{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-image-7.0.0-13-generic", "linux-main-modules-zfs-7.0.0-13-generic", "linux-modules-7.0.0-13-generic" ], "removed": [ "linux-image-7.0.0-10-generic", "linux-modules-7.0.0-10-generic" ], "diff": [ "amd64-microcode", "apparmor", "apport", "apport-core-dump-handler", "apt", "ca-certificates", "coreutils", "coreutils-from-uutils", "dpkg", "fuse3", "gcc-16-base", "intel-microcode", "iproute2", "libapparmor1", "libapt-pkg7.0", "libatomic1", "libcap2", "libcap2-bin", "libcbor0.10", "libffi8", "libfuse3-4", "libgcc-s1", "liblzma5", "libnetplan1", "libpam-systemd", "libpng16-16t64", "libpython3-stdlib", "libpython3.14-minimal", "libpython3.14-stdlib", "libssl3t64", "libstdc++6", "libsystemd-shared", "libsystemd0", "libtirpc-common", "libtirpc3t64", "libudev1", "linux-base", "linux-image-virtual", "netplan-generator", "netplan.io", "openssl", "openssl-provider-legacy", "pollinate", "python3", "python3-apport", "python3-cryptography", "python3-distupgrade", "python3-gi", "python3-jwt", "python3-minimal", "python3-netplan", "python3-problem-report", "python3-rpds-py", "python3.14", "python3.14-minimal", "systemd", "systemd-resolved", "systemd-sysv", "tzdata", "ubuntu-release-upgrader-core", "udev", "unattended-upgrades", "xxd", "xz-utils" ] } }, "diff": { "deb": [ { "name": "amd64-microcode", "from_version": { "source_package_name": "amd64-microcode", "source_package_version": "3.20251202.1ubuntu1", "version": "3.20251202.1ubuntu1" }, "to_version": { "source_package_name": "amd64-microcode", "source_package_version": "3.20251202.1ubuntu2", "version": "3.20251202.1ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2142775 ], "changes": [ { "cves": [], "log": [ "", " * Recommend dracut over initramfs-tools (LP: #2142775)", "" ], "package": "amd64-microcode", "version": "3.20251202.1ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2142775 ], "author": "Benjamin Drung ", "date": "Thu, 09 Apr 2026 18:59:22 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "apparmor", "from_version": { "source_package_name": "apparmor", "source_package_version": "5.0.0~beta1-0ubuntu5", "version": "5.0.0~beta1-0ubuntu5" }, "to_version": { "source_package_name": "apparmor", "source_package_version": "5.0.0~beta1-0ubuntu6", "version": "5.0.0~beta1-0ubuntu6" }, "cves": [], "launchpad_bugs_fixed": [ 2143810, 2145628, 2139339, 2144896, 2146980, 2147031 ], "changes": [ { "cves": [], "log": [ "", " * d/p/u/openvpn_networkmanager_rundir.patch: fix the previous attempt to", " patch the openvpn profile (LP: #2143810)", " * Add patch to fix disconnected paths in unix-chkpwd with pkexec", " (LP: #2145628):", " - d/p/u/unix-chkpwd-add-disconnected-run-paths.patch", " * Add patch to fix list of allowed ghostscript extensions (LP: #2139339):", " - d/p/u/profiles-add-extensions-to-allowed-ghostscript.patch", " * Add patch to expand allowed ghostscript locations (LP: #2144896):", " - d/p/u/profiles-expand-the-allowed-directories-for-ghostscript.patch", " * Add patch for capabilities needed by OpenVPN DCO (LP: #2146980):", " - d/p/u/openvpn-fix-dco.patch", " * Add patch for transparent huge page support detection (LP: #2147031):", " - d/p/u/profiles-add-sys-kernel-mm-transparent_hugepage-enable.patch", "" ], "package": "apparmor", "version": "5.0.0~beta1-0ubuntu6", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2143810, 2145628, 2139339, 2144896, 2146980, 2147031 ], "author": "Ryan Lee ", "date": "Tue, 31 Mar 2026 10:52:03 -0700" } ], "notes": null, "is_version_downgrade": false }, { "name": "apport", "from_version": { "source_package_name": "apport", "source_package_version": "2.33.1-0ubuntu7", "version": "2.33.1-0ubuntu7" }, "to_version": { "source_package_name": "apport", "source_package_version": "2.34.0-0ubuntu2", "version": "2.34.0-0ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2148184, 2147545, 2145810, 2139266 ], "changes": [ { "cves": [], "log": [ "", " * fix Default-to-Ubuntu-crash-DB.patch to default to ubuntu again", " (LP: #2148184)", "" ], "package": "apport", "version": "2.34.0-0ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2148184 ], "author": "Benjamin Drung ", "date": "Mon, 13 Apr 2026 13:51:00 +0200" }, { "cves": [], "log": [ "", " * New upstream release (LP: #2147545)", " - fix broken `DEVLINKS` property after anonymizing udevdb (LP: #2145810)", " * Drop patches applied upstream and refresh remaining patches", " * test: check Python code in debian/package-hooks if present", " * Add Pre-Depends to apport-core-dump-handler", " * Update debian/watch to version 5", " * Bump Standards-Version to 4.7.4", " * Remove redundant Priority: optional and Rules-Requires-Root: no", " * autopkgtest:", " - run system UI tests separately", " - split tests that need Internet access into system-tests-internet", " * apport: depend on python3-systemd when using systemd-coredump (LP: #2139266)", "" ], "package": "apport", "version": "2.34.0-0ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2147545, 2145810, 2139266 ], "author": "Benjamin Drung ", "date": "Fri, 10 Apr 2026 00:46:39 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "apport-core-dump-handler", "from_version": { "source_package_name": "apport", "source_package_version": "2.33.1-0ubuntu7", "version": "2.33.1-0ubuntu7" }, "to_version": { "source_package_name": "apport", "source_package_version": "2.34.0-0ubuntu2", "version": "2.34.0-0ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2148184, 2147545, 2145810, 2139266 ], "changes": [ { "cves": [], "log": [ "", " * fix Default-to-Ubuntu-crash-DB.patch to default to ubuntu again", " (LP: #2148184)", "" ], "package": "apport", "version": "2.34.0-0ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2148184 ], "author": "Benjamin Drung ", "date": "Mon, 13 Apr 2026 13:51:00 +0200" }, { "cves": [], "log": [ "", " * New upstream release (LP: #2147545)", " - fix broken `DEVLINKS` property after anonymizing udevdb (LP: #2145810)", " * Drop patches applied upstream and refresh remaining patches", " * test: check Python code in debian/package-hooks if present", " * Add Pre-Depends to apport-core-dump-handler", " * Update debian/watch to version 5", " * Bump Standards-Version to 4.7.4", " * Remove redundant Priority: optional and Rules-Requires-Root: no", " * autopkgtest:", " - run system UI tests separately", " - split tests that need Internet access into system-tests-internet", " * apport: depend on python3-systemd when using systemd-coredump (LP: #2139266)", "" ], "package": "apport", "version": "2.34.0-0ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2147545, 2145810, 2139266 ], "author": "Benjamin Drung ", "date": "Fri, 10 Apr 2026 00:46:39 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "apt", "from_version": { "source_package_name": "apt", "source_package_version": "3.1.16", "version": "3.1.16" }, "to_version": { "source_package_name": "apt", "source_package_version": "3.2.0", "version": "3.2.0" }, "cves": [], "launchpad_bugs_fixed": [ 2147412 ], "changes": [ { "cves": [], "log": [ "", " [ Julian Andres Klode ]", " * Release 3.2.0 stable release (LP: #2147412)", " * Copyright changes", " * Document inhibitors (see Bug#112933)", "", " [ Frans Spiesschaert ]", " * Dutch program translation update (Closes: #1120336)", " * Dutch manpages translation update (Closes: #1120338)", "", " [ Américo Monteiro ]", " * Portuguese manpages translation update (Closes: #1119827)", " * Portuguese program translation update (Closes: #1127086)", "" ], "package": "apt", "version": "3.2.0", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [ 2147412 ], "author": "Julian Andres Klode ", "date": "Tue, 07 Apr 2026 11:02:39 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "ca-certificates", "from_version": { "source_package_name": "ca-certificates", "source_package_version": "20250419build1", "version": "20250419build1" }, "to_version": { "source_package_name": "ca-certificates", "source_package_version": "20260223", "version": "20260223" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Update Mozilla certificate authority bundle to version 2.82", " The following certificate authorities were added (+):", " + TrustAsia TLS ECC Root CA", " + TrustAsia TLS RSA Root CA", " + SwissSign RSA TLS Root CA 2022 - 1", " + OISTE Server Root ECC G1", " + OISTE Server Root RSA G1", " The following certificate authorities were removed (-):", " - GlobalSign Root CA", " - Entrust.net Premium 2048 Secure Server CA", " - Baltimore CyberTrust Root (closes: #1121936)", " - Comodo AAA Services root", " - XRamp Global CA Root", " - Go Daddy Class 2 CA", " - Starfield Class 2 CA", " - CommScope Public Trust ECC Root-01", " - CommScope Public Trust ECC Root-02", " - CommScope Public Trust RSA Root-01", " - CommScope Public Trust RSA Root-02", " * Use dh_usrlocal to create /usr/local/share/ca-certificates", " (closes: #1127100)", "" ], "package": "ca-certificates", "version": "20260223", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Julien Cristau ", "date": "Mon, 23 Feb 2026 17:46:55 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "coreutils", "from_version": { "source_package_name": "coreutils-from", "source_package_version": "0.0.0~ubuntu24", "version": "9.5-1ubuntu2+0.0.0~ubuntu24" }, "to_version": { "source_package_name": "coreutils-from", "source_package_version": "0.0.0~ubuntu25", "version": "9.5-1ubuntu2+0.0.0~ubuntu25" }, "cves": [], "launchpad_bugs_fixed": [ 2146312, 2127231, 2137443 ], "changes": [ { "cves": [], "log": [ "", " * uutils:", " - Reinstate chown and chmod links (LP: #2146312).", " - Remove b3sum (LP: #2127231).", " * d/control: Add libdigest-sha3-perl << 1.05-1ubuntu3 to Break and", " replace to accommodate the bug fix for LP: #2137443.", " " ], "package": "coreutils-from", "version": "0.0.0~ubuntu25", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2146312, 2127231, 2137443 ], "author": "Varun Varma ", "date": "Mon, 30 Mar 2026 12:50:24 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "coreutils-from-uutils", "from_version": { "source_package_name": "coreutils-from", "source_package_version": "0.0.0~ubuntu24", "version": "0.0.0~ubuntu24" }, "to_version": { "source_package_name": "coreutils-from", "source_package_version": "0.0.0~ubuntu25", "version": "0.0.0~ubuntu25" }, "cves": [], "launchpad_bugs_fixed": [ 2146312, 2127231, 2137443 ], "changes": [ { "cves": [], "log": [ "", " * uutils:", " - Reinstate chown and chmod links (LP: #2146312).", " - Remove b3sum (LP: #2127231).", " * d/control: Add libdigest-sha3-perl << 1.05-1ubuntu3 to Break and", " replace to accommodate the bug fix for LP: #2137443.", " " ], "package": "coreutils-from", "version": "0.0.0~ubuntu25", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2146312, 2127231, 2137443 ], "author": "Varun Varma ", "date": "Mon, 30 Mar 2026 12:50:24 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "dpkg", "from_version": { "source_package_name": "dpkg", "source_package_version": "1.23.6ubuntu2", "version": "1.23.6ubuntu2" }, "to_version": { "source_package_name": "dpkg", "source_package_version": "1.23.7ubuntu1", "version": "1.23.7ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [ 2070015 ], "changes": [ { "cves": [], "log": [ "", " * Merge with Debian; remaining changes:", " - Change native source version/format mismatch errors into warnings", " until the dust settles on Debian bug 737634 about override options.", " - Add DPKG_UNTRANSLATED_MESSAGES environment check so that higher-level", " tools can get untranslated dpkg terminal log messages while at the", " same time having translated debconf prompts.", " - Map unqualified package names of multiarch-same packages to the native", " arch instead of throwing an error, so that we don't break on upgrade", " when there are unqualified names stored in the dpkg trigger database.", " - Apply a workaround from mvo to consider ^rc packages as multiarch,", " during the dpkg consistency checks. (see LP: 1015567 and 1057367).", " - dpkg-gencontrol: Fix Package-Type override handling for ddeb support.", " - scripts/Dpkg/Vendor/Ubuntu.pm, scripts/dpkg-buildpackage.pl: set", " 'nocheck' in build options by default on Ubuntu/riscv64. Overridable", " in debian/rules with", " 'DEB_BUILD_OPTIONS := $(filter-out nocheck,$(DEB_BUILD_OPTIONS))'.", " - dpkg-dev: Depend on lto-disabled-list.", " - dpkg-buildflags: Read package source names from lto-disabled-list,", " to build without lto optimizations. When adding a source package to the", " list, please also file a launchpad issue and tag it with 'lto'.", " - scripts/Dpkg/Vendor/Ubuntu.pm: set 'noudeb' build profile by", " default. Override this by exporting DEB_BUILD_PROFILE='!noudeb' which", " will be stripped, and thus building with udebs.", " - build: Switch default dpkg-deb compression from xz to zstd.", " Keep compressing dpkg.deb with xz to help bootstrapping on non-Ubuntu", " systems.", " - set default zstd compression level to 19", " - scripts/Dpkg/Vendor/Debian.pm: Always include \"-fdebug-prefix-map\"", " to build flags. Map path to \"/usr/src/PKGNAME-PKGVER\" instead of", " \".\", honouring the DWARF standard which prohibits relative paths", " in DW_AT_comp_dir.", " - scripts/{mk/buildflags.mk,t.mk}: Add support for DEB_BUILD_DEBUGPATH.", " - man/dpkg-buildflags.pod: Document new behaviour of \"fdebugmap\" and", " new DEB_BUILD_DEBUGPATH variable.", " - Disable -fstack-clash-protection on armhf since it causes crashes", " - dpkg-buildflags: Add a new feature \"framepointer\" in the \"qa\" area.", " - Turn on the use of frame pointers by default on 64bit architectures.", " - Update _FORTIFY_SOURCE documentation.", " - Update Dpkg_BuildFlags test case.", " - Fix debian/rules duplicate invocations of dh_builddeb", " - lib/dpkg/compress.c: clean up override of the default zstd compression", " level", " - dpkg-buildflags: Explicitly turn off hardening flags when requested.", " - Export environment variables DEB_BUILD_OS_RELEASE_ID, DEB_HOST_ARCH,", " DEB_SOURCE, and DEB_VERSION when including buildflags.mk (LP: #2070015)", " - buildflags: document RUSTFLAGS", " - buildflags: Always set RUSTFLAGS", " - tests: avoid failing under DEB_VENDOR != Debian", " - dpkg-buildflags: enable ELF package note metadata", " - buildflags: set origin of env vars for ELF package metadata", " - Export ELF_PACKAGE_METADATA for a build. Picked up by GCC and clang.", " Passing -specs explicitly can be dropped in a follow-up upload.", " - dpkg-buildflags: set RUSTFLAGS to influence the command line flags cargo", " will pass to rustc, and set the flags to include framepointers when the", " framepointer feature of the qa area is enabled.", " - Disable framepointer on ppc64el.", " - Disable framepointer on s390x, leaving only -mbackchain.", " - Add a note about different behaviour of dpkg-buildflags with respect to", " LTO on Ubuntu.", " - dpkg-buildpackage: Construct ELF_PACKAGE_METADATA, and set in the", " environment if not already set. This setting is picked up by", " GCC and clang, passing a --package-metadata option the the linker.", " - Stop passing --specs for metadata information. It's too fragile", " and only works for GCC. Also introduces a lot of packaging delta.", " - Stop defaulting to -O3 on amd64.", " - dpkg-dev: Still prefer gnupg and gpgv over sq.", " Introduce architecture variants (thanks to mwhudson for the rebase)", " - scripts/dpkg-gencentrol.pl: fix operator precedence.", " - Copy across the architecture variant (LP #2128606)", " - Drop unused elf-package-metadata specs files", " - dpkg-buildflags: set --package-metadata directly in LDFLAGS, and still", " set ELF_PACKAGE_METADATA in the environment.", " - Include architecture variant in ELF package metadata (LP #2131806)", " - Set a derivative.ubuntu build profile by default.", "" ], "package": "dpkg", "version": "1.23.7ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2070015 ], "author": "Matthias Klose ", "date": "Tue, 31 Mar 2026 16:52:44 +0200" }, { "cves": [], "log": [ "", " [ Guillem Jover ]", " * dpkg-deb: Remove ancient code to handle buggy old .deb format variants.", " * Perl modules:", " - Dpkg::Source::Package::V1: Do not print source root on modified files", " list.", " - Dpkg::Source::Package::V1: Fix building from within the source tree.", "" ], "package": "dpkg", "version": "1.23.7", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Guillem Jover ", "date": "Sat, 07 Mar 2026 00:41:13 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "fuse3", "from_version": { "source_package_name": "fuse3", "source_package_version": "3.18.1-1", "version": "3.18.1-1" }, "to_version": { "source_package_name": "fuse3", "source_package_version": "3.18.2-1", "version": "3.18.2-1" }, "cves": [ { "cve": "CVE-2026-33150", "url": "https://ubuntu.com/security/CVE-2026-33150", "cve_description": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.", "cve_priority": "medium", "cve_public_date": "2026-03-20 21:17:00 UTC" }, { "cve": "CVE-2026-33179", "url": "https://ubuntu.com/security/CVE-2026-33179", "cve_description": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.", "cve_priority": "medium", "cve_public_date": "2026-03-20 21:17:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-33150", "url": "https://ubuntu.com/security/CVE-2026-33150", "cve_description": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.", "cve_priority": "medium", "cve_public_date": "2026-03-20 21:17:00 UTC" }, { "cve": "CVE-2026-33179", "url": "https://ubuntu.com/security/CVE-2026-33179", "cve_description": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.", "cve_priority": "medium", "cve_public_date": "2026-03-20 21:17:00 UTC" } ], "log": [ "", " * New upstream release:", " - fixes CVE-2026-33150, use-after-free vulnerability in the io_uring", " subsystem,", " - fixes CVE-2026-33179, NULL pointer dereference and memory leak in", " fuse_uring_init_queue() .", "" ], "package": "fuse3", "version": "3.18.2-1", "urgency": "high", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Laszlo Boszormenyi (GCS) ", "date": "Sat, 21 Mar 2026 08:16:43 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "gcc-16-base", "from_version": { "source_package_name": "gcc-16", "source_package_version": "16-20260315-1ubuntu1", "version": "16-20260315-1ubuntu1" }, "to_version": { "source_package_name": "gcc-16", "source_package_version": "16-20260322-1ubuntu1", "version": "16-20260322-1ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Merge with Debian; remaining changes:", " - Build from upstream sources.", " - Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20260322-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 22 Mar 2026 09:31:44 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260322).", " - Fix PR target/123852 (SH), bootstrap on sh4.", " - ga68: add missing symbols to libga68/ga68.map. Closes: #1130580.", " * Update sh-bootstrap-compare patch (Adrian Glaubitz). Closes: #1130857.", " * For backports, require at least GCC 11 for the bootstrap.", "" ], "package": "gcc-16", "version": "16-20260322-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 22 Mar 2026 09:29:00 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "intel-microcode", "from_version": { "source_package_name": "intel-microcode", "source_package_version": "3.20260210.1ubuntu1", "version": "3.20260210.1ubuntu1" }, "to_version": { "source_package_name": "intel-microcode", "source_package_version": "3.20260210.1ubuntu2", "version": "3.20260210.1ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2142775 ], "changes": [ { "cves": [], "log": [ "", " * Recommend dracut over initramfs-tools (LP: #2142775)", " * debian/tests/initramfs: drop Ubuntu location patch", "" ], "package": "intel-microcode", "version": "3.20260210.1ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2142775 ], "author": "Benjamin Drung ", "date": "Thu, 09 Apr 2026 19:16:17 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "iproute2", "from_version": { "source_package_name": "iproute2", "source_package_version": "6.18.0-1ubuntu1", "version": "6.18.0-1ubuntu1" }, "to_version": { "source_package_name": "iproute2", "source_package_version": "6.19.0-1ubuntu1", "version": "6.19.0-1ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Rebased on top of debian/sid (6.19). Remaining changes:", " - Ubuntu FAN support", "" ], "package": "iproute2", "version": "6.19.0-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Stefan Bader ", "date": "Wed, 25 Mar 2026 15:26:24 +0100" }, { "cves": [], "log": [ "", " * Stop using dh-sequence-movetousr and manually move files in dh_install", " (Closes: #1122756)", " * Update upstream source from tag 'upstream/6.19.0'", " * Drop priority from d/control, now defaults to optional", " * Drop Rules-Requires-Root, now defaults to no", " * Bump Standards-version to 4.7.3", " * Install new dpll tool", "" ], "package": "iproute2", "version": "6.19.0-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Luca Boccassi ", "date": "Mon, 23 Feb 2026 00:01:28 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "libapparmor1", "from_version": { "source_package_name": "apparmor", "source_package_version": "5.0.0~beta1-0ubuntu5", "version": "5.0.0~beta1-0ubuntu5" }, "to_version": { "source_package_name": "apparmor", "source_package_version": "5.0.0~beta1-0ubuntu6", "version": "5.0.0~beta1-0ubuntu6" }, "cves": [], "launchpad_bugs_fixed": [ 2143810, 2145628, 2139339, 2144896, 2146980, 2147031 ], "changes": [ { "cves": [], "log": [ "", " * d/p/u/openvpn_networkmanager_rundir.patch: fix the previous attempt to", " patch the openvpn profile (LP: #2143810)", " * Add patch to fix disconnected paths in unix-chkpwd with pkexec", " (LP: #2145628):", " - d/p/u/unix-chkpwd-add-disconnected-run-paths.patch", " * Add patch to fix list of allowed ghostscript extensions (LP: #2139339):", " - d/p/u/profiles-add-extensions-to-allowed-ghostscript.patch", " * Add patch to expand allowed ghostscript locations (LP: #2144896):", " - d/p/u/profiles-expand-the-allowed-directories-for-ghostscript.patch", " * Add patch for capabilities needed by OpenVPN DCO (LP: #2146980):", " - d/p/u/openvpn-fix-dco.patch", " * Add patch for transparent huge page support detection (LP: #2147031):", " - d/p/u/profiles-add-sys-kernel-mm-transparent_hugepage-enable.patch", "" ], "package": "apparmor", "version": "5.0.0~beta1-0ubuntu6", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2143810, 2145628, 2139339, 2144896, 2146980, 2147031 ], "author": "Ryan Lee ", "date": "Tue, 31 Mar 2026 10:52:03 -0700" } ], "notes": null, "is_version_downgrade": false }, { "name": "libapt-pkg7.0", "from_version": { "source_package_name": "apt", "source_package_version": "3.1.16", "version": "3.1.16" }, "to_version": { "source_package_name": "apt", "source_package_version": "3.2.0", "version": "3.2.0" }, "cves": [], "launchpad_bugs_fixed": [ 2147412 ], "changes": [ { "cves": [], "log": [ "", " [ Julian Andres Klode ]", " * Release 3.2.0 stable release (LP: #2147412)", " * Copyright changes", " * Document inhibitors (see Bug#112933)", "", " [ Frans Spiesschaert ]", " * Dutch program translation update (Closes: #1120336)", " * Dutch manpages translation update (Closes: #1120338)", "", " [ Américo Monteiro ]", " * Portuguese manpages translation update (Closes: #1119827)", " * Portuguese program translation update (Closes: #1127086)", "" ], "package": "apt", "version": "3.2.0", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [ 2147412 ], "author": "Julian Andres Klode ", "date": "Tue, 07 Apr 2026 11:02:39 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "libatomic1", "from_version": { "source_package_name": "gcc-16", "source_package_version": "16-20260315-1ubuntu1", "version": "16-20260315-1ubuntu1" }, "to_version": { "source_package_name": "gcc-16", "source_package_version": "16-20260322-1ubuntu1", "version": "16-20260322-1ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Merge with Debian; remaining changes:", " - Build from upstream sources.", " - Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20260322-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 22 Mar 2026 09:31:44 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260322).", " - Fix PR target/123852 (SH), bootstrap on sh4.", " - ga68: add missing symbols to libga68/ga68.map. Closes: #1130580.", " * Update sh-bootstrap-compare patch (Adrian Glaubitz). Closes: #1130857.", " * For backports, require at least GCC 11 for the bootstrap.", "" ], "package": "gcc-16", "version": "16-20260322-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 22 Mar 2026 09:29:00 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libcap2", "from_version": { "source_package_name": "libcap2", "source_package_version": "1:2.75-10ubuntu1", "version": "1:2.75-10ubuntu1" }, "to_version": { "source_package_name": "libcap2", "source_package_version": "1:2.75-10ubuntu2", "version": "1:2.75-10ubuntu2" }, "cves": [ { "cve": "CVE-2026-4878", "url": "https://ubuntu.com/security/CVE-2026-4878", "cve_description": "[Address a potential TOCTOU race condition in cap_set_file()]", "cve_priority": "medium", "cve_public_date": "2026-04-07" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-4878", "url": "https://ubuntu.com/security/CVE-2026-4878", "cve_description": "[Address a potential TOCTOU race condition in cap_set_file()]", "cve_priority": "medium", "cve_public_date": "2026-04-07" } ], "log": [ "", " * SECURITY UPDATE: potential TOCTOU race condition in cap_set_file()", " - debian/patches/CVE-2026-4878.patch: fix race in libcap/cap_file.c,", " progs/quicktest.sh.", " - CVE-2026-4878", "" ], "package": "libcap2", "version": "1:2.75-10ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 09 Apr 2026 11:02:30 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libcap2-bin", "from_version": { "source_package_name": "libcap2", "source_package_version": "1:2.75-10ubuntu1", "version": "1:2.75-10ubuntu1" }, "to_version": { "source_package_name": "libcap2", "source_package_version": "1:2.75-10ubuntu2", "version": "1:2.75-10ubuntu2" }, "cves": [ { "cve": "CVE-2026-4878", "url": "https://ubuntu.com/security/CVE-2026-4878", "cve_description": "[Address a potential TOCTOU race condition in cap_set_file()]", "cve_priority": "medium", "cve_public_date": "2026-04-07" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-4878", "url": "https://ubuntu.com/security/CVE-2026-4878", "cve_description": "[Address a potential TOCTOU race condition in cap_set_file()]", "cve_priority": "medium", "cve_public_date": "2026-04-07" } ], "log": [ "", " * SECURITY UPDATE: potential TOCTOU race condition in cap_set_file()", " - debian/patches/CVE-2026-4878.patch: fix race in libcap/cap_file.c,", " progs/quicktest.sh.", " - CVE-2026-4878", "" ], "package": "libcap2", "version": "1:2.75-10ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 09 Apr 2026 11:02:30 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libcbor0.10", "from_version": { "source_package_name": "libcbor", "source_package_version": "0.10.2-2ubuntu2", "version": "0.10.2-2ubuntu2" }, "to_version": { "source_package_name": "libcbor", "source_package_version": "0.10.2-2ubuntu3", "version": "0.10.2-2ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2146890 ], "changes": [ { "cves": [], "log": [ "", " * d/p/0001-Set-cmake_minimum_required-to-3.5.patch:", " - cherry pick build fix from Debian (lp: #2146890)", "" ], "package": "libcbor", "version": "0.10.2-2ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2146890 ], "author": "Sebastien Bacher ", "date": "Tue, 07 Apr 2026 12:18:05 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "libffi8", "from_version": { "source_package_name": "libffi", "source_package_version": "3.5.2-3", "version": "3.5.2-3" }, "to_version": { "source_package_name": "libffi", "source_package_version": "3.5.2-4", "version": "3.5.2-4" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump standards version.", "" ], "package": "libffi", "version": "3.5.2-4", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Fri, 27 Mar 2026 09:26:38 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libfuse3-4", "from_version": { "source_package_name": "fuse3", "source_package_version": "3.18.1-1", "version": "3.18.1-1" }, "to_version": { "source_package_name": "fuse3", "source_package_version": "3.18.2-1", "version": "3.18.2-1" }, "cves": [ { "cve": "CVE-2026-33150", "url": "https://ubuntu.com/security/CVE-2026-33150", "cve_description": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.", "cve_priority": "medium", "cve_public_date": "2026-03-20 21:17:00 UTC" }, { "cve": "CVE-2026-33179", "url": "https://ubuntu.com/security/CVE-2026-33179", "cve_description": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.", "cve_priority": "medium", "cve_public_date": "2026-03-20 21:17:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-33150", "url": "https://ubuntu.com/security/CVE-2026-33150", "cve_description": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a use-after-free vulnerability in the io_uring subsystem of libfuse allows a local attacker to crash FUSE filesystem processes and potentially execute arbitrary code. When io_uring thread creation fails due to resource exhaustion (e.g., cgroup pids.max), fuse_uring_start() frees the ring pool structure but stores the dangling pointer in the session state, leading to a use-after-free when the session shuts down. The trigger is reliable in containerized environments where cgroup pids.max limits naturally constrain thread creation. This issue has been patched in version 3.18.2.", "cve_priority": "medium", "cve_public_date": "2026-03-20 21:17:00 UTC" }, { "cve": "CVE-2026-33179", "url": "https://ubuntu.com/security/CVE-2026-33179", "cve_description": "libfuse is the reference implementation of the Linux FUSE. From version 3.18.0 to before version 3.18.2, a NULL pointer dereference and memory leak in fuse_uring_init_queue allows a local user to crash the FUSE daemon or cause resource exhaustion. When numa_alloc_local fails during io_uring queue entry setup, the code proceeds with NULL pointers. When fuse_uring_register_queue fails, NUMA allocations are leaked and the function incorrectly returns success. Only the io_uring transport is affected; the traditional /dev/fuse path is not affected. PoC confirmed with AddressSanitizer/LeakSanitizer. This issue has been patched in version 3.18.2.", "cve_priority": "medium", "cve_public_date": "2026-03-20 21:17:00 UTC" } ], "log": [ "", " * New upstream release:", " - fixes CVE-2026-33150, use-after-free vulnerability in the io_uring", " subsystem,", " - fixes CVE-2026-33179, NULL pointer dereference and memory leak in", " fuse_uring_init_queue() .", "" ], "package": "fuse3", "version": "3.18.2-1", "urgency": "high", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Laszlo Boszormenyi (GCS) ", "date": "Sat, 21 Mar 2026 08:16:43 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libgcc-s1", "from_version": { "source_package_name": "gcc-16", "source_package_version": "16-20260315-1ubuntu1", "version": "16-20260315-1ubuntu1" }, "to_version": { "source_package_name": "gcc-16", "source_package_version": "16-20260322-1ubuntu1", "version": "16-20260322-1ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Merge with Debian; remaining changes:", " - Build from upstream sources.", " - Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20260322-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 22 Mar 2026 09:31:44 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260322).", " - Fix PR target/123852 (SH), bootstrap on sh4.", " - ga68: add missing symbols to libga68/ga68.map. Closes: #1130580.", " * Update sh-bootstrap-compare patch (Adrian Glaubitz). Closes: #1130857.", " * For backports, require at least GCC 11 for the bootstrap.", "" ], "package": "gcc-16", "version": "16-20260322-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 22 Mar 2026 09:29:00 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "liblzma5", "from_version": { "source_package_name": "xz-utils", "source_package_version": "5.8.2-2", "version": "5.8.2-2" }, "to_version": { "source_package_name": "xz-utils", "source_package_version": "5.8.3-1", "version": "5.8.3-1" }, "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "log": [ "", " * Import 5.8.3", " - Includes security fix for CVE-2026-34743, for which upstream states it’s", " likely that this bug cannot be triggered in any real-world application,", " see https://tukaani.org/xz/index-append-overflow.html (Closes: #1132497)", " - Autotools: Enable 32-bit x86 assembler on Hurd by default", " - New man pages in Arabic", "" ], "package": "xz-utils", "version": "5.8.3-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Otto Kekäläinen ", "date": "Wed, 01 Apr 2026 00:00:00 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "libnetplan1", "from_version": { "source_package_name": "netplan.io", "source_package_version": "1.2-1ubuntu3", "version": "1.2-1ubuntu3" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "1.2-1ubuntu5", "version": "1.2-1ubuntu5" }, "cves": [], "launchpad_bugs_fixed": [ 2145061, 2147446, 2071747 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2145061-wpa-supplicant-requires-netplan-configure.patch: add", " Requires=/After= dependency on netplan-configure.service to wpa supplicant", " units. (LP: #2145061)", " * d/p/lp2147446-state-label-DHCPv4-using-networkd-ConfigSource.patch: use", " networkd to apply dhcp labels to addresses (LP: #2147446).", " * d/p/tests-only-consider-netplan-generated-files.patch: skip checking file", " permissions for files not managed by netplan in integration tests.", "" ], "package": "netplan.io", "version": "1.2-1ubuntu5", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2145061, 2147446 ], "author": "Guilherme Puida Moreira ", "date": "Wed, 08 Apr 2026 16:47:32 -0300" }, { "cves": [], "log": [ "", " * d/p/lp2071747-unresolvable-network-cycle.patch: fix network ordering cycle", " (LP: #2071747)", "" ], "package": "netplan.io", "version": "1.2-1ubuntu4", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2071747 ], "author": "Guilherme Puida Moreira ", "date": "Fri, 20 Mar 2026 16:09:27 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpam-systemd", "from_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu1", "version": "259.5-0ubuntu1" }, "to_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu2", "version": "259.5-0ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "changes": [ { "cves": [], "log": [ "", " * Fix handling of VMADDR_CID_ANY in a couple places (LP: #2145027)", " - ssh-proxy: return an error if user supplies VMADDR_CID_ANY", " - socket-util: filter out VMADDR_CID_ANY in vsock_get_local_cid()", " * network-generator: support BOOTIF= and rd.bootif=0 options (LP: #2141588)", " * tmpfiles: remove duplicate /run/lock definition (LP: #2146544)", "" ], "package": "systemd", "version": "259.5-0ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "author": "Nick Rosbrook ", "date": "Thu, 02 Apr 2026 08:31:45 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpng16-16t64", "from_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.55-1", "version": "1.6.55-1" }, "to_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.57-1", "version": "1.6.57-1" }, "cves": [ { "cve": "CVE-2026-34757", "url": "https://ubuntu.com/security/CVE-2026-34757", "cve_description": "[Use-after-free in `png_set_PLTE`, `png_set_tRNS` and `png_set_hIST` leading to corrupted chunk data and potential heap information disclosure]", "cve_priority": "medium", "cve_public_date": "2026-04-09" }, { "cve": "CVE-2026-33416", "url": "https://ubuntu.com/security/CVE-2026-33416", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.", "cve_priority": "medium", "cve_public_date": "2026-03-26 17:16:00 UTC" }, { "cve": "CVE-2026-33636", "url": "https://ubuntu.com/security/CVE-2026-33636", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.", "cve_priority": "medium", "cve_public_date": "2026-03-26 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34757", "url": "https://ubuntu.com/security/CVE-2026-34757", "cve_description": "[Use-after-free in `png_set_PLTE`, `png_set_tRNS` and `png_set_hIST` leading to corrupted chunk data and potential heap information disclosure]", "cve_priority": "medium", "cve_public_date": "2026-04-09" } ], "log": [ "", " * New upstream version 1.6.57", " - CVE-2026-34757 - heap information disclosure (Closes: #1133051)", "" ], "package": "libpng1.6", "version": "1.6.57-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Gianfranco Costamagna ", "date": "Sun, 12 Apr 2026 18:08:25 +0200" }, { "cves": [ { "cve": "CVE-2026-33416", "url": "https://ubuntu.com/security/CVE-2026-33416", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, `png_set_tRNS` and `png_set_PLTE` each alias a heap-allocated buffer between `png_struct` and `png_info`, sharing a single allocation across two structs with independent lifetimes. The `trans_alpha` aliasing has been present since at least libpng 1.0, and the `palette` aliasing since at least 1.2.1. Both affect all prior release lines `png_set_tRNS` sets `png_ptr->trans_alpha = info_ptr->trans_alpha` (256-byte buffer) and `png_set_PLTE` sets `info_ptr->palette = png_ptr->palette` (768-byte buffer). In both cases, calling `png_free_data` (with `PNG_FREE_TRNS` or `PNG_FREE_PLTE`) frees the buffer through `info_ptr` while the corresponding `png_ptr` pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to `png_set_tRNS` or `png_set_PLTE` has the same effect, because both functions call `png_free_data` internally before reallocating the `info_ptr` buffer. Version 1.6.56 fixes the issue.", "cve_priority": "medium", "cve_public_date": "2026-03-26 17:16:00 UTC" }, { "cve": "CVE-2026-33636", "url": "https://ubuntu.com/security/CVE-2026-33636", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.6.36 through 1.6.55, an out-of-bounds read and write exists in libpng's ARM/AArch64 Neon-optimized palette expansion path. When expanding 8-bit paletted rows to RGB or RGBA, the Neon loop processes a final partial chunk without verifying that enough input pixels remain. Because the implementation works backward from the end of the row, the final iteration dereferences pointers before the start of the row buffer (OOB read) and writes expanded pixel data to the same underflowed positions (OOB write). This is reachable via normal decoding of attacker-controlled PNG input if Neon is enabled. Version 1.6.56 fixes the issue.", "cve_priority": "medium", "cve_public_date": "2026-03-26 17:16:00 UTC" } ], "log": [ "", " * New upstream release 1.6.56", " - CVE-2026-33416 - Use after free (Closes: #1132012)", " - CVE-2026-33636 - OOB read/write (Closes: #1132013)", "" ], "package": "libpng1.6", "version": "1.6.56-1", "urgency": "high", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Tobias Frost ", "date": "Sun, 29 Mar 2026 08:36:13 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3-stdlib", "from_version": { "source_package_name": "python3-defaults", "source_package_version": "3.14.3-0ubuntu1", "version": "3.14.3-0ubuntu1" }, "to_version": { "source_package_name": "python3-defaults", "source_package_version": "3.14.3-0ubuntu2", "version": "3.14.3-0ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * No-change rebuild to re-trigger autopkg tests.", "" ], "package": "python3-defaults", "version": "3.14.3-0ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 21 Mar 2026 10:46:40 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.14-minimal", "from_version": { "source_package_name": "python3.14", "source_package_version": "3.14.3-3", "version": "3.14.3-3" }, "to_version": { "source_package_name": "python3.14", "source_package_version": "3.14.4-1", "version": "3.14.4-1" }, "cves": [ { "cve": "CVE-2026-2297", "url": "https://ubuntu.com/security/CVE-2026-2297", "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.", "cve_priority": "medium", "cve_public_date": "2026-03-04 23:16:00 UTC" }, { "cve": "CVE-2026-3644", "url": "https://ubuntu.com/security/CVE-2026-3644", "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2026-4224", "url": "https://ubuntu.com/security/CVE-2026-4224", "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2025-13462", "url": "https://ubuntu.com/security/CVE-2025-13462", "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.", "cve_priority": "medium", "cve_public_date": "2026-03-12 18:16:00 UTC" }, { "cve": "CVE-2026-3479", "url": "https://ubuntu.com/security/CVE-2026-3479", "cve_description": "DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.", "cve_priority": "medium", "cve_public_date": "2026-03-18 19:16:00 UTC" }, { "cve": "CVE-2026-4519", "url": "https://ubuntu.com/security/CVE-2026-4519", "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().", "cve_priority": "medium", "cve_public_date": "2026-03-20 15:16:00 UTC" }, { "cve": "CVE-2025-12781", "url": "https://ubuntu.com/security/CVE-2025-12781", "cve_description": "When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted \"+\" or \"/\" outside of altchars.", "cve_priority": "medium", "cve_public_date": "2026-01-21 20:16:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2147343 ], "changes": [ { "cves": [], "log": [ "", " * Python 3.14.4 release.", " * Also post-process the _sysconfig_vars_*.json files, like done for the", " _sysconfigdata_*.py files.", " * Fix the base_interpreter path in the build-details_*.json files.", " * Don't ship the build-details_*.json file for the debug interpreter,", " because it is installed under the same name as the one for the normal", " build. Still has different contents. PEP 739 deficiency ...", " * Explicitly build-depend on uuid-dev. LP: #2147343.", " * Update VCS attributes", "" ], "package": "python3.14", "version": "3.14.4-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [ 2147343 ], "author": "Matthias Klose ", "date": "Wed, 08 Apr 2026 06:02:31 +0200" }, { "cves": [], "log": [ "", " * Update more autopkg test cases for 3.14.", "" ], "package": "python3.14", "version": "3.14.3-5", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 28 Mar 2026 07:06:58 +0100" }, { "cves": [ { "cve": "CVE-2026-2297", "url": "https://ubuntu.com/security/CVE-2026-2297", "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.", "cve_priority": "medium", "cve_public_date": "2026-03-04 23:16:00 UTC" }, { "cve": "CVE-2026-3644", "url": "https://ubuntu.com/security/CVE-2026-3644", "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2026-4224", "url": "https://ubuntu.com/security/CVE-2026-4224", "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2025-13462", "url": "https://ubuntu.com/security/CVE-2025-13462", "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.", "cve_priority": "medium", "cve_public_date": "2026-03-12 18:16:00 UTC" }, { "cve": "CVE-2026-3479", "url": "https://ubuntu.com/security/CVE-2026-3479", "cve_description": "DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.", "cve_priority": "medium", "cve_public_date": "2026-03-18 19:16:00 UTC" }, { "cve": "CVE-2026-4519", "url": "https://ubuntu.com/security/CVE-2026-4519", "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().", "cve_priority": "medium", "cve_public_date": "2026-03-20 15:16:00 UTC" }, { "cve": "CVE-2025-12781", "url": "https://ubuntu.com/security/CVE-2025-12781", "cve_description": "When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted \"+\" or \"/\" outside of altchars.", "cve_priority": "medium", "cve_public_date": "2026-01-21 20:16:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * Update to the 3.14 branch 2026-03-27.", " * Security issues addressed on the 3.14 branch: CVE-2026-2297,", " CVE-2026-3644, CVE-2026-4224, CVE-2025-13462.", " * Security issues not yet addressed:", " - CVE-2026-3479, CVE-2026-4519, CVE-2025-12781.", " - CVE-2025-15366, CVE-2025-15367: Not backporting these as they are", " potentially breaking some existing behavior.", " * Update autopkg test dependencies for 3.14.", " * Update symbols file.", " * Fix some lintian warnings.", " * Bump standards version.", "" ], "package": "python3.14", "version": "3.14.3-4", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Fri, 27 Mar 2026 12:51:46 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.14-stdlib", "from_version": { "source_package_name": "python3.14", "source_package_version": "3.14.3-3", "version": "3.14.3-3" }, "to_version": { "source_package_name": "python3.14", "source_package_version": "3.14.4-1", "version": "3.14.4-1" }, "cves": [ { "cve": "CVE-2026-2297", "url": "https://ubuntu.com/security/CVE-2026-2297", "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.", "cve_priority": "medium", "cve_public_date": "2026-03-04 23:16:00 UTC" }, { "cve": "CVE-2026-3644", "url": "https://ubuntu.com/security/CVE-2026-3644", "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2026-4224", "url": "https://ubuntu.com/security/CVE-2026-4224", "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2025-13462", "url": "https://ubuntu.com/security/CVE-2025-13462", "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.", "cve_priority": "medium", "cve_public_date": "2026-03-12 18:16:00 UTC" }, { "cve": "CVE-2026-3479", "url": "https://ubuntu.com/security/CVE-2026-3479", "cve_description": "DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.", "cve_priority": "medium", "cve_public_date": "2026-03-18 19:16:00 UTC" }, { "cve": "CVE-2026-4519", "url": "https://ubuntu.com/security/CVE-2026-4519", "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().", "cve_priority": "medium", "cve_public_date": "2026-03-20 15:16:00 UTC" }, { "cve": "CVE-2025-12781", "url": "https://ubuntu.com/security/CVE-2025-12781", "cve_description": "When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted \"+\" or \"/\" outside of altchars.", "cve_priority": "medium", "cve_public_date": "2026-01-21 20:16:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2147343 ], "changes": [ { "cves": [], "log": [ "", " * Python 3.14.4 release.", " * Also post-process the _sysconfig_vars_*.json files, like done for the", " _sysconfigdata_*.py files.", " * Fix the base_interpreter path in the build-details_*.json files.", " * Don't ship the build-details_*.json file for the debug interpreter,", " because it is installed under the same name as the one for the normal", " build. Still has different contents. PEP 739 deficiency ...", " * Explicitly build-depend on uuid-dev. LP: #2147343.", " * Update VCS attributes", "" ], "package": "python3.14", "version": "3.14.4-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [ 2147343 ], "author": "Matthias Klose ", "date": "Wed, 08 Apr 2026 06:02:31 +0200" }, { "cves": [], "log": [ "", " * Update more autopkg test cases for 3.14.", "" ], "package": "python3.14", "version": "3.14.3-5", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 28 Mar 2026 07:06:58 +0100" }, { "cves": [ { "cve": "CVE-2026-2297", "url": "https://ubuntu.com/security/CVE-2026-2297", "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.", "cve_priority": "medium", "cve_public_date": "2026-03-04 23:16:00 UTC" }, { "cve": "CVE-2026-3644", "url": "https://ubuntu.com/security/CVE-2026-3644", "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2026-4224", "url": "https://ubuntu.com/security/CVE-2026-4224", "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2025-13462", "url": "https://ubuntu.com/security/CVE-2025-13462", "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.", "cve_priority": "medium", "cve_public_date": "2026-03-12 18:16:00 UTC" }, { "cve": "CVE-2026-3479", "url": "https://ubuntu.com/security/CVE-2026-3479", "cve_description": "DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.", "cve_priority": "medium", "cve_public_date": "2026-03-18 19:16:00 UTC" }, { "cve": "CVE-2026-4519", "url": "https://ubuntu.com/security/CVE-2026-4519", "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().", "cve_priority": "medium", "cve_public_date": "2026-03-20 15:16:00 UTC" }, { "cve": "CVE-2025-12781", "url": "https://ubuntu.com/security/CVE-2025-12781", "cve_description": "When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted \"+\" or \"/\" outside of altchars.", "cve_priority": "medium", "cve_public_date": "2026-01-21 20:16:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * Update to the 3.14 branch 2026-03-27.", " * Security issues addressed on the 3.14 branch: CVE-2026-2297,", " CVE-2026-3644, CVE-2026-4224, CVE-2025-13462.", " * Security issues not yet addressed:", " - CVE-2026-3479, CVE-2026-4519, CVE-2025-12781.", " - CVE-2025-15366, CVE-2025-15367: Not backporting these as they are", " potentially breaking some existing behavior.", " * Update autopkg test dependencies for 3.14.", " * Update symbols file.", " * Fix some lintian warnings.", " * Bump standards version.", "" ], "package": "python3.14", "version": "3.14.3-4", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Fri, 27 Mar 2026 12:51:46 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libssl3t64", "from_version": { "source_package_name": "openssl", "source_package_version": "3.5.5-1ubuntu1", "version": "3.5.5-1ubuntu1" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.5.5-1ubuntu3", "version": "3.5.5-1ubuntu3" }, "cves": [ { "cve": "CVE-2026-2673", "url": "https://ubuntu.com/security/CVE-2026-2673", "cve_description": "Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicated keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server. If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported. As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519' being the only ones in the client's initial keyshare prediction). OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers. The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares would have been more preferred, if included. The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security. Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group. The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'. No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary. OpenSSL 3.6 and 3.5 are vulnerable to this issue. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-03-13 19:54:00 UTC" }, { "cve": "CVE-2026-28387", "url": "https://ubuntu.com/security/CVE-2026-28387", "cve_description": "Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28388", "url": "https://ubuntu.com/security/CVE-2026-28388", "cve_description": "Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28389", "url": "https://ubuntu.com/security/CVE-2026-28389", "cve_description": "Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28390", "url": "https://ubuntu.com/security/CVE-2026-28390", "cve_description": "Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-31789", "url": "https://ubuntu.com/security/CVE-2026-31789", "cve_description": "Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-31790", "url": "https://ubuntu.com/security/CVE-2026-31790", "cve_description": "Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-04-07 22:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2143932, 2141933 ], "changes": [ { "cves": [ { "cve": "CVE-2026-2673", "url": "https://ubuntu.com/security/CVE-2026-2673", "cve_description": "Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicated keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server. If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported. As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519' being the only ones in the client's initial keyshare prediction). OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers. The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares would have been more preferred, if included. The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security. Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group. The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'. No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary. OpenSSL 3.6 and 3.5 are vulnerable to this issue. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-03-13 19:54:00 UTC" }, { "cve": "CVE-2026-28387", "url": "https://ubuntu.com/security/CVE-2026-28387", "cve_description": "Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28388", "url": "https://ubuntu.com/security/CVE-2026-28388", "cve_description": "Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28389", "url": "https://ubuntu.com/security/CVE-2026-28389", "cve_description": "Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28390", "url": "https://ubuntu.com/security/CVE-2026-28390", "cve_description": "Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-31789", "url": "https://ubuntu.com/security/CVE-2026-31789", "cve_description": "Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-31790", "url": "https://ubuntu.com/security/CVE-2026-31790", "cve_description": "Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-04-07 22:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OpenSSL TLS 1.3 server may choose unexpected key", " agreement group", " - debian/patches/CVE-2026-2673.patch: fix group tuple handling in", " DEFAULT expansion in doc/man3/SSL_CTX_set1_curves.pod,", " ssl/t1_lib.c, test/tls13groupselection_test.c.", " - CVE-2026-2673", " * SECURITY UPDATE: NULL pointer dereference when processing an OCSP", " response", " - debian/patches/CVE-2026-28387.patch: dane_match_cert() should", " X509_free() on ->mcert instead of OPENSSL_free() in", " crypto/x509/x509_vfy.c.", " - CVE-2026-28387", " * SECURITY UPDATE: NULL Pointer Dereference When Processing a Delta CRL", " - debian/patches/CVE-2026-28388-1.patch: fix NULL Dereference When", " Delta CRL Lacks CRL Number Extension in crypto/x509/x509_vfy.c.", " - debian/patches/CVE-2026-28388-2.patch: Added test in test/*.", " - CVE-2026-28388", " * SECURITY UPDATE: Possible NULL dereference when processing CMS", " KeyAgreeRecipientInfo", " - debian/patches/CVE-2026-28389.patch: Fix NULL deref in", " [ec]dh_cms_set_shared_info in crypto/cms/cms_dh.c,", " crypto/cms/cms_ec.c.", " - CVE-2026-28389", " * SECURITY UPDATE: Possible NULL Dereference When Processing CMS", " KeyTransportRecipientInfo", " - debian/patches/CVE-2026-28390.patch: Fix NULL deref in", " rsa_cms_decrypt in crypto/cms/cms_rsa.c.", " - CVE-2026-28390", " * SECURITY UPDATE: Heap buffer overflow in hexadecimal conversion", " - debian/patches/CVE-2026-31789.patch: avoid possible buffer overflow", " in buf2hex conversion in crypto/o_str.c.", " - CVE-2026-31789", " * SECURITY UPDATE: Incorrect failure handling in RSA KEM RSASVE", " encapsulation", " - debian/patches/CVE-2026-31790-1.patch: validate RSA_public_encrypt()", " result in RSASVE in providers/implementations/kem/rsa_kem.c.", " - debian/patches/CVE-2026-31790-2.patch: test RSA_public_encrypt()", " result in RSASVE in test/evp_extra_test.c.", " - CVE-2026-31790", "" ], "package": "openssl", "version": "3.5.5-1ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 07 Apr 2026 08:05:56 -0400" }, { "cves": [], "log": [ "", " [ Eric Berry ]", " * Rename crypto-Add-jitterentropy-fips-mode-detection.patch to", " crypto-add-userspace-fips-mode-detection.patch (LP: #2143932)", "", " [ Joao Gomes ]", " * Fallback to default provider when in FIPS mode and FIPS provider fails to", " load. (LP: #2141933)", " - d/p/fips/crypto-Fallback-to-default-provider-when-FIPS-provider.patch", "" ], "package": "openssl", "version": "3.5.5-1ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2143932, 2141933 ], "author": "Ravi Kant Sharma ", "date": "Mon, 16 Mar 2026 17:56:16 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libstdc++6", "from_version": { "source_package_name": "gcc-16", "source_package_version": "16-20260315-1ubuntu1", "version": "16-20260315-1ubuntu1" }, "to_version": { "source_package_name": "gcc-16", "source_package_version": "16-20260322-1ubuntu1", "version": "16-20260322-1ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Merge with Debian; remaining changes:", " - Build from upstream sources.", " - Work-around the 80GB chroot size on the Ubuntu buildds.", "" ], "package": "gcc-16", "version": "16-20260322-1ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 22 Mar 2026 09:31:44 +0100" }, { "cves": [], "log": [ "", " * Snapshot, taken from the trunk (20260322).", " - Fix PR target/123852 (SH), bootstrap on sh4.", " - ga68: add missing symbols to libga68/ga68.map. Closes: #1130580.", " * Update sh-bootstrap-compare patch (Adrian Glaubitz). Closes: #1130857.", " * For backports, require at least GCC 11 for the bootstrap.", "" ], "package": "gcc-16", "version": "16-20260322-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sun, 22 Mar 2026 09:29:00 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsystemd-shared", "from_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu1", "version": "259.5-0ubuntu1" }, "to_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu2", "version": "259.5-0ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "changes": [ { "cves": [], "log": [ "", " * Fix handling of VMADDR_CID_ANY in a couple places (LP: #2145027)", " - ssh-proxy: return an error if user supplies VMADDR_CID_ANY", " - socket-util: filter out VMADDR_CID_ANY in vsock_get_local_cid()", " * network-generator: support BOOTIF= and rd.bootif=0 options (LP: #2141588)", " * tmpfiles: remove duplicate /run/lock definition (LP: #2146544)", "" ], "package": "systemd", "version": "259.5-0ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "author": "Nick Rosbrook ", "date": "Thu, 02 Apr 2026 08:31:45 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsystemd0", "from_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu1", "version": "259.5-0ubuntu1" }, "to_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu2", "version": "259.5-0ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "changes": [ { "cves": [], "log": [ "", " * Fix handling of VMADDR_CID_ANY in a couple places (LP: #2145027)", " - ssh-proxy: return an error if user supplies VMADDR_CID_ANY", " - socket-util: filter out VMADDR_CID_ANY in vsock_get_local_cid()", " * network-generator: support BOOTIF= and rd.bootif=0 options (LP: #2141588)", " * tmpfiles: remove duplicate /run/lock definition (LP: #2146544)", "" ], "package": "systemd", "version": "259.5-0ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "author": "Nick Rosbrook ", "date": "Thu, 02 Apr 2026 08:31:45 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "libtirpc-common", "from_version": { "source_package_name": "libtirpc", "source_package_version": "1.3.6+ds-1ubuntu1", "version": "1.3.6+ds-1ubuntu1" }, "to_version": { "source_package_name": "libtirpc", "source_package_version": "1.3.7-0.1", "version": "1.3.7-0.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Non-maintainer upload.", " * New upstream version 1.3.7 (Closes: #1097279)", " * Drop \"Rules-Requires-Root: no\": it is the default now", " * Bump Standards-Version to 4.7.3, drop Priority: tag", " * Drop build-dep on dpkg-dev, this is not meant to be backported", " * Refresh patches", "" ], "package": "libtirpc", "version": "1.3.7-0.1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Alexandre Detiste ", "date": "Sat, 28 Mar 2026 12:23:08 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libtirpc3t64", "from_version": { "source_package_name": "libtirpc", "source_package_version": "1.3.6+ds-1ubuntu1", "version": "1.3.6+ds-1ubuntu1" }, "to_version": { "source_package_name": "libtirpc", "source_package_version": "1.3.7-0.1", "version": "1.3.7-0.1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Non-maintainer upload.", " * New upstream version 1.3.7 (Closes: #1097279)", " * Drop \"Rules-Requires-Root: no\": it is the default now", " * Bump Standards-Version to 4.7.3, drop Priority: tag", " * Drop build-dep on dpkg-dev, this is not meant to be backported", " * Refresh patches", "" ], "package": "libtirpc", "version": "1.3.7-0.1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Alexandre Detiste ", "date": "Sat, 28 Mar 2026 12:23:08 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libudev1", "from_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu1", "version": "259.5-0ubuntu1" }, "to_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu2", "version": "259.5-0ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "changes": [ { "cves": [], "log": [ "", " * Fix handling of VMADDR_CID_ANY in a couple places (LP: #2145027)", " - ssh-proxy: return an error if user supplies VMADDR_CID_ANY", " - socket-util: filter out VMADDR_CID_ANY in vsock_get_local_cid()", " * network-generator: support BOOTIF= and rd.bootif=0 options (LP: #2141588)", " * tmpfiles: remove duplicate /run/lock definition (LP: #2146544)", "" ], "package": "systemd", "version": "259.5-0ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "author": "Nick Rosbrook ", "date": "Thu, 02 Apr 2026 08:31:45 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-base", "from_version": { "source_package_name": "linux-base", "source_package_version": "4.15ubuntu4", "version": "4.15ubuntu4" }, "to_version": { "source_package_name": "linux-base", "source_package_version": "4.15ubuntu5", "version": "4.15ubuntu5" }, "cves": [], "launchpad_bugs_fixed": [ 2146533 ], "changes": [ { "cves": [], "log": [ "", " * d/linux-base.links: Add new linux-firmware-amd-misc package", " (LP: #2146533)", "" ], "package": "linux-base", "version": "4.15ubuntu5", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2146533 ], "author": "Juerg Haefliger ", "date": "Tue, 07 Apr 2026 09:37:18 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "7.0.0-10.10", "version": "7.0.0-10.10" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "7.0.0-13.13", "version": "7.0.0-13.13" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 7.0.0-13.13", "" ], "package": "linux-meta", "version": "7.0.0-13.13", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Paolo Pisati ", "date": "Wed, 08 Apr 2026 06:57:43 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-12.12", "" ], "package": "linux-meta", "version": "7.0.0-12.12", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Timo Aaltonen ", "date": "Thu, 02 Apr 2026 10:42:36 +0300" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-11.11", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update variants", "", " * Miscellaneous Ubuntu changes", " - [Packaging] Update oem transitionals", " - [Packaging] Add transitionals for hwe-24.04", "" ], "package": "linux-meta", "version": "7.0.0-11.11", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Paolo Pisati ", "date": "Tue, 31 Mar 2026 15:32:02 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "netplan-generator", "from_version": { "source_package_name": "netplan.io", "source_package_version": "1.2-1ubuntu3", "version": "1.2-1ubuntu3" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "1.2-1ubuntu5", "version": "1.2-1ubuntu5" }, "cves": [], "launchpad_bugs_fixed": [ 2145061, 2147446, 2071747 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2145061-wpa-supplicant-requires-netplan-configure.patch: add", " Requires=/After= dependency on netplan-configure.service to wpa supplicant", " units. (LP: #2145061)", " * d/p/lp2147446-state-label-DHCPv4-using-networkd-ConfigSource.patch: use", " networkd to apply dhcp labels to addresses (LP: #2147446).", " * d/p/tests-only-consider-netplan-generated-files.patch: skip checking file", " permissions for files not managed by netplan in integration tests.", "" ], "package": "netplan.io", "version": "1.2-1ubuntu5", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2145061, 2147446 ], "author": "Guilherme Puida Moreira ", "date": "Wed, 08 Apr 2026 16:47:32 -0300" }, { "cves": [], "log": [ "", " * d/p/lp2071747-unresolvable-network-cycle.patch: fix network ordering cycle", " (LP: #2071747)", "" ], "package": "netplan.io", "version": "1.2-1ubuntu4", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2071747 ], "author": "Guilherme Puida Moreira ", "date": "Fri, 20 Mar 2026 16:09:27 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "netplan.io", "from_version": { "source_package_name": "netplan.io", "source_package_version": "1.2-1ubuntu3", "version": "1.2-1ubuntu3" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "1.2-1ubuntu5", "version": "1.2-1ubuntu5" }, "cves": [], "launchpad_bugs_fixed": [ 2145061, 2147446, 2071747 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2145061-wpa-supplicant-requires-netplan-configure.patch: add", " Requires=/After= dependency on netplan-configure.service to wpa supplicant", " units. (LP: #2145061)", " * d/p/lp2147446-state-label-DHCPv4-using-networkd-ConfigSource.patch: use", " networkd to apply dhcp labels to addresses (LP: #2147446).", " * d/p/tests-only-consider-netplan-generated-files.patch: skip checking file", " permissions for files not managed by netplan in integration tests.", "" ], "package": "netplan.io", "version": "1.2-1ubuntu5", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2145061, 2147446 ], "author": "Guilherme Puida Moreira ", "date": "Wed, 08 Apr 2026 16:47:32 -0300" }, { "cves": [], "log": [ "", " * d/p/lp2071747-unresolvable-network-cycle.patch: fix network ordering cycle", " (LP: #2071747)", "" ], "package": "netplan.io", "version": "1.2-1ubuntu4", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2071747 ], "author": "Guilherme Puida Moreira ", "date": "Fri, 20 Mar 2026 16:09:27 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssl", "from_version": { "source_package_name": "openssl", "source_package_version": "3.5.5-1ubuntu1", "version": "3.5.5-1ubuntu1" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.5.5-1ubuntu3", "version": "3.5.5-1ubuntu3" }, "cves": [ { "cve": "CVE-2026-2673", "url": "https://ubuntu.com/security/CVE-2026-2673", "cve_description": "Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicated keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server. If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported. As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519' being the only ones in the client's initial keyshare prediction). OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers. The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares would have been more preferred, if included. The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security. Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group. The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'. No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary. OpenSSL 3.6 and 3.5 are vulnerable to this issue. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-03-13 19:54:00 UTC" }, { "cve": "CVE-2026-28387", "url": "https://ubuntu.com/security/CVE-2026-28387", "cve_description": "Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28388", "url": "https://ubuntu.com/security/CVE-2026-28388", "cve_description": "Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28389", "url": "https://ubuntu.com/security/CVE-2026-28389", "cve_description": "Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28390", "url": "https://ubuntu.com/security/CVE-2026-28390", "cve_description": "Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-31789", "url": "https://ubuntu.com/security/CVE-2026-31789", "cve_description": "Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-31790", "url": "https://ubuntu.com/security/CVE-2026-31790", "cve_description": "Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-04-07 22:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2143932, 2141933 ], "changes": [ { "cves": [ { "cve": "CVE-2026-2673", "url": "https://ubuntu.com/security/CVE-2026-2673", "cve_description": "Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicated keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server. If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported. As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519' being the only ones in the client's initial keyshare prediction). OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers. The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares would have been more preferred, if included. The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security. Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group. The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'. No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary. OpenSSL 3.6 and 3.5 are vulnerable to this issue. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-03-13 19:54:00 UTC" }, { "cve": "CVE-2026-28387", "url": "https://ubuntu.com/security/CVE-2026-28387", "cve_description": "Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28388", "url": "https://ubuntu.com/security/CVE-2026-28388", "cve_description": "Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28389", "url": "https://ubuntu.com/security/CVE-2026-28389", "cve_description": "Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28390", "url": "https://ubuntu.com/security/CVE-2026-28390", "cve_description": "Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-31789", "url": "https://ubuntu.com/security/CVE-2026-31789", "cve_description": "Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-31790", "url": "https://ubuntu.com/security/CVE-2026-31790", "cve_description": "Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-04-07 22:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OpenSSL TLS 1.3 server may choose unexpected key", " agreement group", " - debian/patches/CVE-2026-2673.patch: fix group tuple handling in", " DEFAULT expansion in doc/man3/SSL_CTX_set1_curves.pod,", " ssl/t1_lib.c, test/tls13groupselection_test.c.", " - CVE-2026-2673", " * SECURITY UPDATE: NULL pointer dereference when processing an OCSP", " response", " - debian/patches/CVE-2026-28387.patch: dane_match_cert() should", " X509_free() on ->mcert instead of OPENSSL_free() in", " crypto/x509/x509_vfy.c.", " - CVE-2026-28387", " * SECURITY UPDATE: NULL Pointer Dereference When Processing a Delta CRL", " - debian/patches/CVE-2026-28388-1.patch: fix NULL Dereference When", " Delta CRL Lacks CRL Number Extension in crypto/x509/x509_vfy.c.", " - debian/patches/CVE-2026-28388-2.patch: Added test in test/*.", " - CVE-2026-28388", " * SECURITY UPDATE: Possible NULL dereference when processing CMS", " KeyAgreeRecipientInfo", " - debian/patches/CVE-2026-28389.patch: Fix NULL deref in", " [ec]dh_cms_set_shared_info in crypto/cms/cms_dh.c,", " crypto/cms/cms_ec.c.", " - CVE-2026-28389", " * SECURITY UPDATE: Possible NULL Dereference When Processing CMS", " KeyTransportRecipientInfo", " - debian/patches/CVE-2026-28390.patch: Fix NULL deref in", " rsa_cms_decrypt in crypto/cms/cms_rsa.c.", " - CVE-2026-28390", " * SECURITY UPDATE: Heap buffer overflow in hexadecimal conversion", " - debian/patches/CVE-2026-31789.patch: avoid possible buffer overflow", " in buf2hex conversion in crypto/o_str.c.", " - CVE-2026-31789", " * SECURITY UPDATE: Incorrect failure handling in RSA KEM RSASVE", " encapsulation", " - debian/patches/CVE-2026-31790-1.patch: validate RSA_public_encrypt()", " result in RSASVE in providers/implementations/kem/rsa_kem.c.", " - debian/patches/CVE-2026-31790-2.patch: test RSA_public_encrypt()", " result in RSASVE in test/evp_extra_test.c.", " - CVE-2026-31790", "" ], "package": "openssl", "version": "3.5.5-1ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 07 Apr 2026 08:05:56 -0400" }, { "cves": [], "log": [ "", " [ Eric Berry ]", " * Rename crypto-Add-jitterentropy-fips-mode-detection.patch to", " crypto-add-userspace-fips-mode-detection.patch (LP: #2143932)", "", " [ Joao Gomes ]", " * Fallback to default provider when in FIPS mode and FIPS provider fails to", " load. (LP: #2141933)", " - d/p/fips/crypto-Fallback-to-default-provider-when-FIPS-provider.patch", "" ], "package": "openssl", "version": "3.5.5-1ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2143932, 2141933 ], "author": "Ravi Kant Sharma ", "date": "Mon, 16 Mar 2026 17:56:16 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssl-provider-legacy", "from_version": { "source_package_name": "openssl", "source_package_version": "3.5.5-1ubuntu1", "version": "3.5.5-1ubuntu1" }, "to_version": { "source_package_name": "openssl", "source_package_version": "3.5.5-1ubuntu3", "version": "3.5.5-1ubuntu3" }, "cves": [ { "cve": "CVE-2026-2673", "url": "https://ubuntu.com/security/CVE-2026-2673", "cve_description": "Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicated keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server. If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported. As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519' being the only ones in the client's initial keyshare prediction). OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers. The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares would have been more preferred, if included. The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security. Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group. The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'. No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary. OpenSSL 3.6 and 3.5 are vulnerable to this issue. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-03-13 19:54:00 UTC" }, { "cve": "CVE-2026-28387", "url": "https://ubuntu.com/security/CVE-2026-28387", "cve_description": "Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28388", "url": "https://ubuntu.com/security/CVE-2026-28388", "cve_description": "Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28389", "url": "https://ubuntu.com/security/CVE-2026-28389", "cve_description": "Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28390", "url": "https://ubuntu.com/security/CVE-2026-28390", "cve_description": "Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-31789", "url": "https://ubuntu.com/security/CVE-2026-31789", "cve_description": "Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-31790", "url": "https://ubuntu.com/security/CVE-2026-31790", "cve_description": "Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-04-07 22:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2143932, 2141933 ], "changes": [ { "cves": [ { "cve": "CVE-2026-2673", "url": "https://ubuntu.com/security/CVE-2026-2673", "cve_description": "Issue summary: An OpenSSL TLS 1.3 server may fail to negotiate the expected preferred key exchange group when its key exchange group configuration includes the default by using the 'DEFAULT' keyword. Impact summary: A less preferred key exchange may be used even when a more preferred group is supported by both client and server, if the group was not included among the client's initial predicated keyshares. This will sometimes be the case with the new hybrid post-quantum groups, if the client chooses to defer their use until specifically requested by the server. If an OpenSSL TLS 1.3 server's configuration uses the 'DEFAULT' keyword to interpolate the built-in default group list into its own configuration, perhaps adding or removing specific elements, then an implementation defect causes the 'DEFAULT' list to lose its 'tuple' structure, and all server-supported groups were treated as a single sufficiently secure 'tuple', with the server not sending a Hello Retry Request (HRR) even when a group in a more preferred tuple was mutually supported. As a result, the client and server might fail to negotiate a mutually supported post-quantum key agreement group, such as 'X25519MLKEM768', if the client's configuration results in only 'classical' groups (such as 'X25519' being the only ones in the client's initial keyshare prediction). OpenSSL 3.5 and later support a new syntax for selecting the most preferred TLS 1.3 key agreement group on TLS servers. The old syntax had a single 'flat' list of groups, and treated all the supported groups as sufficiently secure. If any of the keyshares predicted by the client were supported by the server the most preferred among these was selected, even if other groups supported by the client, but not included in the list of predicted keyshares would have been more preferred, if included. The new syntax partitions the groups into distinct 'tuples' of roughly equivalent security. Within each tuple the most preferred group included among the client's predicted keyshares is chosen, but if the client supports a group from a more preferred tuple, but did not predict any corresponding keyshares, the server will ask the client to retry the ClientHello (by issuing a Hello Retry Request or HRR) with the most preferred mutually supported group. The above works as expected when the server's configuration uses the built-in default group list, or explicitly defines its own list by directly defining the various desired groups and group 'tuples'. No OpenSSL FIPS modules are affected by this issue, the code in question lies outside the FIPS boundary. OpenSSL 3.6 and 3.5 are vulnerable to this issue. OpenSSL 3.6 users should upgrade to OpenSSL 3.6.2 once it is released. OpenSSL 3.5 users should upgrade to OpenSSL 3.5.6 once it is released. OpenSSL 3.4, 3.3, 3.0, 1.0.2 and 1.1.1 are not affected by this issue.", "cve_priority": "low", "cve_public_date": "2026-03-13 19:54:00 UTC" }, { "cve": "CVE-2026-28387", "url": "https://ubuntu.com/security/CVE-2026-28387", "cve_description": "Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28388", "url": "https://ubuntu.com/security/CVE-2026-28388", "cve_description": "Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28389", "url": "https://ubuntu.com/security/CVE-2026-28389", "cve_description": "Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-28390", "url": "https://ubuntu.com/security/CVE-2026-28390", "cve_description": "Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-31789", "url": "https://ubuntu.com/security/CVE-2026-31789", "cve_description": "Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.", "cve_priority": "low", "cve_public_date": "2026-04-07 22:16:00 UTC" }, { "cve": "CVE-2026-31790", "url": "https://ubuntu.com/security/CVE-2026-31790", "cve_description": "Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue.", "cve_priority": "medium", "cve_public_date": "2026-04-07 22:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: OpenSSL TLS 1.3 server may choose unexpected key", " agreement group", " - debian/patches/CVE-2026-2673.patch: fix group tuple handling in", " DEFAULT expansion in doc/man3/SSL_CTX_set1_curves.pod,", " ssl/t1_lib.c, test/tls13groupselection_test.c.", " - CVE-2026-2673", " * SECURITY UPDATE: NULL pointer dereference when processing an OCSP", " response", " - debian/patches/CVE-2026-28387.patch: dane_match_cert() should", " X509_free() on ->mcert instead of OPENSSL_free() in", " crypto/x509/x509_vfy.c.", " - CVE-2026-28387", " * SECURITY UPDATE: NULL Pointer Dereference When Processing a Delta CRL", " - debian/patches/CVE-2026-28388-1.patch: fix NULL Dereference When", " Delta CRL Lacks CRL Number Extension in crypto/x509/x509_vfy.c.", " - debian/patches/CVE-2026-28388-2.patch: Added test in test/*.", " - CVE-2026-28388", " * SECURITY UPDATE: Possible NULL dereference when processing CMS", " KeyAgreeRecipientInfo", " - debian/patches/CVE-2026-28389.patch: Fix NULL deref in", " [ec]dh_cms_set_shared_info in crypto/cms/cms_dh.c,", " crypto/cms/cms_ec.c.", " - CVE-2026-28389", " * SECURITY UPDATE: Possible NULL Dereference When Processing CMS", " KeyTransportRecipientInfo", " - debian/patches/CVE-2026-28390.patch: Fix NULL deref in", " rsa_cms_decrypt in crypto/cms/cms_rsa.c.", " - CVE-2026-28390", " * SECURITY UPDATE: Heap buffer overflow in hexadecimal conversion", " - debian/patches/CVE-2026-31789.patch: avoid possible buffer overflow", " in buf2hex conversion in crypto/o_str.c.", " - CVE-2026-31789", " * SECURITY UPDATE: Incorrect failure handling in RSA KEM RSASVE", " encapsulation", " - debian/patches/CVE-2026-31790-1.patch: validate RSA_public_encrypt()", " result in RSASVE in providers/implementations/kem/rsa_kem.c.", " - debian/patches/CVE-2026-31790-2.patch: test RSA_public_encrypt()", " result in RSASVE in test/evp_extra_test.c.", " - CVE-2026-31790", "" ], "package": "openssl", "version": "3.5.5-1ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Tue, 07 Apr 2026 08:05:56 -0400" }, { "cves": [], "log": [ "", " [ Eric Berry ]", " * Rename crypto-Add-jitterentropy-fips-mode-detection.patch to", " crypto-add-userspace-fips-mode-detection.patch (LP: #2143932)", "", " [ Joao Gomes ]", " * Fallback to default provider when in FIPS mode and FIPS provider fails to", " load. (LP: #2141933)", " - d/p/fips/crypto-Fallback-to-default-provider-when-FIPS-provider.patch", "" ], "package": "openssl", "version": "3.5.5-1ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2143932, 2141933 ], "author": "Ravi Kant Sharma ", "date": "Mon, 16 Mar 2026 17:56:16 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "pollinate", "from_version": { "source_package_name": "pollinate", "source_package_version": "4.33-4ubuntu5", "version": "4.33-4ubuntu5" }, "to_version": { "source_package_name": "pollinate", "source_package_version": "4.33-4ubuntu6", "version": "4.33-4ubuntu6" }, "cves": [], "launchpad_bugs_fixed": [ 2146451 ], "changes": [ { "cves": [], "log": [ "", " * Remove certificate pinning (LP: #2146451)", " - Curl will now use the system ca-certificates to validate the server", " cert which will allow a graceful transition during the upcoming", " certificate renewal and prevent machines from booting without", " seeded entropy.", "" ], "package": "pollinate", "version": "4.33-4ubuntu6", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2146451 ], "author": "Marc Deslauriers ", "date": "Tue, 31 Mar 2026 08:31:33 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3", "from_version": { "source_package_name": "python3-defaults", "source_package_version": "3.14.3-0ubuntu1", "version": "3.14.3-0ubuntu1" }, "to_version": { "source_package_name": "python3-defaults", "source_package_version": "3.14.3-0ubuntu2", "version": "3.14.3-0ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * No-change rebuild to re-trigger autopkg tests.", "" ], "package": "python3-defaults", "version": "3.14.3-0ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 21 Mar 2026 10:46:40 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-apport", "from_version": { "source_package_name": "apport", "source_package_version": "2.33.1-0ubuntu7", "version": "2.33.1-0ubuntu7" }, "to_version": { "source_package_name": "apport", "source_package_version": "2.34.0-0ubuntu2", "version": "2.34.0-0ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2148184, 2147545, 2145810, 2139266 ], "changes": [ { "cves": [], "log": [ "", " * fix Default-to-Ubuntu-crash-DB.patch to default to ubuntu again", " (LP: #2148184)", "" ], "package": "apport", "version": "2.34.0-0ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2148184 ], "author": "Benjamin Drung ", "date": "Mon, 13 Apr 2026 13:51:00 +0200" }, { "cves": [], "log": [ "", " * New upstream release (LP: #2147545)", " - fix broken `DEVLINKS` property after anonymizing udevdb (LP: #2145810)", " * Drop patches applied upstream and refresh remaining patches", " * test: check Python code in debian/package-hooks if present", " * Add Pre-Depends to apport-core-dump-handler", " * Update debian/watch to version 5", " * Bump Standards-Version to 4.7.4", " * Remove redundant Priority: optional and Rules-Requires-Root: no", " * autopkgtest:", " - run system UI tests separately", " - split tests that need Internet access into system-tests-internet", " * apport: depend on python3-systemd when using systemd-coredump (LP: #2139266)", "" ], "package": "apport", "version": "2.34.0-0ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2147545, 2145810, 2139266 ], "author": "Benjamin Drung ", "date": "Fri, 10 Apr 2026 00:46:39 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-cryptography", "from_version": { "source_package_name": "python-cryptography", "source_package_version": "46.0.5-1ubuntu1", "version": "46.0.5-1ubuntu1" }, "to_version": { "source_package_name": "python-cryptography", "source_package_version": "46.0.5-1ubuntu2", "version": "46.0.5-1ubuntu2" }, "cves": [ { "cve": "CVE-2026-34073", "url": "https://ubuntu.com/security/CVE-2026-34073", "cve_description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.", "cve_priority": "medium", "cve_public_date": "2026-03-31 03:15:00 UTC" }, { "cve": "CVE-2026-39892", "url": "https://ubuntu.com/security/CVE-2026-39892", "cve_description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.", "cve_priority": "medium", "cve_public_date": "2026-04-09" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34073", "url": "https://ubuntu.com/security/CVE-2026-34073", "cve_description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.", "cve_priority": "medium", "cve_public_date": "2026-03-31 03:15:00 UTC" }, { "cve": "CVE-2026-39892", "url": "https://ubuntu.com/security/CVE-2026-39892", "cve_description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulnerability is fixed in 46.0.7.", "cve_priority": "medium", "cve_public_date": "2026-04-09" } ], "log": [ "", " * SECURITY UPDATE: DNS name constraints issue", " - debian/patches/CVE-2026-34073.patch: further restrict DNS wildcards", " in name constraint matching in", " src/rust/cryptography-x509-verification/src/lib.rs,", " src/rust/cryptography-x509-verification/src/types.rs,", " tests/x509/verification/test_limbo.py.", " - CVE-2026-34073", " * SECURITY UPDATE: buffer overflow via use of non-contiguous buffers", " - debian/patches/CVE-2026-39892.patch: enforce contiguous buffers in", " src/rust/src/buf.rs, tests/hazmat/primitives/test_hashes.py.", " - CVE-2026-39892", "" ], "package": "python-cryptography", "version": "46.0.5-1ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 10 Apr 2026 14:00:06 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-distupgrade", "from_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.10", "version": "1:26.04.10" }, "to_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.14", "version": "1:26.04.14" }, "cves": [], "launchpad_bugs_fixed": [ 2147255, 2147293, 2147278, 2146635, 2074309, 2146383 ], "changes": [ { "cves": [], "log": [ "", " * DistUpgradeQuirks: Move systemd-coredump quirk from PreDistUpgradeCache", " to PostDistUpgradeCache so marks survive the apt resolver, and re-mark", " the KDE metapackage for upgrade if held back (LP: #2147255, #2147293)", " * Several fixes for the KDE frontend (LP: #2147278):", " - Fix black window by using local QEventLoop instead of", " app.exec()/app.exit() pattern that breaks under Qt6", " - Fix terminal output not auto-scrolling with new lines", " - Fix Qt6 scoped enum references (QMessageBox.Icon,", " QTextCursor.MoveOperation, Qt.WindowType, QMessageBox.StandardButton)", " - Add PyQtCompat.py shim to support both PyQt5 (24.04) and PyQt6", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.14", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2147255, 2147293, 2147278 ], "author": "Erich Eickmeyer ", "date": "Sat, 04 Apr 2026 11:57:19 -0700" }, { "cves": [], "log": [ "", " [ Erich Eickmeyer ]", " * DistUpgradeQuirks: For Kubuntu and Ubuntu Studio, switch from", " apport-core-dump-handler to systemd-coredump (LP: #2146635)", "", " [ Nick Rosbrook ]", " * Run pre-build.sh: updating mirrors.", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.13", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2146635 ], "author": "Erich Eickmeyer ", "date": "Thu, 02 Apr 2026 11:58:32 -0400" }, { "cves": [], "log": [ "", " [ Guilherme Puida Moreira ]", " * DistUpgraderQuirks: add check when upgrading RabbitMQ (LP: #2074309)", "", " [ Nick Rosbrook ]", " * Run pre-build.sh: updating mirrors and translations.", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.12", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2074309 ], "author": "Nick Rosbrook ", "date": "Mon, 30 Mar 2026 09:26:19 -0400" }, { "cves": [], "log": [ "", " * DistUpgradeQuirks: Fail on ancient boot EEPROM for Pi 5 (LP: #2146383)", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.11", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2146383 ], "author": "Dave Jones ", "date": "Fri, 27 Mar 2026 14:07:24 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-gi", "from_version": { "source_package_name": "pygobject", "source_package_version": "3.56.1-2", "version": "3.56.1-2" }, "to_version": { "source_package_name": "pygobject", "source_package_version": "3.56.2-1", "version": "3.56.2-1" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * New upstream release", "" ], "package": "pygobject", "version": "3.56.2-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Alessandro Astone ", "date": "Tue, 07 Apr 2026 17:53:23 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-jwt", "from_version": { "source_package_name": "pyjwt", "source_package_version": "2.10.1-4", "version": "2.10.1-4" }, "to_version": { "source_package_name": "pyjwt", "source_package_version": "2.10.1-4ubuntu1", "version": "2.10.1-4ubuntu1" }, "cves": [ { "cve": "CVE-2026-32597", "url": "https://ubuntu.com/security/CVE-2026-32597", "cve_description": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.", "cve_priority": "medium", "cve_public_date": "2026-03-13 19:55:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-32597", "url": "https://ubuntu.com/security/CVE-2026-32597", "cve_description": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.", "cve_priority": "medium", "cve_public_date": "2026-03-13 19:55:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Incorrect authorization of invalid JWS token.", " - debian/patches/CVE-2026-32597.patch: Add _supported_crit and checks", " for valid crit header in jwt/api_jws.py. Add tests in", " tests/test_api_jws.py and tests/test_api_jwt.py.", " - CVE-2026-32597", "" ], "package": "pyjwt", "version": "2.10.1-4ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Mon, 30 Mar 2026 12:15:21 -0230" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-minimal", "from_version": { "source_package_name": "python3-defaults", "source_package_version": "3.14.3-0ubuntu1", "version": "3.14.3-0ubuntu1" }, "to_version": { "source_package_name": "python3-defaults", "source_package_version": "3.14.3-0ubuntu2", "version": "3.14.3-0ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * No-change rebuild to re-trigger autopkg tests.", "" ], "package": "python3-defaults", "version": "3.14.3-0ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 21 Mar 2026 10:46:40 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-netplan", "from_version": { "source_package_name": "netplan.io", "source_package_version": "1.2-1ubuntu3", "version": "1.2-1ubuntu3" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "1.2-1ubuntu5", "version": "1.2-1ubuntu5" }, "cves": [], "launchpad_bugs_fixed": [ 2145061, 2147446, 2071747 ], "changes": [ { "cves": [], "log": [ "", " * d/p/lp2145061-wpa-supplicant-requires-netplan-configure.patch: add", " Requires=/After= dependency on netplan-configure.service to wpa supplicant", " units. (LP: #2145061)", " * d/p/lp2147446-state-label-DHCPv4-using-networkd-ConfigSource.patch: use", " networkd to apply dhcp labels to addresses (LP: #2147446).", " * d/p/tests-only-consider-netplan-generated-files.patch: skip checking file", " permissions for files not managed by netplan in integration tests.", "" ], "package": "netplan.io", "version": "1.2-1ubuntu5", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2145061, 2147446 ], "author": "Guilherme Puida Moreira ", "date": "Wed, 08 Apr 2026 16:47:32 -0300" }, { "cves": [], "log": [ "", " * d/p/lp2071747-unresolvable-network-cycle.patch: fix network ordering cycle", " (LP: #2071747)", "" ], "package": "netplan.io", "version": "1.2-1ubuntu4", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2071747 ], "author": "Guilherme Puida Moreira ", "date": "Fri, 20 Mar 2026 16:09:27 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-problem-report", "from_version": { "source_package_name": "apport", "source_package_version": "2.33.1-0ubuntu7", "version": "2.33.1-0ubuntu7" }, "to_version": { "source_package_name": "apport", "source_package_version": "2.34.0-0ubuntu2", "version": "2.34.0-0ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2148184, 2147545, 2145810, 2139266 ], "changes": [ { "cves": [], "log": [ "", " * fix Default-to-Ubuntu-crash-DB.patch to default to ubuntu again", " (LP: #2148184)", "" ], "package": "apport", "version": "2.34.0-0ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2148184 ], "author": "Benjamin Drung ", "date": "Mon, 13 Apr 2026 13:51:00 +0200" }, { "cves": [], "log": [ "", " * New upstream release (LP: #2147545)", " - fix broken `DEVLINKS` property after anonymizing udevdb (LP: #2145810)", " * Drop patches applied upstream and refresh remaining patches", " * test: check Python code in debian/package-hooks if present", " * Add Pre-Depends to apport-core-dump-handler", " * Update debian/watch to version 5", " * Bump Standards-Version to 4.7.4", " * Remove redundant Priority: optional and Rules-Requires-Root: no", " * autopkgtest:", " - run system UI tests separately", " - split tests that need Internet access into system-tests-internet", " * apport: depend on python3-systemd when using systemd-coredump (LP: #2139266)", "" ], "package": "apport", "version": "2.34.0-0ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2147545, 2145810, 2139266 ], "author": "Benjamin Drung ", "date": "Fri, 10 Apr 2026 00:46:39 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-rpds-py", "from_version": { "source_package_name": "rpds-py", "source_package_version": "0.27.1-2ubuntu1", "version": "0.27.1-2ubuntu1" }, "to_version": { "source_package_name": "rpds-py", "source_package_version": "0.27.1-2ubuntu3", "version": "0.27.1-2ubuntu3" }, "cves": [], "launchpad_bugs_fixed": [ 2147337 ], "changes": [ { "cves": [], "log": [ "", " * d/p/support-riscv64a23-target.patch: Add Riscv64a23 support", " (LP: #2147337)", "" ], "package": "rpds-py", "version": "0.27.1-2ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2147337 ], "author": "Nadzeya Hutsko ", "date": "Mon, 06 Apr 2026 21:26:45 +0200" }, { "cves": [], "log": [ "", " * No-change rebuild to drop Python 3.13 bits.", "" ], "package": "rpds-py", "version": "0.27.1-2ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Fri, 20 Mar 2026 12:02:30 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.14", "from_version": { "source_package_name": "python3.14", "source_package_version": "3.14.3-3", "version": "3.14.3-3" }, "to_version": { "source_package_name": "python3.14", "source_package_version": "3.14.4-1", "version": "3.14.4-1" }, "cves": [ { "cve": "CVE-2026-2297", "url": "https://ubuntu.com/security/CVE-2026-2297", "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.", "cve_priority": "medium", "cve_public_date": "2026-03-04 23:16:00 UTC" }, { "cve": "CVE-2026-3644", "url": "https://ubuntu.com/security/CVE-2026-3644", "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2026-4224", "url": "https://ubuntu.com/security/CVE-2026-4224", "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2025-13462", "url": "https://ubuntu.com/security/CVE-2025-13462", "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.", "cve_priority": "medium", "cve_public_date": "2026-03-12 18:16:00 UTC" }, { "cve": "CVE-2026-3479", "url": "https://ubuntu.com/security/CVE-2026-3479", "cve_description": "DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.", "cve_priority": "medium", "cve_public_date": "2026-03-18 19:16:00 UTC" }, { "cve": "CVE-2026-4519", "url": "https://ubuntu.com/security/CVE-2026-4519", "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().", "cve_priority": "medium", "cve_public_date": "2026-03-20 15:16:00 UTC" }, { "cve": "CVE-2025-12781", "url": "https://ubuntu.com/security/CVE-2025-12781", "cve_description": "When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted \"+\" or \"/\" outside of altchars.", "cve_priority": "medium", "cve_public_date": "2026-01-21 20:16:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2147343 ], "changes": [ { "cves": [], "log": [ "", " * Python 3.14.4 release.", " * Also post-process the _sysconfig_vars_*.json files, like done for the", " _sysconfigdata_*.py files.", " * Fix the base_interpreter path in the build-details_*.json files.", " * Don't ship the build-details_*.json file for the debug interpreter,", " because it is installed under the same name as the one for the normal", " build. Still has different contents. PEP 739 deficiency ...", " * Explicitly build-depend on uuid-dev. LP: #2147343.", " * Update VCS attributes", "" ], "package": "python3.14", "version": "3.14.4-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [ 2147343 ], "author": "Matthias Klose ", "date": "Wed, 08 Apr 2026 06:02:31 +0200" }, { "cves": [], "log": [ "", " * Update more autopkg test cases for 3.14.", "" ], "package": "python3.14", "version": "3.14.3-5", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 28 Mar 2026 07:06:58 +0100" }, { "cves": [ { "cve": "CVE-2026-2297", "url": "https://ubuntu.com/security/CVE-2026-2297", "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.", "cve_priority": "medium", "cve_public_date": "2026-03-04 23:16:00 UTC" }, { "cve": "CVE-2026-3644", "url": "https://ubuntu.com/security/CVE-2026-3644", "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2026-4224", "url": "https://ubuntu.com/security/CVE-2026-4224", "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2025-13462", "url": "https://ubuntu.com/security/CVE-2025-13462", "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.", "cve_priority": "medium", "cve_public_date": "2026-03-12 18:16:00 UTC" }, { "cve": "CVE-2026-3479", "url": "https://ubuntu.com/security/CVE-2026-3479", "cve_description": "DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.", "cve_priority": "medium", "cve_public_date": "2026-03-18 19:16:00 UTC" }, { "cve": "CVE-2026-4519", "url": "https://ubuntu.com/security/CVE-2026-4519", "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().", "cve_priority": "medium", "cve_public_date": "2026-03-20 15:16:00 UTC" }, { "cve": "CVE-2025-12781", "url": "https://ubuntu.com/security/CVE-2025-12781", "cve_description": "When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted \"+\" or \"/\" outside of altchars.", "cve_priority": "medium", "cve_public_date": "2026-01-21 20:16:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * Update to the 3.14 branch 2026-03-27.", " * Security issues addressed on the 3.14 branch: CVE-2026-2297,", " CVE-2026-3644, CVE-2026-4224, CVE-2025-13462.", " * Security issues not yet addressed:", " - CVE-2026-3479, CVE-2026-4519, CVE-2025-12781.", " - CVE-2025-15366, CVE-2025-15367: Not backporting these as they are", " potentially breaking some existing behavior.", " * Update autopkg test dependencies for 3.14.", " * Update symbols file.", " * Fix some lintian warnings.", " * Bump standards version.", "" ], "package": "python3.14", "version": "3.14.3-4", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Fri, 27 Mar 2026 12:51:46 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.14-minimal", "from_version": { "source_package_name": "python3.14", "source_package_version": "3.14.3-3", "version": "3.14.3-3" }, "to_version": { "source_package_name": "python3.14", "source_package_version": "3.14.4-1", "version": "3.14.4-1" }, "cves": [ { "cve": "CVE-2026-2297", "url": "https://ubuntu.com/security/CVE-2026-2297", "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.", "cve_priority": "medium", "cve_public_date": "2026-03-04 23:16:00 UTC" }, { "cve": "CVE-2026-3644", "url": "https://ubuntu.com/security/CVE-2026-3644", "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2026-4224", "url": "https://ubuntu.com/security/CVE-2026-4224", "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2025-13462", "url": "https://ubuntu.com/security/CVE-2025-13462", "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.", "cve_priority": "medium", "cve_public_date": "2026-03-12 18:16:00 UTC" }, { "cve": "CVE-2026-3479", "url": "https://ubuntu.com/security/CVE-2026-3479", "cve_description": "DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.", "cve_priority": "medium", "cve_public_date": "2026-03-18 19:16:00 UTC" }, { "cve": "CVE-2026-4519", "url": "https://ubuntu.com/security/CVE-2026-4519", "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().", "cve_priority": "medium", "cve_public_date": "2026-03-20 15:16:00 UTC" }, { "cve": "CVE-2025-12781", "url": "https://ubuntu.com/security/CVE-2025-12781", "cve_description": "When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted \"+\" or \"/\" outside of altchars.", "cve_priority": "medium", "cve_public_date": "2026-01-21 20:16:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2147343 ], "changes": [ { "cves": [], "log": [ "", " * Python 3.14.4 release.", " * Also post-process the _sysconfig_vars_*.json files, like done for the", " _sysconfigdata_*.py files.", " * Fix the base_interpreter path in the build-details_*.json files.", " * Don't ship the build-details_*.json file for the debug interpreter,", " because it is installed under the same name as the one for the normal", " build. Still has different contents. PEP 739 deficiency ...", " * Explicitly build-depend on uuid-dev. LP: #2147343.", " * Update VCS attributes", "" ], "package": "python3.14", "version": "3.14.4-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [ 2147343 ], "author": "Matthias Klose ", "date": "Wed, 08 Apr 2026 06:02:31 +0200" }, { "cves": [], "log": [ "", " * Update more autopkg test cases for 3.14.", "" ], "package": "python3.14", "version": "3.14.3-5", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Sat, 28 Mar 2026 07:06:58 +0100" }, { "cves": [ { "cve": "CVE-2026-2297", "url": "https://ubuntu.com/security/CVE-2026-2297", "cve_description": "The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.", "cve_priority": "medium", "cve_public_date": "2026-03-04 23:16:00 UTC" }, { "cve": "CVE-2026-3644", "url": "https://ubuntu.com/security/CVE-2026-3644", "cve_description": "The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2026-4224", "url": "https://ubuntu.com/security/CVE-2026-4224", "cve_description": "When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model a C stack overflow occurs.", "cve_priority": "medium", "cve_public_date": "2026-03-16 18:16:00 UTC" }, { "cve": "CVE-2025-13462", "url": "https://ubuntu.com/security/CVE-2025-13462", "cve_description": "The \"tarfile\" module would still apply normalization of AREGTYPE (\\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.", "cve_priority": "medium", "cve_public_date": "2026-03-12 18:16:00 UTC" }, { "cve": "CVE-2026-3479", "url": "https://ubuntu.com/security/CVE-2026-3479", "cve_description": "DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.", "cve_priority": "medium", "cve_public_date": "2026-03-18 19:16:00 UTC" }, { "cve": "CVE-2026-4519", "url": "https://ubuntu.com/security/CVE-2026-4519", "cve_description": "The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().", "cve_priority": "medium", "cve_public_date": "2026-03-20 15:16:00 UTC" }, { "cve": "CVE-2025-12781", "url": "https://ubuntu.com/security/CVE-2025-12781", "cve_description": "When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the \"base64\" module the characters \"+/\" will always be accepted, regardless of the value of \"altchars\" parameter, typically used to establish an \"alternative base64 alphabet\" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without \"+/\"). If your application does not use the \"altchars\" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 alphabet they are expecting or verify that their application would not be affected if the b64decode() functions accepted \"+\" or \"/\" outside of altchars.", "cve_priority": "medium", "cve_public_date": "2026-01-21 20:16:00 UTC" }, { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * Update to the 3.14 branch 2026-03-27.", " * Security issues addressed on the 3.14 branch: CVE-2026-2297,", " CVE-2026-3644, CVE-2026-4224, CVE-2025-13462.", " * Security issues not yet addressed:", " - CVE-2026-3479, CVE-2026-4519, CVE-2025-12781.", " - CVE-2025-15366, CVE-2025-15367: Not backporting these as they are", " potentially breaking some existing behavior.", " * Update autopkg test dependencies for 3.14.", " * Update symbols file.", " * Fix some lintian warnings.", " * Bump standards version.", "" ], "package": "python3.14", "version": "3.14.3-4", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Matthias Klose ", "date": "Fri, 27 Mar 2026 12:51:46 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd", "from_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu1", "version": "259.5-0ubuntu1" }, "to_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu2", "version": "259.5-0ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "changes": [ { "cves": [], "log": [ "", " * Fix handling of VMADDR_CID_ANY in a couple places (LP: #2145027)", " - ssh-proxy: return an error if user supplies VMADDR_CID_ANY", " - socket-util: filter out VMADDR_CID_ANY in vsock_get_local_cid()", " * network-generator: support BOOTIF= and rd.bootif=0 options (LP: #2141588)", " * tmpfiles: remove duplicate /run/lock definition (LP: #2146544)", "" ], "package": "systemd", "version": "259.5-0ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "author": "Nick Rosbrook ", "date": "Thu, 02 Apr 2026 08:31:45 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-resolved", "from_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu1", "version": "259.5-0ubuntu1" }, "to_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu2", "version": "259.5-0ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "changes": [ { "cves": [], "log": [ "", " * Fix handling of VMADDR_CID_ANY in a couple places (LP: #2145027)", " - ssh-proxy: return an error if user supplies VMADDR_CID_ANY", " - socket-util: filter out VMADDR_CID_ANY in vsock_get_local_cid()", " * network-generator: support BOOTIF= and rd.bootif=0 options (LP: #2141588)", " * tmpfiles: remove duplicate /run/lock definition (LP: #2146544)", "" ], "package": "systemd", "version": "259.5-0ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "author": "Nick Rosbrook ", "date": "Thu, 02 Apr 2026 08:31:45 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "systemd-sysv", "from_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu1", "version": "259.5-0ubuntu1" }, "to_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu2", "version": "259.5-0ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "changes": [ { "cves": [], "log": [ "", " * Fix handling of VMADDR_CID_ANY in a couple places (LP: #2145027)", " - ssh-proxy: return an error if user supplies VMADDR_CID_ANY", " - socket-util: filter out VMADDR_CID_ANY in vsock_get_local_cid()", " * network-generator: support BOOTIF= and rd.bootif=0 options (LP: #2141588)", " * tmpfiles: remove duplicate /run/lock definition (LP: #2146544)", "" ], "package": "systemd", "version": "259.5-0ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "author": "Nick Rosbrook ", "date": "Thu, 02 Apr 2026 08:31:45 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "tzdata", "from_version": { "source_package_name": "tzdata", "source_package_version": "2026a-1ubuntu1", "version": "2026a-1ubuntu1" }, "to_version": { "source_package_name": "tzdata", "source_package_version": "2026a-3ubuntu1", "version": "2026a-3ubuntu1" }, "cves": [], "launchpad_bugs_fixed": [ 2140307 ], "changes": [ { "cves": [], "log": [ "", " * Merge with Debian unstable. Remaining changes:", " - Ship 2026a ICU timezone data which are utilized by PHP in tzdata-icu", " - Add autopkgtest test case for ICU timezone data", " - Point Vcs-Browser/Git to Launchpad", " - Declare breaking rust-coreutils before version 0.5.0", "" ], "package": "tzdata", "version": "2026a-3ubuntu1", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Benjamin Drung ", "date": "Fri, 10 Apr 2026 11:26:40 +0200" }, { "cves": [], "log": [ "", " * Also test leapseconds exiry during build (using changelog timestamp)", "" ], "package": "tzdata", "version": "2026a-3", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Benjamin Drung ", "date": "Thu, 02 Apr 2026 23:25:05 +0200" }, { "cves": [], "log": [ "", " * Add autopkgtest to check for outdated leap-seconds.list (LP: #2140307)", " * Bump Standards-Version to 4.7.4", "" ], "package": "tzdata", "version": "2026a-2", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [ 2140307 ], "author": "Benjamin Drung ", "date": "Wed, 01 Apr 2026 14:45:54 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "ubuntu-release-upgrader-core", "from_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.10", "version": "1:26.04.10" }, "to_version": { "source_package_name": "ubuntu-release-upgrader", "source_package_version": "1:26.04.14", "version": "1:26.04.14" }, "cves": [], "launchpad_bugs_fixed": [ 2147255, 2147293, 2147278, 2146635, 2074309, 2146383 ], "changes": [ { "cves": [], "log": [ "", " * DistUpgradeQuirks: Move systemd-coredump quirk from PreDistUpgradeCache", " to PostDistUpgradeCache so marks survive the apt resolver, and re-mark", " the KDE metapackage for upgrade if held back (LP: #2147255, #2147293)", " * Several fixes for the KDE frontend (LP: #2147278):", " - Fix black window by using local QEventLoop instead of", " app.exec()/app.exit() pattern that breaks under Qt6", " - Fix terminal output not auto-scrolling with new lines", " - Fix Qt6 scoped enum references (QMessageBox.Icon,", " QTextCursor.MoveOperation, Qt.WindowType, QMessageBox.StandardButton)", " - Add PyQtCompat.py shim to support both PyQt5 (24.04) and PyQt6", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.14", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2147255, 2147293, 2147278 ], "author": "Erich Eickmeyer ", "date": "Sat, 04 Apr 2026 11:57:19 -0700" }, { "cves": [], "log": [ "", " [ Erich Eickmeyer ]", " * DistUpgradeQuirks: For Kubuntu and Ubuntu Studio, switch from", " apport-core-dump-handler to systemd-coredump (LP: #2146635)", "", " [ Nick Rosbrook ]", " * Run pre-build.sh: updating mirrors.", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.13", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2146635 ], "author": "Erich Eickmeyer ", "date": "Thu, 02 Apr 2026 11:58:32 -0400" }, { "cves": [], "log": [ "", " [ Guilherme Puida Moreira ]", " * DistUpgraderQuirks: add check when upgrading RabbitMQ (LP: #2074309)", "", " [ Nick Rosbrook ]", " * Run pre-build.sh: updating mirrors and translations.", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.12", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2074309 ], "author": "Nick Rosbrook ", "date": "Mon, 30 Mar 2026 09:26:19 -0400" }, { "cves": [], "log": [ "", " * DistUpgradeQuirks: Fail on ancient boot EEPROM for Pi 5 (LP: #2146383)", "" ], "package": "ubuntu-release-upgrader", "version": "1:26.04.11", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2146383 ], "author": "Dave Jones ", "date": "Fri, 27 Mar 2026 14:07:24 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "udev", "from_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu1", "version": "259.5-0ubuntu1" }, "to_version": { "source_package_name": "systemd", "source_package_version": "259.5-0ubuntu2", "version": "259.5-0ubuntu2" }, "cves": [], "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "changes": [ { "cves": [], "log": [ "", " * Fix handling of VMADDR_CID_ANY in a couple places (LP: #2145027)", " - ssh-proxy: return an error if user supplies VMADDR_CID_ANY", " - socket-util: filter out VMADDR_CID_ANY in vsock_get_local_cid()", " * network-generator: support BOOTIF= and rd.bootif=0 options (LP: #2141588)", " * tmpfiles: remove duplicate /run/lock definition (LP: #2146544)", "" ], "package": "systemd", "version": "259.5-0ubuntu2", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2145027, 2141588, 2146544 ], "author": "Nick Rosbrook ", "date": "Thu, 02 Apr 2026 08:31:45 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "unattended-upgrades", "from_version": { "source_package_name": "unattended-upgrades", "source_package_version": "2.12ubuntu7", "version": "2.12ubuntu7" }, "to_version": { "source_package_name": "unattended-upgrades", "source_package_version": "2.12ubuntu9", "version": "2.12ubuntu9" }, "cves": [], "launchpad_bugs_fixed": [ 2146446 ], "changes": [ { "cves": [], "log": [ "", " * Repack the source without including the .git", "" ], "package": "unattended-upgrades", "version": "2.12ubuntu9", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Sebastien Bacher ", "date": "Fri, 27 Mar 2026 08:46:37 +0100" }, { "cves": [], "log": [ "", " * Adapt to pygobject change of GLib.Idle.set_callback parameters,", " fixing crash and FTBFS (LP: #2146446)", "" ], "package": "unattended-upgrades", "version": "2.12ubuntu8", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2146446 ], "author": "Alessandro Astone ", "date": "Thu, 26 Mar 2026 12:47:31 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "xxd", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.2141-1ubuntu2", "version": "2:9.1.2141-1ubuntu2" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.2141-1ubuntu4", "version": "2:9.1.2141-1ubuntu4" }, "cves": [ { "cve": "CVE-2026-32249", "url": "https://ubuntu.com/security/CVE-2026-32249", "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.", "cve_priority": "medium", "cve_public_date": "2026-03-12 20:16:00 UTC" }, { "cve": "CVE-2026-33412", "url": "https://ubuntu.com/security/CVE-2026-33412", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.", "cve_priority": "medium", "cve_public_date": "2026-03-24 20:16:00 UTC" }, { "cve": "CVE-2026-34714", "url": "https://ubuntu.com/security/CVE-2026-34714", "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.", "cve_priority": "medium", "cve_public_date": "2026-03-30 19:16:00 UTC" }, { "cve": "CVE-2026-34982", "url": "https://ubuntu.com/security/CVE-2026-34982", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.", "cve_priority": "medium", "cve_public_date": "2026-04-06 16:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * debian/patches/0004-skip-autocmd-test-failing-on-s390x-only.patch:", " - Skip tests failing on s390x", "" ], "package": "vim", "version": "2:9.1.2141-1ubuntu4", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Tue, 14 Apr 2026 09:13:44 -0400" }, { "cves": [ { "cve": "CVE-2026-32249", "url": "https://ubuntu.com/security/CVE-2026-32249", "cve_description": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.", "cve_priority": "medium", "cve_public_date": "2026-03-12 20:16:00 UTC" }, { "cve": "CVE-2026-33412", "url": "https://ubuntu.com/security/CVE-2026-33412", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.", "cve_priority": "medium", "cve_public_date": "2026-03-24 20:16:00 UTC" }, { "cve": "CVE-2026-34714", "url": "https://ubuntu.com/security/CVE-2026-34714", "cve_description": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.", "cve_priority": "medium", "cve_public_date": "2026-03-30 19:16:00 UTC" }, { "cve": "CVE-2026-34982", "url": "https://ubuntu.com/security/CVE-2026-34982", "cve_description": "Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.", "cve_priority": "medium", "cve_public_date": "2026-04-06 16:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: NULL pointer dereference in the NFA regex engine.", " - debian/patches/CVE-2026-32249.patch: Add range_endpoint and if checks", " in src/regexp_nfa.c. Add tests in src/testdir/test_regexp_utf8.vim.", " - CVE-2026-32249", " * SECURITY UPDATE: Command injection in glob.", " - debian/patches/CVE-2026-33412.patch: Add newline to SHELL_SPECIAL in", " src/os_unix.c.", " - CVE-2026-33412", " * SECURITY UPDATE: Command injection in tabpanel.", " - debian/patches/CVE-2026-34714.patch: Add check_restricted check_secure", " if check in src/autocmd.c. Add P_MLE in src/optiondefs.h. Add tests in", " src/testdir/test_autocmd.vim and src/testdir/test_tabpanel.vim.", " - CVE-2026-34714", " * SECURITY UPDATE: Command injection in modeline.", " - debian/patches/CVE-2026-34982.patch: Add check_secure in src/map.c. Add", " P_MLE in src/optiondefs.h. Add tests in src/testdir/test_modeline.vim.", " - debian/patches/CVE-2026-34982-post1.patch: Remove failing test and add", " more s:modeline_fails in src/testdir/test_modeline.vim.", " - CVE-2026-34982", "" ], "package": "vim", "version": "2:9.1.2141-1ubuntu3", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Tue, 31 Mar 2026 16:50:02 -0230" } ], "notes": null, "is_version_downgrade": false }, { "name": "xz-utils", "from_version": { "source_package_name": "xz-utils", "source_package_version": "5.8.2-2", "version": "5.8.2-2" }, "to_version": { "source_package_name": "xz-utils", "source_package_version": "5.8.3-1", "version": "5.8.3-1" }, "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-34743", "url": "https://ubuntu.com/security/CVE-2026-34743", "cve_description": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "cve_priority": "low", "cve_public_date": "2026-04-02 19:21:00 UTC" } ], "log": [ "", " * Import 5.8.3", " - Includes security fix for CVE-2026-34743, for which upstream states it’s", " likely that this bug cannot be triggered in any real-world application,", " see https://tukaani.org/xz/index-append-overflow.html (Closes: #1132497)", " - Autotools: Enable 32-bit x86 assembler on Hurd by default", " - New man pages in Arabic", "" ], "package": "xz-utils", "version": "5.8.3-1", "urgency": "medium", "distributions": "unstable", "launchpad_bugs_fixed": [], "author": "Otto Kekäläinen ", "date": "Wed, 01 Apr 2026 00:00:00 +0000" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [ { "name": "linux-image-7.0.0-13-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "7.0.0-10.10", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "7.0.0-13.13", "version": "7.0.0-13.13" }, "cves": [], "launchpad_bugs_fixed": [ 1786013, 1786013, 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 7.0.0-13.13", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "7.0.0-13.13", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Paolo Pisati ", "date": "Wed, 08 Apr 2026 06:58:42 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-12.12", "", " * Packaging resync (LP: #1786013)", " - [Packaging] resync debian/templates", "" ], "package": "linux-signed", "version": "7.0.0-12.12", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Timo Aaltonen ", "date": "Thu, 02 Apr 2026 10:42:46 +0300" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-11.11", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update variants", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "7.0.0-11.11", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Paolo Pisati ", "date": "Tue, 31 Mar 2026 15:32:18 +0200" } ], "notes": "linux-image-7.0.0-13-generic version '7.0.0-13.13' (source package linux-signed version '7.0.0-13.13') was added. linux-image-7.0.0-13-generic version '7.0.0-13.13' has the same source package name, linux-signed, as removed package linux-image-7.0.0-10-generic. As such we can use the source package version of the removed package, '7.0.0-10.10', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-main-modules-zfs-7.0.0-13-generic", "from_version": { "source_package_name": null, "source_package_version": null, "version": null }, "to_version": { "source_package_name": "linux-main-signed", "source_package_version": "7.0.0-13.13", "version": "7.0.0-13.13" }, "cves": [], "launchpad_bugs_fixed": [ 1786013, 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 7.0.0-13.13", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", " - [Packaging] debian/dkms-versions -- update from kernel-versions", " (main/d2026.04.07)", "" ], "package": "linux-main-signed", "version": "7.0.0-13.13", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Paolo Pisati ", "date": "Wed, 08 Apr 2026 06:59:33 +0200" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-12.12", "" ], "package": "linux-main-signed", "version": "7.0.0-12.12", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [], "author": "Timo Aaltonen ", "date": "Thu, 02 Apr 2026 10:43:09 +0300" }, { "cves": [], "log": [ "", " * Main version: 7.0.0-11.11", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update variants", " - [Packaging] debian/tracking-bug -- resync from main package", " - [Packaging] debian/dkms-versions -- update from kernel-versions", " (main/d2026.03.30)", "", " * Miscellaneous upstream changes", " - Remove version in Provides field in the linux-signed package", "" ], "package": "linux-main-signed", "version": "7.0.0-11.11", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 1786013 ], "author": "Paolo Pisati ", "date": "Tue, 31 Mar 2026 15:34:37 +0200" } ], "notes": "For a newly added package only the three most recent changelog entries are shown.", "is_version_downgrade": false }, { "name": "linux-modules-7.0.0-13-generic", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-10.10", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "7.0.0-13.13", "version": "7.0.0-13.13" }, "cves": [], "launchpad_bugs_fixed": [ 2147403, 2136820, 2147447, 2144712, 2116144, 2146778, 1786013, 2147005, 1981437, 1990064, 2144679, 2142956, 2139664, 2142956, 2141298, 2028253, 2028253, 2102680, 2028253, 2032602, 2143301, 2143902, 2145171, 2138328, 2144856, 2142403, 2144643, 2121477 ], "changes": [ { "cves": [], "log": [ "", " * resolute/linux: 7.0.0-13.13 -proposed tracker (LP: #2147403)", "", " * ubuntu_kselftests:_net/net:gre_gso.sh failing (LP: #2136820)", " - SAUCE increase socat timeout in gre_gso.sh", "", " * Canonical Kmod 2025 key rotation (LP: #2147447)", " - [Packaging] ubuntu-compatible-signing -- make Ubuntu-Compatible-Signing", " extensible", " - [Packaging] ubuntu-compatible-signing -- allow consumption of positive", " certs", " - [Packaging] ubuntu-compatible-signing -- report the livepatch:2025 key", " - [Config] prepare for Canonical Kmod key rotation", " - [Packaging] ubuntu-compatible-signing -- report the kmod:2025 key", " - [Packaging] ensure our cert rollups are always fresh", "", " * On Dell system, the internal OLED display drops to a visibly low FPS after", " suspend/resume (LP: #2144712)", " - drm/i915/psr: Disable Panel Replay on Dell XPS 14 DA14260 as a quirk", " - drm/i915/psr: Fixes for Dell XPS DA14260 quirk", "", " * Realtek RTL8116AF SFP option module fails to get connected (LP: #2116144)", " - SAUCE: r8169: add quirk for RTL8116af SerDes", "", " * Miscellaneous Ubuntu changes", " - [Config] updateconfigs following v7.0-rc7 rebase", "" ], "package": "linux", "version": "7.0.0-13.13", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2147403, 2136820, 2147447, 2144712, 2116144 ], "author": "Paolo Pisati ", "date": "Wed, 08 Apr 2026 06:56:37 +0200" }, { "cves": [], "log": [ "", " * resolute/linux: 7.0.0-12.12 -proposed tracker (LP: #2146778)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] update variants", "", " * linux-generic does not run scripts in /usr/share/kernel/*.d (LP: #2147005)", " - [Packaging] templates: Use consistent indentation", " - [Packaging] templates: Run scripts in /usr/share/kernel/*.d too", "", " * RISC-V kernel config is out of sync with other archs (LP: #1981437)", " - [Config] riscv64: Enable COUNTER=m", " - [Config] riscv64: Use GENDWARFKSYMS like other architectures", "", " * unconfined profile denies userns_create for chromium based processes", " (LP: #1990064)", " - [Config] disable CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS", "", " * FFe: add network interface mediation to 26.04 (LP: #2144679)", " - SAUCE: apparmor5.0.0 [57/57]: apparmor: add the ability to use interface", " in network mediation.", "", " * Jellyfin Desktop Flatpak doesn't work with the current AppArmor profile", " (LP: #2142956)", " - SAUCE: apparmor5.0.0 [29/57]: apparmor: fix fine grained inet mediation", " sock_file_perm", " - SAUCE: apparmor5.0.0 [30/57]: apparmor-next 7.1: aapparmor: use target", " task's context in apparmor_getprocattr()", " - SAUCE: apparmor5.0.0 [31/57]: apparmor-next 7.1: apparmor: return error", " on namespace mismatch in verify_header", " - SAUCE: apparmor5.0.0 [32/57]: apparmor-next 7.1: apparmor: enable", " differential encoding", " - SAUCE: apparmor5.0.0 [33/57]: apparmor-next 7.1: apparmor: propagate", " -ENOMEM correctly in unpack_table", " - SAUCE: apparmor5.0.0 [34/57]: apparmor-next 7.1: apparmor: Replace", " memcpy + NUL termination with kmemdup_nul in do_setattr", " - SAUCE: apparmor5.0.0 [35/57]: apparmor-next 7.1: apparmor: Remove", " redundant if check in sk_peer_get_label", " - SAUCE: apparmor5.0.0 [36/57]: apparmor-next 7.1: apparmor: use", " __label_make_stale in __aa_proxy_redirect", " - SAUCE: apparmor5.0.0 [37/57]: apparmor-next 7.1: apparmor: fix net.h and", " policy.h circular include pattern", " - SAUCE: apparmor5.0.0 [39/57]: apparmor-next 7.1: apparmor: make include", " headers self-contained", " - SAUCE: apparmor5.0.0 [40/57]: apparmor-next 7.1: apparmor: Use", " sysfs_emit in param_get_{audit,mode}", " - SAUCE: apparmor5.0.0 [41/57]: apparmor-next 7.1: apparmor: fix", " rawdata_f_data implicit flex array", " - SAUCE: apparmor5.0.0 [42/57]: apparmor-next 7.1: apparmor: free rawdata", " as soon as possible", " - SAUCE: apparmor5.0.0 [43/57]: apparmor-next 7.1: apparmor: Initial", " support for compressed policies", " - SAUCE: apparmor5.0.0 [44/57]: apparmor-next 7.1: apparmor: fix potential", " UAF in aa_replace_profiles", " - SAUCE: apparmor5.0.0 [45/57]: apparmor-next 7.1: apparmor: hide unused", " get_loaddata_common_ref() function", " - SAUCE: apparmor5.0.0 [46/57]: apparmor-next 7.1: apparmor: Fix string", " overrun due to missing termination", " - SAUCE: apparmor5.0.0 [47/57]: apparmor: fix packed tag on v5 header", " struct", " - SAUCE: apparmor5.0.0 [48/57]: apparmor: add temporal caching to audit", " responses.", " - SAUCE: apparmor5.0.0 [49/57]: apparmor: change fn_label_build() call to", " not return NULL", " - SAUCE: apparmor5.0.0 [50/57]: apparmor: make fn_label_build() capable of", " handling not supported", " - SAUCE: apparmor5.0.0 [51/57]: apparmor: move netfilter functions next to", " the LSM network operations", " - SAUCE: apparmor5.0.0 [52/57]: apparmor: move sock_rvc_skb() next to", " inet_conn_request", " - SAUCE: apparmor5.0.0 [53/57]: apparmor: fix af_unix local addr mediation", " binding", " - SAUCE: apparmor5.0.0 [54/57]: cleanups of apparmor af_unix mediation", " - SAUCE: apparmor5.0.0 [55/57]: apparmor: fix apparmor_secmark_check()", " when !inet and secmark defined.", " - SAUCE: apparmor5.0.0 [56/57]: apparmor: fix auditing of non-mediation", " falures", "", " * snap service cannot change apparmor hat (LP: #2139664) // Jellyfin Desktop", " Flatpak doesn't work with the current AppArmor profile (LP: #2142956)", " - SAUCE: apparmor5.0.0 [38/57]: apparmor-next 7.1: apparmor: grab ns lock", " and refresh when looking up changehat child profiles", "", " * AppArmor blocks write(2) to network sockets with Linux 6.19 (LP: #2141298)", " - SAUCE: apparmor5.0.0 [28/57]: apparmor: fix aa_label_sk_perm to check", " for RULE_MEDIATES_NET", "", " * update apparmor and LSM stacking patch set (LP: #2028253)", " - SAUCE: apparmor5.0.0 [1/57]: Stacking: LSM: Single calls in secid hooks", " - SAUCE: apparmor5.0.0 [2/57]: Stacking: LSM: Exclusive secmark usage", " - SAUCE: apparmor5.0.0 [3/57]: Stacking: AppArmor: Remove the exclusive", " flag", " - SAUCE: apparmor5.0.0 [4/57]: Revert \"apparmor: fix dbus permission", " queries to v9 ABI\"", " - SAUCE: apparmor5.0.0 [5/57]: Revert \"apparmor: gate make fine grained", " unix mediation behind v9 abi\"", " - SAUCE: apparmor5.0.0 [6/57]: apparmor: net: patch to provide", " compatibility with v2.x net rules", " - SAUCE: apparmor5.0.0 [7/57]: apparmor: net: add fine grained ipv4/ipv6", " mediation", " - SAUCE: apparmor5.0.0 [8/57]: apparmor: lift compatibility check out of", " profile_af_perm", " - SAUCE: apparmor5.0.0 [9/57]: apparmor: userns: add unprivileged user ns", " mediation", " - SAUCE: apparmor5.0.0 [10/57]: apparmor: userns: Add sysctls for", " additional controls of unpriv userns restrictions", " - SAUCE: apparmor5.0.0 [12/57]: apparmor: userns: open userns related", " sysctl so lxc can check if restriction are in place", " - SAUCE: apparmor5.0.0 [13/57]: apparmor: userns: allow profile to be", " transitioned when a userns is created", " - SAUCE: apparmor5.0.0 [14/57]: apparmor: mqueue: call", " security_inode_init_security on inode creation", " - SAUCE: apparmor5.0.0 [15/57]: apparmor: mqueue: add fine grained", " mediation of posix mqueues", " - SAUCE: apparmor5.0.0 [16/57]: apparmor: uring: add io_uring mediation", " - SAUCE: apparmor5.0.0 [19/57]: apparmor: prompt: setup slab cache for", " audit data", " - SAUCE: apparmor5.0.0 [20/57]: apparmor: prompt: add the ability for", " profiles to have a learning cache", " - SAUCE: apparmor5.0.0 [21/57]: apparmor: prompt: enable userspace upcall", " for mediation", " - SAUCE: apparmor5.0.0 [22/57]: apparmor: prompt: pass prompt boolean", " through into path_name as well", " - SAUCE: apparmor5.0.0 [23/57]: apparmor: check for supported version in", " notification messages.", " - SAUCE: apparmor5.0.0 [24/57]: apparmor: refactor building notice so it", " is easier to extend", " - SAUCE: apparmor5.0.0 [25/57]: apparmor: switch from ENOTSUPP to", " EPROTONOSUPPORT", " - SAUCE: apparmor5.0.0 [26/57]: apparmor: add support for meta data tags", " - SAUCE: apparmor5.0.0 [27/57]: apparmor: prevent profile->disconnected", " double free in aa_free_profile", "", " * update apparmor and LSM stacking patch set (LP: #2028253) // Installation", " of AppArmor on a 6.14 kernel produces error message \"Illegal number: yes\"", " (LP: #2102680)", " - SAUCE: apparmor5.0.0 [17/57]: apparmor: create an", " AA_SFS_TYPE_BOOLEAN_INTPRINT sysctl variant", " - SAUCE: apparmor5.0.0 [18/57]: apparmor: Use AA_SFS_FILE_BOOLEAN_INTPRINT", " for userns and io_uring sysctls", "", " * update apparmor and LSM stacking patch set (LP: #2028253) // [FFe]", " apparmor-4.0.0-alpha2 for unprivileged user namespace restrictions in", " mantic (LP: #2032602)", " - SAUCE: apparmor5.0.0 [11/57]: apparmor: userns - make it so special", " unconfined profiles can mediate user namespaces", "", " * Enable new Intel WCL soundwire support (LP: #2143301)", " - ASoC: sdw_utils: Add CS42L43B codec info", " - ASoC: dt-bindings: cirrus, cs42l43: Add CS42L43B variant", " - mfd: cs42l43: Add support for the B variant", " - ASoC: cs42l43: Add support for the B variant", "", " * Enable audio functions on Dell Huracan/Renegade platforms w/o built-in", " microphone (LP: #2143902)", " - ASoC: SDCA: Add default value for mipi-sdca-function-reset-max-delay", " - ASoC: SDCA: Update counting of SU/GE DAPM routes", " - ASoC: SDCA: Improve mapping of Q7.8 SDCA volumes", " - ASoC: SDCA: Pull the Q7.8 volume helpers out of soc-ops", " - ASoC: add snd_soc_lookup_component_by_name helper", " - ASoC: soc_sdw_utils: partial match the codec name", " - ASoC: soc_sdw_utils: remove index from sdca codec name", "", " * [SRU] MIPI camera is not working after upgrading to 6.17-oem", " (LP: #2145171)", " - SAUCE: ACPI: respect items already in honor_dep before skipping", "", " * linux-tools: consider linking perf against LLVM (LP: #2138328)", " - [Packaging] Actually enable llvm for perf", "", " * Pull patch in qla2xxx to Resolute (LP: #2144856)", " - scsi: qla2xxx: Add support to report MPI FW state", "", " * Ubuntu Resolute Desktop image arm64 - Boot on SC8280XP stalls with gpi-dma", " errors (LP: #2142403)", " - Revert \"arm64: dts: qcom: sc8280xp: Enable GPI DMA\"", "", " * 26.04 Snapdragon X Elite: Sync concept kernel changes (LP: #2144643)", " - SAUCE: arm64: dts: add missing denali-oled.dtb to Makefile", " - SAUCE: dt-bindings: phy: qcom: Add CSI2 C-PHY/DPHY schema", " - SAUCE: phy: qcom-mipi-csi2: Add a CSI2 MIPI DPHY driver", " - SAUCE: dt-bindings: media: qcom,x1e80100-camss: Add simple-mfd", " compatible", " - SAUCE: dt-bindings: media: qcom,x1e80100-camss: Add optional PHY handle", " definitions", " - SAUCE: dt-bindings: media: qcom,x1e80100-camss: Add support for combo-", " mode endpoints", " - SAUCE: dt-bindings: media: qcom,x1e80100-camss: Describe iommu entries", " - SAUCE: media: qcom: camss: Add legacy_phy flag to SoC definition", " structures", " - SAUCE: media: qcom: camss: Add support for PHY API devices", " - SAUCE: media: qcom: camss: Drop legacy PHY descriptions from x1e", " - SAUCE: arm64: dts: qcom: x1e80100: Add CAMCC block definition", " - SAUCE: arm64: dts: qcom: x1e80100: Add CCI definitions", " - SAUCE: arm64: dts: qcom: x1e80100: Add CAMSS block definition", " - SAUCE: arm64: dts: qcom: x1e80100-crd: Add pm8010 CRD pmic,id=m", " regulators", " - SAUCE: arm64: dts: qcom: x1e80100-crd: Add ov08x40 RGB sensor on CSIPHY4", " - SAUCE: arm64: dts: qcom: x1e80100-t14s: Add pm8010 camera PMIC with", " voltage levels for IR and RGB camera", " - SAUCE: arm64: dts: qcom: x1e80100-t14s: Add on ov02c10 RGB sensor on", " CSIPHY4", " - SAUCE: arm64: dts: qcom: x1e80100-lenovo-yoga-slim7x: Add pm8010 camera", " PMIC with voltage levels for IR and RGB camera", " - SAUCE: arm64: dts: qcom: x1e80100-lenovo-yoga-slim7x: Add l7b_2p8", " voltage regulator for RGB camera", " - SAUCE: arm64: dts: qcom: x1e80100-lenovo-yoga-slim7x: Add ov02c10 RGB", " sensor on CSIPHY4", " - SAUCE: arm64: dts: qcom: x1e80100-dell-inspiron14-7441: Switch on CAMSS", " RGB sensor", " - SAUCE: arm64: dts: qcom: x1-asus-zenbook-a14: Add on OV02C10 RGB sensor", " on CSIPHY4", " - SAUCE: arm64: dts: qcom: x1e80100-dell-xps13-9345: add camera support", " - SAUCE: arm64: dts: qcom: x1e78100-t14s: enable camera privacy indicator", " - SAUCE: arm64: dts: qcom: x1e80100-lenovo-yoga-slim7x: enable camera", " privacy indicator", " - SAUCE: arm64: dts: qcom: x1e80100-dell-xps13-9345: enable camera privacy", " indicator", " - SAUCE: dt-bindings: arm: qcom: Add ASUS Vivobook X1P42100 variant", " - SAUCE: arm64: dts: qcom: x1-vivobook-s15: create a common dtsi for Hamoa", " and Purwa variants", " - SAUCE: arm64: dts: qcom: x1-vivobook-s15: add Purwa-compatible device", " tree", " - SAUCE: firmware: qcom: scm: allow QSEECOM on ASUS Vivobook X1P42100", " variant", " - SAUCE: arm64: dts: qcom: hamoa: Move PCIe PERST and Wake GPIOs to port", " nodes", " - SAUCE: arm64: dts: qcom: x1e-acer-swift-14: Move PCIe PERST and Wake", " GPIOs to port nodes", "", " * 25.10 Snapdragon X Elite: Sync concept kernel changes (LP: #2121477)", " - SAUCE: wip: arm64: dts: qcom: x1e78100-t14s: enable bluetooth", "", " * Miscellaneous Ubuntu changes", " - SAUCE: dt-bindings: arm: qcom: Document HP EliteBook 6 G1q", " - SAUCE: firmware: qcom: scm: Allow QSEECOM for HP EliteBook 6 G1q", " - SAUCE: arm64: dts: qcom: x1p42100-hp-elitebook-6-g1q: DT for HP", " EliteBook 6 G1q", " - [Config] PHY_QCOM_MIPI_CSI2=m", " - SAUCE: arm64: dts: x1e80100-lenovo-yoga-slim7x: Fix RGB camera supplies", " - [Config] toolchain version update", " - Update Changes.md after v7.0-rc5 rebase", " - [Packaging] update Ubuntu.md", " - [Config] enable SECURITY_APPARMOR_PACKET_MEDIATION_ENABLED", " - [Packaging] Add linux-main-modules-zfs to linux-modules depends", "", " * Miscellaneous upstream changes", " - Revert \"UBUNTU: SAUCE: Add Bluetooth support for the Lenovo Yoga Slim", " 7x\"", "" ], "package": "linux", "version": "7.0.0-12.12", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2146778, 1786013, 2147005, 1981437, 1990064, 2144679, 2142956, 2139664, 2142956, 2141298, 2028253, 2028253, 2102680, 2028253, 2032602, 2143301, 2143902, 2145171, 2138328, 2144856, 2142403, 2144643, 2121477 ], "author": "Timo Aaltonen ", "date": "Thu, 02 Apr 2026 11:50:22 +0300" } ], "notes": "linux-modules-7.0.0-13-generic version '7.0.0-13.13' (source package linux version '7.0.0-13.13') was added. linux-modules-7.0.0-13-generic version '7.0.0-13.13' has the same source package name, linux, as removed package linux-modules-7.0.0-10-generic. As such we can use the source package version of the removed package, '7.0.0-10.10', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-image-7.0.0-10-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "7.0.0-10.10", "version": "7.0.0-10.10" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-modules-7.0.0-10-generic", "from_version": { "source_package_name": "linux", "source_package_version": "7.0.0-10.10", "version": "7.0.0-10.10" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 26.04 resolute image from daily image serial 20260329 to 20260415", "from_series": "resolute", "to_series": "resolute", "from_serial": "20260329", "to_serial": "20260415", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }