP: #2139084):", " - d/t/test-open-iscsi.py: increase the size of the downloaded image", " - d/t/control: add cloud-guest-utils to dependencies due to", " growpart", "" ], "package": "open-iscsi", "version": "2.1.11-3ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2139084 ], "author": "Andreas Hasenack ", "date": "Wed, 28 Jan 2026 10:50:31 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpam-modules:s390x", "from_version": { "source_package_name": "pam", "source_package_version": "1.7.0-5ubuntu2", "version": "1.7.0-5ubuntu2" }, "to_version": { "source_package_name": "pam", "source_package_version": "1.7.0-5ubuntu3", "version": "1.7.0-5ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "pam", "version": "1.7.0-5ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:33:17 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpam-modules-bin", "from_version": { "source_package_name": "pam", "source_package_version": "1.7.0-5ubuntu2", "version": "1.7.0-5ubuntu2" }, "to_version": { "source_package_name": "pam", "source_package_version": "1.7.0-5ubuntu3", "version": "1.7.0-5ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "pam", "version": "1.7.0-5ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:33:17 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpam-runtime", "from_version": { "source_package_name": "pam", "source_package_version": "1.7.0-5ubuntu2", "version": "1.7.0-5ubuntu2" }, "to_version": { "source_package_name": "pam", "source_package_version": "1.7.0-5ubuntu3", "version": "1.7.0-5ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "pam", "version": "1.7.0-5ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:33:17 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpam0g:s390x", "from_version": { "source_package_name": "pam", "source_package_version": "1.7.0-5ubuntu2", "version": "1.7.0-5ubuntu2" }, "to_version": { "source_package_name": "pam", "source_package_version": "1.7.0-5ubuntu3", "version": "1.7.0-5ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "pam", "version": "1.7.0-5ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:33:17 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpcre2-8-0:s390x", "from_version": { "source_package_name": "pcre2", "source_package_version": "10.46-1", "version": "10.46-1" }, "to_version": { "source_package_name": "pcre2", "source_package_version": "10.46-1build1", "version": "10.46-1build1" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "pcre2", "version": "10.46-1build1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:34:18 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpng16-16t64:s390x", "from_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.54-1", "version": "1.6.54-1" }, "to_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.55-1", "version": "1.6.55-1" }, "cves": [ { "cve": "CVE-2026-25646", "url": "https://ubuntu.com/security/CVE-2026-25646", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.", "cve_priority": "medium", "cve_public_date": "2026-02-10 18:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-25646", "url": "https://ubuntu.com/security/CVE-2026-25646", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.", "cve_priority": "medium", "cve_public_date": "2026-02-10 18:16:00 UTC" } ], "log": [ "", " * New upstream version 1.6.55", " - CVE-2026-25646 (Closes: #1127566)", " * Bump std-version to 4.7.3, no changes required", " * Drop R^3: no, default now", "" ], "package": "libpng1.6", "version": "1.6.55-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Gianfranco Costamagna ", "date": "Thu, 12 Feb 2026 10:55:21 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpolkit-agent-1-0:s390x", "from_version": { "source_package_name": "policykit-1", "source_package_version": "127-1", "version": "127-1" }, "to_version": { "source_package_name": "policykit-1", "source_package_version": "127-2", "version": "127-2" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " [ Andrew Bower ]", " * Fix #1125142 for systems without systemd-sysv installed", "", " [ Luca Boccassi ]", " * Drop priority from d/control, now defaults to optional", " * Bump Standards-version to 4.7.3", " * Set the reboot-required flag when upgrading from << 127 (Closes:", " #1125141)", "" ], "package": "policykit-1", "version": "127-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Luca Boccassi ", "date": "Mon, 09 Feb 2026 14:37:46 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpolkit-gobject-1-0:s390x", "from_version": { "source_package_name": "policykit-1", "source_package_version": "127-1", "version": "127-1" }, "to_version": { "source_package_name": "policykit-1", "source_package_version": "127-2", "version": "127-2" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " [ Andrew Bower ]", " * Fix #1125142 for systems without systemd-sysv installed", "", " [ Luca Boccassi ]", " * Drop priority from d/control, now defaults to optional", " * Bump Standards-version to 4.7.3", " * Set the reboot-required flag when upgrading from << 127 (Closes:", " #1125141)", "" ], "package": "policykit-1", "version": "127-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Luca Boccassi ", "date": "Mon, 09 Feb 2026 14:37:46 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.13-minimal:s390x", "from_version": { "source_package_name": "python3.13", "source_package_version": "3.13.11-1", "version": "3.13.11-1" }, "to_version": { "source_package_name": "python3.13", "source_package_version": "3.13.12-1", "version": "3.13.12-1" }, "cves": [ { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-1299", "url": "https://ubuntu.com/security/CVE-2026-1299", "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".", "cve_priority": "medium", "cve_public_date": "2026-01-23 17:16:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-1299", "url": "https://ubuntu.com/security/CVE-2026-1299", "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".", "cve_priority": "medium", "cve_public_date": "2026-01-23 17:16:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * Python 3.13.12.", " - Ensures that Element & Attr instances have the ownerDocument", " attribute. Closes: #1122875", " - Reject control characters in wsgiref.headers.Headers. Closes: #1126740,", " CVE-2026-0865.", " - email: verify headers are sound in BytesGenerator. Closes: #1126745,", " CVE-2026-1299.", " - Reject control characters in http cookies. Closes: #1126762,", " CVE-2026-0672.", " - Reject control characters in data: URL mediatype. Closes: #1126780,", " CVE-2025-15282.", " - email: Preserve parens when folding comments. Closes: #1126787,", " CVE-2025-11468.", " * Refresh patches.", " * Drop m68k patch, merged upstream.", " * Drop -Os from CFLAGS for sh4. Closes: #1122045", " * Patch: Handle missing _pyrepl in _sitebuiltins under python3.13-minimal.", "" ], "package": "python3.13", "version": "3.13.12-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Stefano Rivera ", "date": "Wed, 04 Feb 2026 11:06:39 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.13-stdlib:s390x", "from_version": { "source_package_name": "python3.13", "source_package_version": "3.13.11-1", "version": "3.13.11-1" }, "to_version": { "source_package_name": "python3.13", "source_package_version": "3.13.12-1", "version": "3.13.12-1" }, "cves": [ { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-1299", "url": "https://ubuntu.com/security/CVE-2026-1299", "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".", "cve_priority": "medium", "cve_public_date": "2026-01-23 17:16:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-1299", "url": "https://ubuntu.com/security/CVE-2026-1299", "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".", "cve_priority": "medium", "cve_public_date": "2026-01-23 17:16:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * Python 3.13.12.", " - Ensures that Element & Attr instances have the ownerDocument", " attribute. Closes: #1122875", " - Reject control characters in wsgiref.headers.Headers. Closes: #1126740,", " CVE-2026-0865.", " - email: verify headers are sound in BytesGenerator. Closes: #1126745,", " CVE-2026-1299.", " - Reject control characters in http cookies. Closes: #1126762,", " CVE-2026-0672.", " - Reject control characters in data: URL mediatype. Closes: #1126780,", " CVE-2025-15282.", " - email: Preserve parens when folding comments. Closes: #1126787,", " CVE-2025-11468.", " * Refresh patches.", " * Drop m68k patch, merged upstream.", " * Drop -Os from CFLAGS for sh4. Closes: #1122045", " * Patch: Handle missing _pyrepl in _sitebuiltins under python3.13-minimal.", "" ], "package": "python3.13", "version": "3.13.12-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Stefano Rivera ", "date": "Wed, 04 Feb 2026 11:06:39 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsmartcols1:s390x", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu2", "version": "2.41.2-4ubuntu2" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu3", "version": "2.41.2-4ubuntu3" }, "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overread with 256-byte usernames", " - debian/patches/CVE-2025-14104-1.patch: add length check in", " login-utils/setpwnam.c.", " - debian/patches/CVE-2025-14104-2.patch: update buflen in", " login-utils/setpwnam.c.", " - CVE-2025-14104", "" ], "package": "util-linux", "version": "2.41.2-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 09 Jan 2026 10:49:15 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libstdc++6:s390x", "from_version": { "source_package_name": "gcc-15", "source_package_version": "15.2.0-12ubuntu1", "version": "15.2.0-12ubuntu1" }, "to_version": { "source_package_name": "gcc-16", "source_package_version": "16-20260210-0ubuntu1", "version": "16-20260210-0ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260210).", " * Fix build when building without common libraries.", "" ], "package": "gcc-16", "version": "16-20260210-0ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 10 Feb 2026 01:42:25 +0100" }, { "cves": [], "log": [ "", " * Merge with Debian; remaining changes:", " - Build from upstream sources.", " - Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20260208-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 08 Feb 2026 13:09:34 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260208).", "" ], "package": "gcc-16", "version": "16-20260208-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 08 Feb 2026 11:23:36 +0100" }, { "cves": [], "log": [ "", " * Ignore dh_shlibdeps failure for libcc1 for now.", "" ], "package": "gcc-16", "version": "16-20260207-2", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 07 Feb 2026 17:11:49 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260207).", " * Update sh4 LRA patches (Adrian Glaubitz). Closes: #1126958.", " * Build again gnat cross compiler for sh4.", " * Update libcc1 and libgphobos symbols files.", "" ], "package": "gcc-16", "version": "16-20260207-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 07 Feb 2026 11:25:14 +0100" }, { "cves": [], "log": [ "", " * Merge with Debian; remaining changes:", " - Build from upstream sources.", " - Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20260203-2ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 03 Feb 2026 17:10:34 +0100" }, { "cves": [], "log": [ "", " * Apply proposed patch for PR d/123953, fixing ftbfs on ppc64le.", "" ], "package": "gcc-16", "version": "16-20260203-2", "urgency": "medium", "distributions": "expperimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 03 Feb 2026 16:45:07 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260203).", " * Update newlib to 4.6.0.20260123.", " * Allow configuring libxml2 include and lib directories.", " * Build-depend on libxml2-source for the cross builds, and generate", " Built-Using for libgcobol built using libxml2-source.", " * Update libga68 and libgcobol symbols files.", " * d/tests/control: Update dependencies for 16 (Michael R. Crusoe).", " Closes: #1126131.", " * Add again build dependency on python3-check-jsonschema, needed for tests.", " * Fix D #22463: SOURCE_DATE_EPOCH parsing incorrectly affected by system", " timezone. Addresses: #1126512.", " * Add the results of the usage-wrapper into the binary packages.", " * Require 6GB memory/CPU for Ubuntu/riscv64 builds. Failing builds without", " build logs.", " * Refresh patches.", " * Update libgphobos7 symbols file for amd64.", "" ], "package": "gcc-16", "version": "16-20260203-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 03 Feb 2026 12:04:58 +0100" }, { "cves": [], "log": [ "", " * Merge with Debian; remaining changes:", " - Build from upstream sources.", " - Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20260119-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Mon, 19 Jan 2026 10:32:42 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260119).", " * lib*gcc-N-dev: Install lib{atomic,gcc_s}_asneeded linker scripts.", " * Import updated sanitizer symbols files from GCC 15.", " * Enable PAC/BTI/GCS on arm64 for libgfortran (Emanuele Rocca).", " Closes: #1123084.", " * Don't complain about missing gccrs and gcobc man pages.", "" ], "package": "gcc-16", "version": "16-20260119-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Mon, 19 Jan 2026 10:29:59 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251214).", " * Log the available disk space for the build.", " * Disable cobol for cross builds for now. Requires a libxml2 build", " for the target.", " * Build liblsan and libtsan on s390x.", " * Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20251214-0ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 14 Dec 2025 09:21:28 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251210).", "" ], "package": "gcc-16", "version": "16-20251210-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Wed, 10 Dec 2025 12:17:05 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251210).", " * Don't rely on python3-check-jsonschema for testing, still having", " unpackaged dependencies.", " * Disable profiled build on powerpc for now.", "" ], "package": "gcc-16", "version": "16-20251210-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Wed, 10 Dec 2025 12:13:23 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251202).", "" ], "package": "gcc-16", "version": "16-20251202-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 02 Dec 2025 16:55:42 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251202).", " * Install Algol-68 upstream changelogs.", " * d/NEWS.html: Update for 16, the test file NEWS.gcc is still for 15.", " * d/p/ada-tv_nsec-size.diff: Update for 16. Upstream status?", " * d/copyright*: Update download locations.", " * Override so wrong lintian error about size of Binary field length.", " * Disabled profiled build on i386, see PR ada/122934.", " * Update libhwasan, liblsan, libtsan and libubsan symbols files.", "" ], "package": "gcc-16", "version": "16-20251202-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 02 Dec 2025 16:51:01 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251130).", "" ], "package": "gcc-16", "version": "16-20251130-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 30 Nov 2025 22:33:13 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251130).", " * Build using amdgcn-tools-21 instead of -19.", " * Update build dependencies for gcobol.", " * Disable profiled build on armhf. See PR target/121821, PR target/122815.", " * Update libga68, libgfortran, libgomp and libstdc++ symbols files.", " * Explicitly bump the libgphobos soname.", " * Refresh patches.", " * Fix some lintian warnings, override some more.", "" ], "package": "gcc-16", "version": "16-20251130-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 30 Nov 2025 15:14:37 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251123).", "" ], "package": "gcc-16", "version": "16-20251123-1ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 23 Nov 2025 12:49:38 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20251123).", " * Build using amdgcn-tools-21 instead of -19.", "" ], "package": "gcc-16", "version": "16-20251123-1", "urgency": "medium", "distributions": "UNRELEASED", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 23 Nov 2025 08:54:26 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libuuid1:s390x", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu2", "version": "2.41.2-4ubuntu2" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu3", "version": "2.41.2-4ubuntu3" }, "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overread with 256-byte usernames", " - debian/patches/CVE-2025-14104-1.patch: add length check in", " login-utils/setpwnam.c.", " - debian/patches/CVE-2025-14104-2.patch: update buflen in", " login-utils/setpwnam.c.", " - CVE-2025-14104", "" ], "package": "util-linux", "version": "2.41.2-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 09 Jan 2026 10:49:15 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libx11-6:s390x", "from_version": { "source_package_name": "libx11", "source_package_version": "2:1.8.12-1build1", "version": "2:1.8.12-1build1" }, "to_version": { "source_package_name": "libx11", "source_package_version": "2:1.8.12-1build2", "version": "2:1.8.12-1build2" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "libx11", "version": "2:1.8.12-1build2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:44:17 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libx11-data", "from_version": { "source_package_name": "libx11", "source_package_version": "2:1.8.12-1build1", "version": "2:1.8.12-1build1" }, "to_version": { "source_package_name": "libx11", "source_package_version": "2:1.8.12-1build2", "version": "2:1.8.12-1build2" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "libx11", "version": "2:1.8.12-1build2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:44:17 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libxtables12:s390x", "from_version": { "source_package_name": "iptables", "source_package_version": "1.8.11-2ubuntu2", "version": "1.8.11-2ubuntu2" }, "to_version": { "source_package_name": "iptables", "source_package_version": "1.8.11-2ubuntu3", "version": "1.8.11-2ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "iptables", "version": "1.8.11-2ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:26:26 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libyaml-0-2:s390x", "from_version": { "source_package_name": "libyaml", "source_package_version": "0.2.5-2build2", "version": "0.2.5-2build2" }, "to_version": { "source_package_name": "libyaml", "source_package_version": "0.2.5-2build3", "version": "0.2.5-2build3" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "libyaml", "version": "0.2.5-2build3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:45:09 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-base", "from_version": { "source_package_name": "linux-base", "source_package_version": "4.14ubuntu2", "version": "4.14ubuntu2" }, "to_version": { "source_package_name": "linux-base", "source_package_version": "4.15ubuntu3", "version": "4.15ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 1877088, 1929255, 1928700, 1867820, 1881338, 1932582, 2018128, 2098735 ], "changes": [ { "cves": [], "log": [ "", " * d/linux-base.links: Add new linux-firmware links.", "" ], "package": "linux-base", "version": "4.15ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Juerg Haefliger ", "date": "Fri, 13 Feb 2026 09:01:21 +0100" }, { "cves": [], "log": [ "", " * d/linux-base.links: Add new links for Resolute.", "" ], "package": "linux-base", "version": "4.15ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Juerg Haefliger ", "date": "Wed, 11 Feb 2026 07:56:18 +0100" }, { "cves": [], "log": [ "", " * Merge from Debian unstable. Remaining changes:", " - Default to link_in_boot by default, on all architectures.", " - Add kernel postinst hook to update initrd softlinks to match the kernel", " version targets (LP: #1877088, #1929255).", " - Check for update-initramfs being installed before running the postinst", " hook which updates the softlinks (LP: #1928700).", " - Add linux-base-sgx package with SGX udev rules (LP: #1867820, #1881338,", " #1932582).", " - Add Apport package hook and links for kernel packages (LP: #2018128,", " #2098735).", " - Change package maintainer to Ubuntu Kernel Team.", " - Fix linux-base-sgx lintian warnings and add overrides.", "" ], "package": "linux-base", "version": "4.15ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1877088, 1929255, 1928700, 1867820, 1881338, 1932582, 2018128, 2098735 ], "author": "Juerg Haefliger ", "date": "Mon, 09 Feb 2026 11:34:35 +0100" }, { "cves": [], "log": [ "", " * linux-run-hooks(1): Fix description of the first argument", " * linux-run-hooks: Use compatible hook dir names for headers packages", " (Closes: #1121366)", " * Add Chinese debconf template translations (Yangfl) (Closes: #1124409)", "" ], "package": "linux-base", "version": "4.15", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ben Hutchings ", "date": "Thu, 08 Jan 2026 19:41:14 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-sysctl-defaults", "from_version": { "source_package_name": "linux-base", "source_package_version": "4.14ubuntu2", "version": "4.14ubuntu2" }, "to_version": { "source_package_name": "linux-base", "source_package_version": "4.15ubuntu3", "version": "4.15ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 1877088, 1929255, 1928700, 1867820, 1881338, 1932582, 2018128, 2098735 ], "changes": [ { "cves": [], "log": [ "", " * d/linux-base.links: Add new linux-firmware links.", "" ], "package": "linux-base", "version": "4.15ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Juerg Haefliger ", "date": "Fri, 13 Feb 2026 09:01:21 +0100" }, { "cves": [], "log": [ "", " * d/linux-base.links: Add new links for Resolute.", "" ], "package": "linux-base", "version": "4.15ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Juerg Haefliger ", "date": "Wed, 11 Feb 2026 07:56:18 +0100" }, { "cves": [], "log": [ "", " * Merge from Debian unstable. Remaining changes:", " - Default to link_in_boot by default, on all architectures.", " - Add kernel postinst hook to update initrd softlinks to match the kernel", " version targets (LP: #1877088, #1929255).", " - Check for update-initramfs being installed before running the postinst", " hook which updates the softlinks (LP: #1928700).", " - Add linux-base-sgx package with SGX udev rules (LP: #1867820, #1881338,", " #1932582).", " - Add Apport package hook and links for kernel packages (LP: #2018128,", " #2098735).", " - Change package maintainer to Ubuntu Kernel Team.", " - Fix linux-base-sgx lintian warnings and add overrides.", "" ], "package": "linux-base", "version": "4.15ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1877088, 1929255, 1928700, 1867820, 1881338, 1932582, 2018128, 2098735 ], "author": "Juerg Haefliger ", "date": "Mon, 09 Feb 2026 11:34:35 +0100" }, { "cves": [], "log": [ "", " * linux-run-hooks(1): Fix description of the first argument", " * linux-run-hooks: Use compatible hook dir names for headers packages", " (Closes: #1121366)", " * Add Chinese debconf template translations (Yangfl) (Closes: #1124409)", "" ], "package": "linux-base", "version": "4.15", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Ben Hutchings ", "date": "Thu, 08 Jan 2026 19:41:14 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "locales", "from_version": { "source_package_name": "glibc", "source_package_version": "2.42-2ubuntu4", "version": "2.42-2ubuntu4" }, "to_version": { "source_package_name": "glibc", "source_package_version": "2.42-2ubuntu5", "version": "2.42-2ubuntu5" }, "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15281", "url": "https://ubuntu.com/security/CVE-2025-15281", "cve_description": "Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.", "cve_priority": "medium", "cve_public_date": "2026-01-20 14:16:00 UTC" }, { "cve": "CVE-2026-0861", "url": "https://ubuntu.com/security/CVE-2026-0861", "cve_description": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.", "cve_priority": "medium", "cve_public_date": "2026-01-14 21:15:00 UTC" }, { "cve": "CVE-2026-0915", "url": "https://ubuntu.com/security/CVE-2026-0915", "cve_description": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.", "cve_priority": "medium", "cve_public_date": "2026-01-15 22:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: use-after-free in wordexp_t fields", " - debian/patches/CVE-2025-15281.patch: posix: Reset wordexp_t fields", " with WRDE_REUSE", " - CVE-2025-15281", " * SECURITY UPDATE: integer overflow in memalign", " - debian/patches/CVE-2026-0861.patch: memalign: reinstate alignment", " overflow check", " - CVE-2026-0861", " * SECURITY UPDATE: memory leak in NSS DNS", " - debian/patches/CVE-2026-0915.patch: resolv: Fix NSS DNS backend for", " getnetbyaddr", " - CVE-2026-0915", "" ], "package": "glibc", "version": "2.42-2ubuntu5", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Nishit Majithia ", "date": "Fri, 30 Jan 2026 14:27:46 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "login", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu2", "version": "1:4.16.0-2+really2.41.2-4ubuntu2" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu3", "version": "1:4.16.0-2+really2.41.2-4ubuntu3" }, "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overread with 256-byte usernames", " - debian/patches/CVE-2025-14104-1.patch: add length check in", " login-utils/setpwnam.c.", " - debian/patches/CVE-2025-14104-2.patch: update buflen in", " login-utils/setpwnam.c.", " - CVE-2025-14104", "" ], "package": "util-linux", "version": "2.41.2-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 09 Jan 2026 10:49:15 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "login.defs", "from_version": { "source_package_name": "shadow", "source_package_version": "1:4.17.4-2ubuntu2", "version": "1:4.17.4-2ubuntu2" }, "to_version": { "source_package_name": "shadow", "source_package_version": "1:4.17.4-2ubuntu3", "version": "1:4.17.4-2ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "shadow", "version": "1:4.17.4-2ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:45:24 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "manpages", "from_version": { "source_package_name": "manpages", "source_package_version": "6.16-1build1", "version": "6.16-1build1" }, "to_version": { "source_package_name": "manpages", "source_package_version": "6.17-1", "version": "6.17-1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * New upstream version 6.17", " - Refresh patches", " - Add 0BSD to known licenses", " * Update Standards-Version to 4.7.3", " * Replace FSF postal address with their website", " * Update lintian overrides", " * Fix lintian warnings", " - missing-license-paragraph-in-dep5-copyright", " - space-in-std-shortname-in-dep5-copyright", " * Update d/copyright", "" ], "package": "manpages", "version": "6.17-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Dr. Tobias Quathamer ", "date": "Wed, 11 Feb 2026 22:31:51 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "mdadm", "from_version": { "source_package_name": "mdadm", "source_package_version": "4.4-11ubuntu2", "version": "4.4-11ubuntu2" }, "to_version": { "source_package_name": "mdadm", "source_package_version": "4.4-11ubuntu3", "version": "4.4-11ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "mdadm", "version": "4.4-11ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:27:16 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "mount", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu2", "version": "2.41.2-4ubuntu2" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu3", "version": "2.41.2-4ubuntu3" }, "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overread with 256-byte usernames", " - debian/patches/CVE-2025-14104-1.patch: add length check in", " login-utils/setpwnam.c.", " - debian/patches/CVE-2025-14104-2.patch: update buflen in", " login-utils/setpwnam.c.", " - CVE-2025-14104", "" ], "package": "util-linux", "version": "2.41.2-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 09 Jan 2026 10:49:15 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "nano", "from_version": { "source_package_name": "nano", "source_package_version": "8.7-1", "version": "8.7-1" }, "to_version": { "source_package_name": "nano", "source_package_version": "8.7.1-1", "version": "8.7.1-1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * The \"Yellow Line\" release.", " * New upstream release.", " * Drop redundant Priority field for source package.", "" ], "package": "nano", "version": "8.7.1-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Jordi Mallach ", "date": "Sun, 08 Feb 2026 23:29:41 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "numactl", "from_version": { "source_package_name": "numactl", "source_package_version": "2.0.19-1", "version": "2.0.19-1" }, "to_version": { "source_package_name": "numactl", "source_package_version": "2.0.19-1build1", "version": "2.0.19-1build1" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "numactl", "version": "2.0.19-1build1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:31:08 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "open-iscsi", "from_version": { "source_package_name": "open-iscsi", "source_package_version": "2.1.11-3ubuntu1", "version": "2.1.11-3ubuntu1" }, "to_version": { "source_package_name": "open-iscsi", "source_package_version": "2.1.11-3ubuntu2", "version": "2.1.11-3ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2139084 ], "changes": [ { "cves": [], "log": [ "", " * Resize cloud image used for testing to avoid out-of-space errors", " (LP: #2139084):", " - d/t/test-open-iscsi.py: increase the size of the downloaded image", " - d/t/control: add cloud-guest-utils to dependencies due to", " growpart", "" ], "package": "open-iscsi", "version": "2.1.11-3ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2139084 ], "author": "Andreas Hasenack ", "date": "Wed, 28 Jan 2026 10:50:31 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "overlayroot", "from_version": { "source_package_name": "cloud-initramfs-tools", "source_package_version": "0.50", "version": "0.50" }, "to_version": { "source_package_name": "cloud-initramfs-tools", "source_package_version": "0.51", "version": "0.51" }, "cves": [], "launchpad_bugs_fixed": [ 2125790, 2125790 ], "changes": [ { "cves": [], "log": [ "", " * Add autopkgtest to test copymods with dracut", " * overlayroot: support dracut overlayfs as alternative (LP: #2125790)", " * rooturl: support dracut livenet as alternative (LP: #2125790)", "" ], "package": "cloud-initramfs-tools", "version": "0.51", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2125790, 2125790 ], "author": "Benjamin Drung ", "date": "Tue, 10 Feb 2026 16:23:59 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "passwd", "from_version": { "source_package_name": "shadow", "source_package_version": "1:4.17.4-2ubuntu2", "version": "1:4.17.4-2ubuntu2" }, "to_version": { "source_package_name": "shadow", "source_package_version": "1:4.17.4-2ubuntu3", "version": "1:4.17.4-2ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "shadow", "version": "1:4.17.4-2ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:45:24 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "pci.ids", "from_version": { "source_package_name": "pci.ids", "source_package_version": "0.0~2026.01.31-1", "version": "0.0~2026.01.31-1" }, "to_version": { "source_package_name": "pci.ids", "source_package_version": "0.0~2026.02.12-1", "version": "0.0~2026.02.12-1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * New upstream release.", "" ], "package": "pci.ids", "version": "0.0~2026.02.12-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Guillem Jover ", "date": "Thu, 12 Feb 2026 23:14:59 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "polkitd", "from_version": { "source_package_name": "policykit-1", "source_package_version": "127-1", "version": "127-1" }, "to_version": { "source_package_name": "policykit-1", "source_package_version": "127-2", "version": "127-2" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " [ Andrew Bower ]", " * Fix #1125142 for systems without systemd-sysv installed", "", " [ Luca Boccassi ]", " * Drop priority from d/control, now defaults to optional", " * Bump Standards-version to 4.7.3", " * Set the reboot-required flag when upgrading from << 127 (Closes:", " #1125141)", "" ], "package": "policykit-1", "version": "127-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Luca Boccassi ", "date": "Mon, 09 Feb 2026 14:37:46 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "psmisc", "from_version": { "source_package_name": "psmisc", "source_package_version": "23.7-2ubuntu1", "version": "23.7-2ubuntu1" }, "to_version": { "source_package_name": "psmisc", "source_package_version": "23.7-2ubuntu2", "version": "23.7-2ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "psmisc", "version": "23.7-2ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:37:01 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-distupgrade", "from_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.7", "version": "1:26.04.7" }, "to_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.8", "version": "1:26.04.8" }, "cves": [], "launchpad_bugs_fixed": [ 2120280, 2130699 ], "changes": [ { "cves": [], "log": [ "", " * DistUpgrade:", " - update links in release announcements (LP: #2120280)", " - improve lang. in release announcements (LP: #2130699)", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.8", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2120280, 2130699 ], "author": "Robert Kratky ", "date": "Wed, 11 Feb 2026 15:46:27 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-json-pointer", "from_version": { "source_package_name": "python-json-pointer", "source_package_version": "2.4-3build1", "version": "2.4-3build1" }, "to_version": { "source_package_name": "python-json-pointer", "source_package_version": "2.4-4", "version": "2.4-4" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "python-json-pointer", "version": "2.4-3build1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Sat, 06 Dec 2025 11:53:29 +0100" } ], "notes": null, "is_version_downgrade": true }, { "name": "python3-jsonpatch", "from_version": { "source_package_name": "python-json-patch", "source_package_version": "1.32-5build1", "version": "1.32-5build1" }, "to_version": { "source_package_name": "python-json-patch", "source_package_version": "1.32-6", "version": "1.32-6" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "python-json-patch", "version": "1.32-5build1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Sat, 06 Dec 2025 11:53:24 +0100" } ], "notes": null, "is_version_downgrade": true }, { "name": "python3-update-manager", "from_version": { "source_package_name": "update-manager", "source_package_version": "1:26.04.1", "version": "1:26.04.1" }, "to_version": { "source_package_name": "update-manager", "source_package_version": "1:26.04.2", "version": "1:26.04.2" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Remove software-properties-gtk from Recommends", " - It is being dropped for 26.04 (LP: 2140527)", "" ], "package": "update-manager", "version": "1:26.04.2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Charles ", "date": "Mon, 09 Feb 2026 09:07:08 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.13", "from_version": { "source_package_name": "python3.13", "source_package_version": "3.13.11-1", "version": "3.13.11-1" }, "to_version": { "source_package_name": "python3.13", "source_package_version": "3.13.12-1", "version": "3.13.12-1" }, "cves": [ { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-1299", "url": "https://ubuntu.com/security/CVE-2026-1299", "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".", "cve_priority": "medium", "cve_public_date": "2026-01-23 17:16:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-1299", "url": "https://ubuntu.com/security/CVE-2026-1299", "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".", "cve_priority": "medium", "cve_public_date": "2026-01-23 17:16:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * Python 3.13.12.", " - Ensures that Element & Attr instances have the ownerDocument", " attribute. Closes: #1122875", " - Reject control characters in wsgiref.headers.Headers. Closes: #1126740,", " CVE-2026-0865.", " - email: verify headers are sound in BytesGenerator. Closes: #1126745,", " CVE-2026-1299.", " - Reject control characters in http cookies. Closes: #1126762,", " CVE-2026-0672.", " - Reject control characters in data: URL mediatype. Closes: #1126780,", " CVE-2025-15282.", " - email: Preserve parens when folding comments. Closes: #1126787,", " CVE-2025-11468.", " * Refresh patches.", " * Drop m68k patch, merged upstream.", " * Drop -Os from CFLAGS for sh4. Closes: #1122045", " * Patch: Handle missing _pyrepl in _sitebuiltins under python3.13-minimal.", "" ], "package": "python3.13", "version": "3.13.12-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Stefano Rivera ", "date": "Wed, 04 Feb 2026 11:06:39 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.13-gdbm", "from_version": { "source_package_name": "python3.13", "source_package_version": "3.13.11-1", "version": "3.13.11-1" }, "to_version": { "source_package_name": "python3.13", "source_package_version": "3.13.12-1", "version": "3.13.12-1" }, "cves": [ { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-1299", "url": "https://ubuntu.com/security/CVE-2026-1299", "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".", "cve_priority": "medium", "cve_public_date": "2026-01-23 17:16:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-1299", "url": "https://ubuntu.com/security/CVE-2026-1299", "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".", "cve_priority": "medium", "cve_public_date": "2026-01-23 17:16:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * Python 3.13.12.", " - Ensures that Element & Attr instances have the ownerDocument", " attribute. Closes: #1122875", " - Reject control characters in wsgiref.headers.Headers. Closes: #1126740,", " CVE-2026-0865.", " - email: verify headers are sound in BytesGenerator. Closes: #1126745,", " CVE-2026-1299.", " - Reject control characters in http cookies. Closes: #1126762,", " CVE-2026-0672.", " - Reject control characters in data: URL mediatype. Closes: #1126780,", " CVE-2025-15282.", " - email: Preserve parens when folding comments. Closes: #1126787,", " CVE-2025-11468.", " * Refresh patches.", " * Drop m68k patch, merged upstream.", " * Drop -Os from CFLAGS for sh4. Closes: #1122045", " * Patch: Handle missing _pyrepl in _sitebuiltins under python3.13-minimal.", "" ], "package": "python3.13", "version": "3.13.12-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Stefano Rivera ", "date": "Wed, 04 Feb 2026 11:06:39 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.13-minimal", "from_version": { "source_package_name": "python3.13", "source_package_version": "3.13.11-1", "version": "3.13.11-1" }, "to_version": { "source_package_name": "python3.13", "source_package_version": "3.13.12-1", "version": "3.13.12-1" }, "cves": [ { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-1299", "url": "https://ubuntu.com/security/CVE-2026-1299", "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".", "cve_priority": "medium", "cve_public_date": "2026-01-23 17:16:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-1299", "url": "https://ubuntu.com/security/CVE-2026-1299", "cve_description": "The email module, specifically the \"BytesGenerator\" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using \"LiteralHeader\" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in \"BytesGenerator\".", "cve_priority": "medium", "cve_public_date": "2026-01-23 17:16:00 UTC" }, { "cve": "CVE-2026-0672", "url": "https://ubuntu.com/security/CVE-2026-0672", "cve_description": "When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15282", "url": "https://ubuntu.com/security/CVE-2025-15282", "cve_description": "User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-11468", "url": "https://ubuntu.com/security/CVE-2025-11468", "cve_description": "When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * Python 3.13.12.", " - Ensures that Element & Attr instances have the ownerDocument", " attribute. Closes: #1122875", " - Reject control characters in wsgiref.headers.Headers. Closes: #1126740,", " CVE-2026-0865.", " - email: verify headers are sound in BytesGenerator. Closes: #1126745,", " CVE-2026-1299.", " - Reject control characters in http cookies. Closes: #1126762,", " CVE-2026-0672.", " - Reject control characters in data: URL mediatype. Closes: #1126780,", " CVE-2025-15282.", " - email: Preserve parens when folding comments. Closes: #1126787,", " CVE-2025-11468.", " * Refresh patches.", " * Drop m68k patch, merged upstream.", " * Drop -Os from CFLAGS for sh4. Closes: #1122045", " * Patch: Handle missing _pyrepl in _sitebuiltins under python3.13-minimal.", "" ], "package": "python3.13", "version": "3.13.12-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Stefano Rivera ", "date": "Wed, 04 Feb 2026 11:06:39 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "rsyslog", "from_version": { "source_package_name": "rsyslog", "source_package_version": "8.2512.0-1ubuntu2", "version": "8.2512.0-1ubuntu2" }, "to_version": { "source_package_name": "rsyslog", "source_package_version": "8.2512.0-1ubuntu3", "version": "8.2512.0-1ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2139209 ], "changes": [ { "cves": [], "log": [ "", " * d/rsyslog.install: usr-merge dmesg.service (LP: #2139209)", "" ], "package": "rsyslog", "version": "8.2512.0-1ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2139209 ], "author": "Simon Poirier ", "date": "Fri, 23 Jan 2026 15:34:00 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "rust-coreutils", "from_version": { "source_package_name": "rust-coreutils", "source_package_version": "0.5.0-0ubuntu2", "version": "0.5.0-0ubuntu2" }, "to_version": { "source_package_name": "rust-coreutils", "source_package_version": "0.6.0-0ubuntu1", "version": "0.6.0-0ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [ 2139697, 2138315, 2138217, 2134578, 2133156, 2132941, 2132245, 2132150, 2130859, 2130843, 2130396, 2127851, 2125943, 2125504, 2122166, 2117771 ], "changes": [ { "cves": [], "log": [ "", " * New usptream version (LP: #2139697)", " * Fixes:", " - comm does not work as expected with process substitution (LP: #2138315)", " - git: FTBFS in Resolute (LP: #2138217)", " - tee with multiple --append fails in rust corutils (LP: #2134578)", " - echo 1 | sort | head -n0: sort: write failed: 'standard output':", " Broken pipe (LP: #2133156)", " - env: Rust unwrap with UTF-8 symbols in environment variables", " (LP: #2132941)", " - \"du\" is double-counting hard links when multiple arguments specified", " (LP: #2132245)", " - dd: O_DIRECT partial block writes fail (LP: #2132150)", " - date does not support localized output (LP: #2130859)", " - SSH sessions blocked on unavailable automounts by default in Ubuntu 25.10", " (LP: #2130843)", " - rust-coreutils 'shred' refuses to write to a device (LP: #2130396)", " - rust-coreutils stats handling breaks wireguard's wg-quick (LP: #2127851)", " - rust-coreutils:dd: Broken pipe (LP: #2125943)", " - /usr/bin/sort: -k option does not behave as GNU's sort (LP: #2125504)", " - uutils wc crashed with SIGABRT on logout (LP: #2122166)", " - who, pinky are empty - need to talk to logind (LP: #2117771)", " * Drop applied patches:", " - use-mem-zeroed.diff: The timespec C-binding struct has been replaced", " by the safe abstraction nix::sys::time::TimeSpec. Padding should now", " be handled internally for 32-bit architectures.", " * Refresh patches:", " - Tweak-release-build-profile.patch", " - build-stty.patch", " - dd-ensure-full-writes.patch", " - fix-prefix.diff", " - glibc-2.42.patch", " - require-utilities-to-be-invoked-using-matching-path.patch", " - use-l10n-translations-in-makefile.patch", " - workspace-exclude.patch", " * Add patch:", " - prevent-stty-termios2-on-ppc64el.patch: The termios2 header is not", " always available or exposed on ppc64el systems. Use the standard termios", " interface instead to avoid build failures on such systems.", " * Skip failing tests:", " (s390x)", " - test_env::test_simulation_of_terminal_for_stdout_only", " - test_nohup::test_nohup_stderr_to_stdout", " - test_nohup::test_nohup_with_pseudo_terminal_emulation_on_stdin_stdout_stderr_get_replaced", " - test_touch::test_touch_changes_time_of_file_in_stdout", " (amd64v3)", " - test_dd::test_stdin_stdout_skip_w_multiplier", " * Re-enable previously failing tests:", " - test_chown::test_chown_only_group_id_nonexistent_group", " - test_chown::test_chown_only_user_id_nonexistent_user", " - test_expr::test_long_input", " - test_factor::test_parallel", " - test_install::test_install_and_strip", " - test_install::test_install_and_strip_with_program", " - test_ls::test_device_number", " - test_ls::test_localized_possible_values", " - test_od::test_od_options_after_filename", " - test_od::test_suppress_duplicates", " - test_sort::", " + test_argument_suggestion", " + test_clap_localization_help_message", " + test_clap_localization_invalid_value", " + test_clap_localization_unknown_argument", " + test_error_colors_disabled", " + test_error_colors_enabled", " + test_french_translations", " + test_help_colors_disabled", " + test_help_colors_enabled", " - test_stat::", " + test_mount_point_basic", " + test_mount_point_combined_with_other_specifiers", " + test_multi_files", " + test_normal_format", " + test_printf", " + test_symlinks", " + test_terse_fs_format", " - test_error_messages_french_translation", " - test_french_colored_error_messages", " - test_help_messages_french_translation", " - util_invalid_name_invalid_command", "" ], "package": "rust-coreutils", "version": "0.6.0-0ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2139697, 2138315, 2138217, 2134578, 2133156, 2132941, 2132245, 2132150, 2130859, 2130843, 2130396, 2127851, 2125943, 2125504, 2122166, 2117771 ], "author": "Simon Johnsson ", "date": "Tue, 03 Feb 2026 17:53:04 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "screen", "from_version": { "source_package_name": "screen", "source_package_version": "4.9.1-3ubuntu1", "version": "4.9.1-3ubuntu1" }, "to_version": { "source_package_name": "screen", "source_package_version": "4.9.1-3ubuntu2", "version": "4.9.1-3ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "screen", "version": "4.9.1-3ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 09 Feb 2026 23:45:34 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "sudo", "from_version": { "source_package_name": "sudo", "source_package_version": "1.9.17p2-1ubuntu1", "version": "1.9.17p2-1ubuntu1" }, "to_version": { "source_package_name": "sudo", "source_package_version": "1.9.17p2-1ubuntu2", "version": "1.9.17p2-1ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2113927 ], "changes": [ { "cves": [], "log": [ "", " * Remove debian/etc/ and add sudo-common as dependency (LP: #2113927)", "" ], "package": "sudo", "version": "1.9.17p2-1ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2113927 ], "author": "Simon Johnsson ", "date": "Fri, 17 Oct 2025 16:18:39 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "sudo-rs", "from_version": { "source_package_name": "rust-sudo-rs", "source_package_version": "0.2.10-1ubuntu1", "version": "0.2.10-1ubuntu1" }, "to_version": { "source_package_name": "rust-sudo-rs", "source_package_version": "0.2.10-1ubuntu2", "version": "0.2.10-1ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2113927, 2129168 ], "changes": [ { "cves": [], "log": [ "", " * Replace dependency sudo with sudo-common (LP: #2113927)", " * Add Apport package hook (LP: #2129168)", "" ], "package": "rust-sudo-rs", "version": "0.2.10-1ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2113927, 2129168 ], "author": "Simon Johnsson ", "date": "Fri, 17 Oct 2025 17:15:13 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "tnftp", "from_version": { "source_package_name": "tnftp", "source_package_version": "20230507-2build4", "version": "20230507-2build4" }, "to_version": { "source_package_name": "tnftp", "source_package_version": "20260211-1", "version": "20260211-1" }, "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "tnftp", "version": "20230507-2build4", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 01 Dec 2025 15:26:42 +0100" }, { "cves": [], "log": [ "", " * No change rebuild against libssl3t64.", "" ], "package": "tnftp", "version": "20230507-2build3", "urgency": "high", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Julian Andres Klode ", "date": "Mon, 08 Apr 2024 16:50:55 +0200" }, { "cves": [ { "cve": "CVE-2024-3094", "url": "https://ubuntu.com/security/CVE-2024-3094", "cve_description": "Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.", "cve_priority": "critical", "cve_public_date": "2024-03-29 17:15:00 UTC" } ], "log": [ "", " * No-change rebuild for CVE-2024-3094", "" ], "package": "tnftp", "version": "20230507-2build2", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Steve Langasek ", "date": "Sun, 31 Mar 2024 00:15:20 +0000" }, { "cves": [], "log": [ "", " * No-change rebuild against libssl3t64", "" ], "package": "tnftp", "version": "20230507-2build1", "urgency": "medium", "distributions": "noble", "launchpad_bugs_fixed": [], "author": "Steve Langasek ", "date": "Tue, 05 Mar 2024 02:06:05 +0000" } ], "notes": null, "is_version_downgrade": true }, { "name": "ubuntu-kernel-accessories", "from_version": { "source_package_name": "ubuntu-meta", "source_package_version": "1.564", "version": "1.564" }, "to_version": { "source_package_name": "ubuntu-meta", "source_package_version": "1.565", "version": "1.565" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Refreshed dependencies", " * Added software-properties-common to desktop, desktop-minimal,", " desktop-raspi", " * Removed software-properties-gtk from desktop, desktop-minimal,", " desktop-raspi", "" ], "package": "ubuntu-meta", "version": "1.565", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Julian Andres Klode ", "date": "Mon, 09 Feb 2026 21:23:57 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "ubuntu-minimal", "from_version": { "source_package_name": "ubuntu-meta", "source_package_version": "1.564", "version": "1.564" }, "to_version": { "source_package_name": "ubuntu-meta", "source_package_version": "1.565", "version": "1.565" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Refreshed dependencies", " * Added software-properties-common to desktop, desktop-minimal,", " desktop-raspi", " * Removed software-properties-gtk from desktop, desktop-minimal,", " desktop-raspi", "" ], "package": "ubuntu-meta", "version": "1.565", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Julian Andres Klode ", "date": "Mon, 09 Feb 2026 21:23:57 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "ubuntu-release-upgrader-core", "from_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.7", "version": "1:26.04.7" }, "to_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.8", "version": "1:26.04.8" }, "cves": [], "launchpad_bugs_fixed": [ 2120280, 2130699 ], "changes": [ { "cves": [], "log": [ "", " * DistUpgrade:", " - update links in release announcements (LP: #2120280)", " - improve lang. in release announcements (LP: #2130699)", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.8", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2120280, 2130699 ], "author": "Robert Kratky ", "date": "Wed, 11 Feb 2026 15:46:27 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "ubuntu-server", "from_version": { "source_package_name": "ubuntu-meta", "source_package_version": "1.564", "version": "1.564" }, "to_version": { "source_package_name": "ubuntu-meta", "source_package_version": "1.565", "version": "1.565" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Refreshed dependencies", " * Added software-properties-common to desktop, desktop-minimal,", " desktop-raspi", " * Removed software-properties-gtk from desktop, desktop-minimal,", " desktop-raspi", "" ], "package": "ubuntu-meta", "version": "1.565", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Julian Andres Klode ", "date": "Mon, 09 Feb 2026 21:23:57 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "ubuntu-standard", "from_version": { "source_package_name": "ubuntu-meta", "source_package_version": "1.564", "version": "1.564" }, "to_version": { "source_package_name": "ubuntu-meta", "source_package_version": "1.565", "version": "1.565" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Refreshed dependencies", " * Added software-properties-common to desktop, desktop-minimal,", " desktop-raspi", " * Removed software-properties-gtk from desktop, desktop-minimal,", " desktop-raspi", "" ], "package": "ubuntu-meta", "version": "1.565", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Julian Andres Klode ", "date": "Mon, 09 Feb 2026 21:23:57 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "update-manager-core", "from_version": { "source_package_name": "update-manager", "source_package_version": "1:26.04.1", "version": "1:26.04.1" }, "to_version": { "source_package_name": "update-manager", "source_package_version": "1:26.04.2", "version": "1:26.04.2" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Remove software-properties-gtk from Recommends", " - It is being dropped for 26.04 (LP: 2140527)", "" ], "package": "update-manager", "version": "1:26.04.2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Charles ", "date": "Mon, 09 Feb 2026 09:07:08 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "update-notifier-common", "from_version": { "source_package_name": "update-notifier", "source_package_version": "3.203", "version": "3.203" }, "to_version": { "source_package_name": "update-notifier", "source_package_version": "3.205", "version": "3.205" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Fix pyflakes and pycodestyle warnings", "" ], "package": "update-notifier", "version": "3.205", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Julian Andres Klode ", "date": "Tue, 10 Feb 2026 11:25:37 +0100" }, { "cves": [], "log": [ "", " [ Charles ]", " * d/control: Drop recommendation of software-properties-gtk", " * d/control: Depend on ubuntu-advantage-desktop-daemon", "", " [ Julian Andres Klode ]", " * apckage-data-downloader: Fix resource leak warnings from Python", " * test_package-data-downloader.py: Backdate instead of sleep", "" ], "package": "update-notifier", "version": "3.204", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Julian Andres Klode ", "date": "Mon, 09 Feb 2026 21:19:33 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "util-linux", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu2", "version": "2.41.2-4ubuntu2" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu3", "version": "2.41.2-4ubuntu3" }, "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overread with 256-byte usernames", " - debian/patches/CVE-2025-14104-1.patch: add length check in", " login-utils/setpwnam.c.", " - debian/patches/CVE-2025-14104-2.patch: update buflen in", " login-utils/setpwnam.c.", " - CVE-2025-14104", "" ], "package": "util-linux", "version": "2.41.2-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 09 Jan 2026 10:49:15 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "util-linux-extra", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu2", "version": "2.41.2-4ubuntu2" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu3", "version": "2.41.2-4ubuntu3" }, "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overread with 256-byte usernames", " - debian/patches/CVE-2025-14104-1.patch: add length check in", " login-utils/setpwnam.c.", " - debian/patches/CVE-2025-14104-2.patch: update buflen in", " login-utils/setpwnam.c.", " - CVE-2025-14104", "" ], "package": "util-linux", "version": "2.41.2-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 09 Jan 2026 10:49:15 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "uuid-runtime", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu2", "version": "2.41.2-4ubuntu2" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.41.2-4ubuntu3", "version": "2.41.2-4ubuntu3" }, "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-14104", "url": "https://ubuntu.com/security/CVE-2025-14104", "cve_description": "A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the `setpwnam()` function, affecting SUID (Set User ID) login-utils utilities writing to the password database.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overread with 256-byte usernames", " - debian/patches/CVE-2025-14104-1.patch: add length check in", " login-utils/setpwnam.c.", " - debian/patches/CVE-2025-14104-2.patch: update buflen in", " login-utils/setpwnam.c.", " - CVE-2025-14104", "" ], "package": "util-linux", "version": "2.41.2-4ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 09 Jan 2026 10:49:15 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "wget", "from_version": { "source_package_name": "wget", "source_package_version": "1.25.0-2ubuntu3", "version": "1.25.0-2ubuntu3" }, "to_version": { "source_package_name": "wget", "source_package_version": "1.25.0-2ubuntu4", "version": "1.25.0-2ubuntu4" }, "cves": [], "launchpad_bugs_fixed": [ 2132257 ], "changes": [ { "cves": [], "log": [ "", " * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)", "" ], "package": "wget", "version": "1.25.0-2ubuntu4", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2132257 ], "author": "Sebastien Bacher ", "date": "Mon, 02 Feb 2026 21:52:17 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "zlib1g:s390x", "from_version": { "source_package_name": "zlib", "source_package_version": "1:1.3.dfsg+really1.3.1-1ubuntu2", "version": "1:1.3.dfsg+really1.3.1-1ubuntu2" }, "to_version": { "source_package_name": "zlib", "source_package_version": "1:1.3.dfsg+really1.3.1-1ubuntu3", "version": "1:1.3.dfsg+really1.3.1-1ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * No-change rebuild to drop sframe v2 section.", "" ], "package": "zlib", "version": "1:1.3.dfsg+really1.3.1-1ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Fri, 23 Jan 2026 12:24:48 +0100" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [ { "name": "gcc-16-base:s390x", "from_version": { "source_package_name": null, "source_package_version": null, "version": null }, "to_version": { "source_package_name": "gcc-16", "source_package_version": "16-20260210-0ubuntu1", "version": "16-20260210-0ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260210).", " * Fix build when building without common libraries.", "" ], "package": "gcc-16", "version": "16-20260210-0ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Tue, 10 Feb 2026 01:42:25 +0100" }, { "cves": [], "log": [ "", " * Merge with Debian; remaining changes:", " - Build from upstream sources.", " - Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20260208-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 08 Feb 2026 13:09:34 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260208).", "" ], "package": "gcc-16", "version": "16-20260208-1", "urgency": "medium", "distributions": "experimental", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 08 Feb 2026 11:23:36 +0100" } ], "notes": "For a newly added package only the three most recent changelog entries are shown.", "is_version_downgrade": false }, { "name": "sudo-common", "from_version": { "source_package_name": null, "source_package_version": null, "version": null }, "to_version": { "source_package_name": "sudo-common", "source_package_version": "1.2ubuntu", "version": "1.2ubuntu" }, "cves": [], "launchpad_bugs_fixed": [ 2139333, 2139292, 2113927 ], "changes": [ { "cves": [], "log": [ "", " * Add autopkgtests for configuration files (LP: #2139333)", "" ], "package": "sudo-common", "version": "1.2ubuntu", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2139333 ], "author": "Simon Johnsson ", "date": "Thu, 29 Jan 2026 10:41:22 +0100" }, { "cves": [], "log": [ "", " * Fix debian/etc installation to debian/etc/* (LP: #2139292)", "" ], "package": "sudo-common", "version": "1.1ubuntu", "urgency": "high", "distributions": "resolute", "launchpad_bugs_fixed": [ 2139292 ], "author": "Simon Johnsson ", "date": "Wed, 28 Jan 2026 15:48:28 +0100" }, { "cves": [], "log": [ "", " * Initial release (LP: #2113927)", "" ], "package": "sudo-common", "version": "1.0ubuntu", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2113927 ], "author": "Simon Johnsson ", "date": "Fri, 17 Oct 2025 11:33:17 +0200" } ], "notes": "For a newly added package only the three most recent changelog entries are shown.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 26.04 resolute image from daily image serial 20260209 to 20260215", "from_series": "resolute", "to_series": "resolute", "from_serial": "20260209", "to_serial": "20260215", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }