10/04/2026, commit https://github.com/canonical/core-base/tree/0e53f34c2bc17afa2e3923d3a892087dc09def81

[ Changes in the core24 snap ]

Philip Meulengracht (2):
  snapcraft: bump to 24.04.4
  tests/lib: use the pack command

[ Changes in primed packages ]

apparmor, libapparmor1:arm64 (built from apparmor) updated from 4.0.1really4.0.1-0ubuntu0.24.04.5 to 4.0.1really4.0.1-0ubuntu0.24.04.6:

  apparmor (4.0.1really4.0.1-0ubuntu0.24.04.6) noble; urgency=medium

    * This is an SRU, tracked in LP: #2143863
    * Add patch to remove the busybox and nautilus profiles (LP: #2142792):
      - d/p/u/delete-the-busybox-and-nautilus-profiles.patch
    * d/apparmor.install, d/apparmor.maintscript: account for removal of the busybox and nautilus profiles
    * Add patches to fix socketpair regression test (LP: #2124206):
      - d/p/u/-0002-tests-regression-fix-regression-test-for-upstream.patch
      - d/p/u/-0001-tests-regressions-fix-unix_socket_pathname.sh-for.patch
      - d/p/u/0000-tests-regression-increase-unix-socket-test-timeout.patch
      - d/p/u/0001-tests-regression-Update-socketpair-test-for-upstream.patch
      - d/p/u/0002-tests-regression-update-socketpair-tests-to-detect-d.patch
      - d/p/u/0003-tests-regression-update-tests-requires-for-v9-af_unix.patch
      - d/p/u/0004-tests-regression-Improve-output-of-require_any_of_k.patch
      - d/p/u/0005-tests-regression-update-network-requirements-for-v9.patch
      - d/p/u/0006-regression-tests-update-logic-to-support-v9-af_unix-.patch
      - d/p/u/0007-tests-regressions-Fix-socket-pair-for-v7-semantics.patch
    * Add patches to fix libapparmor features parsing (LP: #2105986):
      - d/p/u/libapparmor-feature-match-prefixes.patch
      - d/p/u/libapparmor-bump-patch-version-for-features-prefix.patch
      - d/p/u/libapparmor-add-test-for-libapparmor-features-prefix.patch
    * Add patch to fix parser handling of norelatime mount flag (LP: #2110688):
      - d/p/u/parser-fix-handling-of-norelatime-mount-rule-flag.patch
    * Add patch to fix incorrect man page information (LP: #2110630)
      - d/p/u/fix-incorrect-mount-flag-apparmor.d-docs.patch
    * Add patch to add regression tests for the above two patches:
      - d/p/u/regression-verify-documented-mount-flag-behavior.patch

  -- Ryan Lee Fri, 20 Feb 2026 15:51:51 -0800

coreutils (built from coreutils) updated from 9.4-3ubuntu6.1 to 9.4-3ubuntu6.2:

  coreutils (9.4-3ubuntu6.2) noble; urgency=medium

    * Fix slow performance of 'du' on large directories (>= 10K files) on Lustre filesystems by skipping inode sorting. The default behaviour of sorting dirents by inode numbers negatively impacts performance on Lustre because it interferes with Lustre's ability to prefetch file metadata via statahead. (LP: #2137373)
      - d/p/lp2137373-skip-dirent-inode-sorting-for-lustre.patch

  -- Munir Siddiqui Fri, 23 Jan 2026 18:30:04 +0500

gdbserver (built from gdb) updated from 15.0.50.20240403-0ubuntu1 to 15.1-1ubuntu1~24.04.1:

  gdb (15.1-1ubuntu1~24.04.1) noble; urgency=medium

    * Add support for the latest IBM z17 hardware generation (LP: #2108997):
      - d/p/lp-2108997-s390-Add-arch15-instruction-names.patch
      - d/p/lp-2108997-s390-Add-arch15-Concurrent-Functions-Facility-insns.patch
      - d/p/lp-2108997-s390-Add-support-for-z17-as-CPU-name.patch
      - d/p/lp-2108997-s390-Simplify-dis-assembly-of-insn-operands.patch
      - d/p/lp-2108997-s390-Add-arch15-instructions.patch

  -- Vladimir Petko Thu, 05 Feb 2026 14:58:28 +1300

  gdb (15.1-1ubuntu1~24.04) noble-proposed; urgency=medium

    * SRU: LP: #2073363: Backport the 15.1 release to 24.04 LTS.

  -- Matthias Klose Sat, 10 Aug 2024 09:43:02 +0200

  gdb (15.1-1ubuntu1) oracular; urgency=medium

    * Merge with Debian; remaining Ubuntu changes:
      - build from upstream tarball
      - debian/control:
        - removed gdb-minimal package
        - added gdb-doc package
        - added (build-)dependency libc6-dbg on armhf
        - exclude libsource-highlight-dev on i386
      - debian/control.in:
        - added (build-)dependency libc6-dbg on armhf
        - exclude libsource-highlight-dev on i386
      - debian/patches/series:
        - apply patches gdb-strings and ptrace-error-verbosity
      - debian/gdb.install & debian/gdbserver.install:
        - include manpages in binary packages
      - debian/rules:
        - skip tests on armhf, hanging on the buildds
        - configure with --disable-werror
        - disable configure with --disable-sim
        - clean gdb/doc/GDBvn.texi before build
        - show test summary after test run
        - disable man-page installation (moved to *.install files)
    * Add loongarch64-linux-gnu as a target for gdb-multiarch.
    * Explicitly build with hardening=-all,+format.

  -- Matthias Klose Sat, 10 Aug 2024 08:21:32 +0200

  gdb (15.1-1) unstable; urgency=medium

    [ Guillem Jover ]
    * Remove references to obsolete m32r arch. (Closes: #1056763)

    [ Joel Stanley ]
    * Add or1k-linux-gnu as a target for gdb-multiarch

    [ Héctor Orón Martínez ]
    * New upstream version 15.1
    * debian/patches: refresh
    * debian/control*: stop gdb-minimal from providing gdb (Closes: #1057780)
    * debian/control{,.in}: make gdb-source Multi-Arch foreign (Closes: #1043445)
    * debian/rules: avoid build failure due to with-mpfr requiring a path
    * debian/patches/gfdl-dont-build-manpages.patch: avoid building manpages [Ricardo Ribalda]
    * debian/patches/{fix-blhc-libiberty.patch, fix-blhc-chew.patch}:
      - Fix blhc test for chew and libiberty, false positives
    * debian/rules: Fix reprotest and export build variables

    [ Aurelien Jarno ]
    * Drop kfreebsd-* specific build-depends, the ports have been removed

  -- Héctor Orón Martínez Thu, 01 Aug 2024 07:27:27 +0200

  gdb (15.1-0ubuntu1) oracular; urgency=medium

    * New upstream release.

  -- Matthias Klose Wed, 10 Jul 2024 12:36:00 +0200

libnetplan1:arm64, netplan-generator, netplan.io, python3-netplan (built from netplan.io) updated from 1.1.2-8ubuntu1~24.04.1 to 1.1.2-8ubuntu1~24.04.2:

  netplan.io (1.1.2-8ubuntu1~24.04.2) noble; urgency=medium

    * debian/patches/lp2139598-execute-udev-rules-before-sriov-apply-service.patch: execute udev rules before starting sriov apply service (LP: #2139598)

  -- Robert Malz Tue, 03 Mar 2026 12:37:33 +0100

libssl3t64:arm64, openssl (built from openssl) updated from 3.0.13-0ubuntu3.7 to 3.0.13-0ubuntu3.9:

  openssl (3.0.13-0ubuntu3.9) noble-security; urgency=medium

    * SECURITY UPDATE: NULL pointer dereference when processing an OCSP response
      - debian/patches/CVE-2026-28387.patch: dane_match_cert() should X509_free() on ->mcert instead of OPENSSL_free() in crypto/x509/x509_vfy.c.
      - CVE-2026-28387
    * SECURITY UPDATE: NULL Pointer Dereference When Processing a Delta CRL
      - debian/patches/CVE-2026-28388-1.patch: fix NULL Dereference When Delta CRL Lacks CRL Number Extension in crypto/x509/x509_vfy.c.
      - debian/patches/CVE-2026-28388-2.patch: Added test in test/*.
      - CVE-2026-28388
    * SECURITY UPDATE: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo
      - debian/patches/CVE-2026-28389.patch: Fix NULL deref in [ec]dh_cms_set_shared_info in crypto/cms/cms_dh.c, crypto/cms/cms_ec.c.
      - CVE-2026-28389
    * SECURITY UPDATE: Possible NULL Dereference When Processing CMS KeyTransportRecipientInfo
      - debian/patches/CVE-2026-28390.patch: Fix NULL deref in rsa_cms_decrypt in crypto/cms/cms_rsa.c.
      - CVE-2026-28390
    * SECURITY UPDATE: Heap buffer overflow in hexadecimal conversion
      - debian/patches/CVE-2026-31789.patch: avoid possible buffer overflow in buf2hex conversion in crypto/o_str.c.
      - CVE-2026-31789
    * SECURITY UPDATE: Incorrect failure handling in RSA KEM RSASVE encapsulation
      - debian/patches/CVE-2026-31790-1.patch: validate RSA_public_encrypt() result in RSASVE in providers/implementations/kem/rsa_kem.c.
      - debian/patches/CVE-2026-31790-2.patch: test RSA_public_encrypt() result in RSASVE in test/evp_extra_test.c.
      - CVE-2026-31790

  -- Marc Deslauriers Tue, 07 Apr 2026 08:05:56 -0400

python3-jwt (built from pyjwt) updated from 2.7.0-1 to 2.7.0-1ubuntu0.1:

  pyjwt (2.7.0-1ubuntu0.1) noble-security; urgency=medium

    * SECURITY UPDATE: Incorrect authorization of invalid JWS token.
      - debian/patches/CVE-2026-32597.patch: Add _supported_crit and checks for valid crit header in jwt/api_jws.py. Add tests in tests/test_api_jws.py and tests/test_api_jwt.py.
      - CVE-2026-32597

  -- Hlib Korzhynskyy Thu, 26 Mar 2026 10:44:41 -0230

libpam-systemd:arm64, libsystemd-shared:arm64, libsystemd0:arm64, libudev1:arm64, systemd, systemd-coredump, systemd-dev, systemd-resolved, systemd-sysv, systemd-timesyncd, udev (built from systemd) updated from 255.4-1ubuntu8.12 to 255.4-1ubuntu8.15:

  systemd (255.4-1ubuntu8.15) noble; urgency=medium

    [ Robert Malz ]
    * network: also check ID_NET_MANAGED_BY property on reconfigure (LP: #2133159)
    * net_id: depending on new udev prop, include/exclude PCI domain from netif names (LP: #2134334)

    [ Ioana Lazea ]
    * timer: don't run service immediately after restart of a timer (LP: #2141296)

  -- Robert Malz Tue, 24 Mar 2026 09:45:53 -0400

  systemd (255.4-1ubuntu8.14) noble-security; urgency=medium

    * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd
      - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves a leading slash in place
      - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag
      - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()
      - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently
    * SECURITY UPDATE: Local root execution via malicious hardware devices
      - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch
      - d/p/udev-fix-review-mixup.patch
      - No CVE number

  -- Nick Rosbrook Fri, 13 Mar 2026 12:48:42 -0400

tzdata (built from tzdata) updated from 2025b-0ubuntu0.24.04.1 to 2026a-0ubuntu0.24.04.1:

  tzdata (2026a-0ubuntu0.24.04.1) noble; urgency=medium

    * New upstream release (LP: #2143355):
      - No leap second on 2026-06-30
      - Moldova has used EU transition times since 2022
    * Add autopkgtest test case for 2025c and 2026a release
    * Update the ICU timezone data to 2026a
    * Add autopkgtest test case for ICU timezone data 2026a

  -- Nadzeya Hutsko Wed, 18 Mar 2026 16:32:22 +0100

17/03/2026, commit https://github.com/canonical/core-base/tree/37b6ca6eae54cbf2ce64fe2c836b59ee1438f27f

[ Changes in the core24 snap ]

No detected changes for the core24 snap

[ Changes in primed packages ]

cloud-init (built from cloud-init) updated from 25.2-0ubuntu1~24.04.1 to 25.3-0ubuntu1~24.04.1:

  cloud-init (25.3-0ubuntu1~24.04.1) noble; urgency=medium

    * d/p/retain-setuptools.patch: avoid upstream switch to meson build backend.
    * refresh patches:
      - d/p/no-nocloud-network.patch
      - d/p/no-single-process.patch
      - d/p/grub-dpkg-support.patch
    * Upstream snapshot based on 25.3. (LP: #2131604). List of changes from upstream can be found at https://raw.githubusercontent.com/canonical/cloud-init/25.3/ChangeLog

  -- Chad Smith Sat, 15 Nov 2025 11:02:56 -0700

libexpat1:arm64 (built from expat) updated from 2.6.1-2ubuntu0.3 to 2.6.1-2ubuntu0.4:

  expat (2.6.1-2ubuntu0.4) noble-security; urgency=medium

    * SECURITY UPDATE: NULL pointer dereference
      - debian/patches/CVE-2026-24515.patch: updates XML_ExternalEntityParserCreate to copy unknown encoding handler user data in expat/lib/xmlparse.c.
      - CVE-2026-24515
    * SECURITY UPDATE: integer overflow
      - debian/patches/CVE-2026-25210*.patch: adds an integer overflow check for tag buffer reallocation in the doContent function of expat/lib/xmlparse.c.
      - CVE-2026-25210

  -- Ian Constantin Wed, 04 Feb 2026 17:24:08 +0200

libfreetype6:arm64 (built from freetype) updated from 2.13.2+dfsg-1build3 to 2.13.2+dfsg-1ubuntu0.1:

  freetype (2.13.2+dfsg-1ubuntu0.1) noble-security; urgency=medium

    * SECURITY UPDATE: Integer Overflow
      - debian/patches/CVE-2026-23865.patch: Check for overflow in array size computation
      - CVE-2026-23865

  -- Bruce Cable Tue, 10 Mar 2026 17:40:24 +1100

gcc-14-base:arm64, gcc-14-base:armhf, libgcc-s1:arm64, libgcc-s1:armhf, libstdc++6:arm64 (built from gcc-14) updated from 14.2.0-4ubuntu2~24.04 to 14.2.0-4ubuntu2~24.04.1:

  gcc-14 (14.2.0-4ubuntu2~24.04.1) noble; urgency=medium

    * d/p/pr118976.diff: Fix memory corruption when executing 256-bit Scalable Vector Extensions code on 128-bit CPUs (LP: #2101084).

  -- Vladimir Petko Fri, 19 Dec 2025 10:36:50 +1300

gnutls-bin, libgnutls-dane0t64:arm64, libgnutls30t64:arm64 (built from gnutls28) updated from 3.8.3-1.1ubuntu3.4 to 3.8.3-1.1ubuntu3.5:

  gnutls28 (3.8.3-1.1ubuntu3.5) noble-security; urgency=medium

    * SECURITY UPDATE: DoS via malicious certificates
      - debian/patches/CVE-2025-14831-*.patch: rework processing algorithms to exhibit better performance characteristics in lib/x509/name_constraints.c, tests/name-constraints-ip.c.
      - CVE-2025-14831
    * SECURITY UPDATE: stack overflow via long token label
      - debian/patches/CVE-2025-9820.patch: avoid stack overwrite when initializing a token in lib/pkcs11_write.c, tests/Makefile.am, tests/pkcs11/long-label.c.
      - CVE-2025-9820

  -- Marc Deslauriers Tue, 10 Feb 2026 11:09:12 -0500

libpng16-16t64:arm64 (built from libpng1.6) updated from 1.6.43-5ubuntu0.4 to 1.6.43-5ubuntu0.5:

  libpng1.6 (1.6.43-5ubuntu0.5) noble-security; urgency=medium

    * SECURITY UPDATE: OOB read in png_set_quantize()
      - debian/patches/CVE-2026-25646.patch: fix a heap buffer overflow in pngrtran.c.
      - CVE-2026-25646

  -- Marc Deslauriers Wed, 11 Feb 2026 09:27:12 -0500

opensc, opensc-pkcs11:arm64 (built from opensc) updated from 0.25.0~rc1-1ubuntu0.1~esm1 to 0.25.0~rc1-1ubuntu0.2+esm1:

  opensc (0.25.0~rc1-1ubuntu0.2+esm1) noble-security; urgency=medium

    * SECURITY UPDATE: Missing variable initialization
      - debian/patches/CVE-2024-45615-1.patch: Fix uninitialized values
      - debian/patches/CVE-2024-45615-2.patch: Initialize variables for tag and CLA
      - debian/patches/CVE-2024-45615-3.patch: Initialize OID length
      - debian/patches/CVE-2024-45615-4.patch: Initialize variables for tag and CLA
      - debian/patches/CVE-2024-45615-5.patch: Avoid using uninitialized memory
      - debian/patches/CVE-2024-45617-1.patch: Check return value when selecting AID
      - debian/patches/CVE-2024-45617-2.patch: Return error when response length is 0
      - debian/patches/CVE-2024-45617-3.patch: Check number of read bytes
      - debian/patches/CVE-2024-45618-1.patch: Check return value of serial num conversion
      - debian/patches/CVE-2024-45618-2.patch: Report transport key error
      - CVE-2024-45615
      - CVE-2024-45617
      - CVE-2024-45618
    * SECURITY UPDATE: Buffer overflow
      - debian/patches/CVE-2024-45616-1.patch: Fix uninitialized values
      - debian/patches/CVE-2024-45616-2.patch: Check length of APDU response
      - debian/patches/CVE-2024-45616-3.patch: Correctly calculate certificate length based on the resplen
      - debian/patches/CVE-2024-45616-4.patch: Check length of serial number
      - debian/patches/CVE-2024-45616-5.patch: Use actual length of response buffer
      - debian/patches/CVE-2024-45616-6.patch: Check length of response buffer in select
      - debian/patches/CVE-2024-45616-7.patch: Check APDU response length and ASN1 lengths
      - debian/patches/CVE-2024-45616-8.patch: Report invalid SW when reading object
      - debian/patches/CVE-2024-45616-9.patch: Avoid using uninitialized memory
      - debian/patches/CVE-2024-45616-10.patch: Check length of serial number
      - debian/patches/CVE-2024-45619-1.patch: Check number of read bytes for cert
      - debian/patches/CVE-2024-45619-2.patch: Check certificate length before accessing
      - debian/patches/CVE-2024-45619-3.patch: Check length of buffer for object
      - debian/patches/CVE-2024-45619-4.patch: Check length of generated key
      - debian/patches/CVE-2024-45619-5.patch: Properly check length of file list
      - debian/patches/CVE-2024-45619-6.patch: Check length of buffer before conversion
      - debian/patches/CVE-2024-45620-1.patch: Check length of file to be non-zero
      - debian/patches/CVE-2024-45620-2.patch: Check length of data before dereferencing
      - debian/patches/CVE-2024-45620-3.patch: Check length of data when parsing
      - debian/patches/CVE-2024-8443-1.patch: Avoid buffer overflow when writing fingerprint
      - debian/patches/CVE-2024-8443-2.patch: Do not accept non-matching key

  -- Eduardo Barretto Wed, 25 Feb 2026 14:46:47 +0100

  opensc (0.25.0~rc1-1ubuntu0.2) noble-security; urgency=medium

    * No-change rebuild to security

  -- Eduardo Barretto Mon, 16 Feb 2026 17:57:28 +0100

  opensc (0.25.0~rc1-1ubuntu0.1) noble; urgency=medium

    * Load FIPS provider by default when system is in FIPS mode d/p/lp2127205-Load-FIPS-provider-by-default-when-system-is-in-FIPS.patch (LP: #2127205)

  -- Dariusz Gadomski Mon, 26 Jan 2026 17:19:21 +0100

openssh-client, openssh-server, openssh-sftp-server (built from openssh) updated from 1:9.6p1-3ubuntu13.14 to 1:9.6p1-3ubuntu13.15:

  openssh (1:9.6p1-3ubuntu13.15) noble-security; urgency=medium

    * SECURITY UPDATE: GSSAPI Key Exchange issue
      - debian/patches/gssapi.patch: replace incorrect use of sshpkt_disconnect() with ssh_packet_disconnect() and properly initialize some vars.
      - CVE-2026-3497
    * SECURITY UPDATE: Untrusted control characters in usernames
      - debian/patches/CVE-2025-61984.patch: refuse usernames that include control characters in ssh.c.
      - CVE-2025-61984
    * SECURITY UPDATE: Code execution in ProxyCommand via NULL character
      - debian/patches/CVE-2025-61985.patch: don't allow \0 characters in url-encoded strings in misc.c.
      - CVE-2025-61985

  -- Marc Deslauriers Wed, 04 Mar 2026 12:55:04 -0500

python3-cryptography (built from python-cryptography) updated from 41.0.7-4ubuntu0.1 to 41.0.7-4ubuntu0.4:

  python-cryptography (41.0.7-4ubuntu0.4) noble-security; urgency=medium

    * SECURITY REGRESSION: ecc support regression (LP: #2144373)
      - debian/patches/CVE-2026-26007.patch: updated to remove problematic deprecation warning code which is causing a regression with ansible.

  -- Marc Deslauriers Sat, 14 Mar 2026 08:18:05 -0400

  python-cryptography (41.0.7-4ubuntu0.3) noble-security; urgency=medium

    * SECURITY UPDATE: Subgroup Attack Due to Missing Subgroup Validation for SECT Curves
      - debian/patches/CVE-2026-26007.patch: EC check key on cofactor > 1 in src/cryptography/hazmat/primitives/asymmetric/ec.py, src/cryptography/utils.py, tests/hazmat/primitives/test_ec.py, src/_cffi_src/openssl/ec.py, src/cryptography/hazmat/backends/openssl/ec.py.
      - CVE-2026-26007

  -- Marc Deslauriers Fri, 20 Feb 2026 09:45:35 -0500

libpython3.12-minimal:arm64, libpython3.12-stdlib:arm64, python3.12, python3.12-minimal (built from python3.12) updated from 3.12.3-1ubuntu0.11 to 3.12.3-1ubuntu0.12:

  python3.12 (3.12.3-1ubuntu0.12) noble-security; urgency=medium

    * SECURITY REGRESSION: Revert patch for CVE-2025-15366
      - debian/patches/CVE-2025-15366.patch: Reverted. Patch breaks RFC 9051 IMAP conformance and introduces behavior regressions avoided by upstream.
      - CVE-2025-15366
    * SECURITY REGRESSION: Revert patch for CVE-2025-15367
      - debian/patches/CVE-2025-15367.patch: Reverted to prevent behavior regressions, aligning with upstream backporting decisions.
      - CVE-2025-15367
    * SECURITY REGRESSION: Allow HTAB in wsgiref header values
      - debian/patches/CVE-2026-0865-2.patch: Permit HTAB in header values (excluding names) in Lib/wsgiref/headers.py, add test coverage.
      - CVE-2026-0865

  -- Vyom Yadav Tue, 03 Mar 2026 17:45:18 +0530

sudo (built from sudo) updated from 1.9.15p5-3ubuntu5.24.04.1 to 1.9.15p5-3ubuntu5.24.04.2:

  sudo (1.9.15p5-3ubuntu5.24.04.2) noble-security; urgency=medium

    * SECURITY UPDATE: exec_mailer gid issue (LP: #2143042)
      - debian/patches/lp2143042.patch: set group as well as uid when running the mailer and make a setuid(), setgid() or setgroups() failure fatal in include/sudo_eventlog.h, lib/eventlog/eventlog.c, lib/eventlog/eventlog_conf.c, plugins/sudoers/logging.c, plugins/sudoers/policy.c.
      - No CVE number

  -- Marc Deslauriers Mon, 02 Mar 2026 07:56:19 -0500

bsdutils, fdisk, libblkid1:arm64, libfdisk1:arm64, libmount1:arm64, libsmartcols1:arm64, libuuid1:arm64, mount, rfkill, util-linux (built from util-linux) updated from 1:2.39.3-9ubuntu6.4 to 1:2.39.3-9ubuntu6.5:

vim-common, vim-tiny (built from vim) updated from 2:9.1.0016-1ubuntu7.9 to 2:9.1.0016-1ubuntu7.10:

  vim (2:9.1.0016-1ubuntu7.10) noble-security; urgency=medium

    * SECURITY UPDATE: Buffer Overflow
      - debian/patches/CVE-2026-26269.patch: Limit writing to max KEYBUFLEN bytes to prevent writing out of bounds.
      - debian/patches/CVE-2026-28420.patch: Use VTERM_MAX_CHARS_PER_CELL * 4 for ga_grow() to ensure sufficient space. Add a boundary check to the character loop to prevent index out-of-bounds access.
      - debian/patches/CVE-2026-28422.patch: Update the size check to account for the byte length of the fill character (using MB_CHAR2LEN).
      - debian/patches/CVE-2026-25749.patch: Limit strncpy to the length of the buffer (MAXPATHL)
      - CVE-2026-26269
      - CVE-2026-28420
      - CVE-2026-28422
      - CVE-2026-25749
    * SECURITY UPDATE: Command Injection
      - debian/patches/CVE-2026-28417.patch: Implement stricter RFC1123 hostname and IP validation. Use shellescape() for the provided hostname and port.
      - CVE-2026-28417
    * SECURITY UPDATE: Out of Bounds Read
      - debian/patches/CVE-2026-28418.patch: Check for end of buffer and return early.
      - CVE-2026-28418
    * SECURITY UPDATE: Buffer Underflow
      - debian/patches/CVE-2026-28419.patch: Add a check to ensure the delimiter (p_7f) is not at the start of the buffer (lbuf) before attempting to isolate the tag name.
      - CVE-2026-28419
    * SECURITY UPDATE: Denial of Service
      - debian/patches/CVE-2026-28421.patch: Add bounds checks on pe_page_count and pe_bnum against mf_blocknr_max before descending into the block tree, and validate pe_old_lnum >= 1 and pe_line_count > 0 before calling readfile().
      - CVE-2026-28421

  -- Bruce Cable Tue, 10 Mar 2026 20:13:01 +1100

wpasupplicant (built from wpa) updated from 2:2.10-21ubuntu0.3 to 2:2.10-21ubuntu0.4:

  wpa (2:2.10-21ubuntu0.4) noble; urgency=medium

    * Add SaePasswordMismatch signal handling (LP: #2125203)

  -- Mitchell Augustin Wed, 04 Feb 2026 17:33:00 -0600

11/02/2026, commit https://github.com/canonical/core-base/tree/37b6ca6eae54cbf2ce64fe2c836b59ee1438f27f

[ Changes in the core24 snap ]

Alfonso Sánchez-Beato (1):
  hooks: add script to remove unneeded apparmor profiles

[ Changes in primed packages ]

base-files (built from base-files) updated from 13ubuntu10.3 to 13ubuntu10.4:

  base-files (13ubuntu10.4) noble; urgency=medium

    * /etc/issue{,.net}, /etc/{lsb,os}-release: bump version to 24.04.4 (LP: #2140756)

  -- Florent 'Skia' Jacquet Fri, 06 Feb 2026 08:23:01 +0100

libglib2.0-0t64:arm64 (built from glib2.0) updated from 2.80.0-6ubuntu3.6 to 2.80.0-6ubuntu3.8:

  glib2.0 (2.80.0-6ubuntu3.8) noble-security; urgency=medium

    * SECURITY UPDATE: integer overflow in Base64 encoding
      - debian/patches/CVE-2026-1484-1.patch: use gsize to prevent potential overflow in glib/gbase64.c.
      - debian/patches/CVE-2026-1484-2.patch: ensure that the out value is within allocated size in glib/gbase64.c.
      - CVE-2026-1484
    * SECURITY UPDATE: buffer underflow via header length
      - debian/patches/CVE-2026-1485.patch: do not overflow if header is longer than MAXINT in gio/gcontenttype.c.
      - CVE-2026-1485
    * SECURITY UPDATE: integer overflow via Unicode case conversion
      - debian/patches/CVE-2026-1489-1.patch: use size_t for output_marks length in glib/guniprop.c.
      - debian/patches/CVE-2026-1489-2.patch: do not convert size_t to gint in glib/guniprop.c.
      - debian/patches/CVE-2026-1489-3.patch: ensure we do not overflow size in glib/guniprop.c.
      - debian/patches/CVE-2026-1489-4.patch: add test debug information when parsing input files in glib/tests/unicode.c.
      - CVE-2026-1489

  -- Marc Deslauriers Wed, 28 Jan 2026 12:53:07 -0500

  glib2.0 (2.80.0-6ubuntu3.7) noble-security; urgency=medium

    * SECURITY UPDATE: Integer overflow in g_buffered_input_stream_peek()
      - debian/patches/CVE-2026-0988.patch: fix a potential integer overflow in peek() in gio/gbufferedinputstream.c, gio/tests/buffered-input-stream.c.
      - CVE-2026-0988

  -- Marc Deslauriers Tue, 20 Jan 2026 08:08:27 -0500

libc-bin, libc6:arm64, libc6:armhf (built from glibc) updated from 2.39-0ubuntu8.6 to 2.39-0ubuntu8.7:

  glibc (2.39-0ubuntu8.7) noble-security; urgency=medium

    * SECURITY UPDATE: use-after-free in wordexp_t fields
      - debian/patches/CVE-2025-15281.patch: posix: Reset wordexp_t fields with WRDE_REUSE
      - CVE-2025-15281
    * SECURITY UPDATE: integer overflow in memalign
      - debian/patches/CVE-2026-0861.patch: memalign: reinstate alignment overflow check
      - CVE-2026-0861
    * SECURITY UPDATE: memory leak in NSS DNS
      - debian/patches/CVE-2026-0915.patch: resolv: Fix NSS DNS backend for getnetbyaddr
      - CVE-2026-0915

  -- Nishit Majithia Fri, 30 Jan 2026 13:57:54 +0530

gpgv (built from gnupg2) updated from 2.4.4-2ubuntu17.3 to 2.4.4-2ubuntu17.4:

  gnupg2 (2.4.4-2ubuntu17.4) noble-security; urgency=medium

    * SECURITY UPDATE: Remote Code Execution
      - debian/patches/CVE-2025-68973.patch: gpg: Fix possible memory corruption in the armor parser.
      - CVE-2025-68973

  -- Allen Huang Mon, 05 Jan 2026 22:01:39 +0000

libdrm-common, libdrm2:arm64 (built from libdrm) updated from 2.4.122-1~ubuntu0.24.04.2 to 2.4.125-1ubuntu0.1~24.04.1:

  libdrm (2.4.125-1ubuntu0.1~24.04.1) noble; urgency=medium

    * Backport to noble. (LP: #2126037)
      - amdgpu-add-env-support-for-amdgpu-ids.patch dropped as it has changed on the upstream merge request and hasn't landed yet

  -- Timo Aaltonen Fri, 07 Nov 2025 14:50:51 +0200

  libdrm (2.4.125-1ubuntu0.1) questing; urgency=medium

    * patches: Identify APUs from hardware (LP: #2127944)

  -- Timo Aaltonen Fri, 24 Oct 2025 17:43:46 +0300

  libdrm (2.4.125-1) experimental; urgency=medium

    [ Jianfeng Liu ]
    * Enable build libdrm-intel1 for loong64. (Closes: #1107223)

    [ Timo Aaltonen ]
    * New upstream release.
    * patches: Drop the upstreamed fix for xf86drm.
    * symbols: Updated.

  -- Timo Aaltonen Wed, 25 Jun 2025 10:46:34 +0300

  libdrm (2.4.124-2) unstable; urgency=medium

    [ Daniel van Vugt ]
    * Add xf86drm-Handle-NULL-in-drmCopyVersion.patch (LP: #2104352)

    [ Bo YU ]
    * Enable building libdrm-intel1 for riscv64 (Closes: #1085314)

  -- Timo Aaltonen Tue, 01 Apr 2025 11:08:19 +0300

  libdrm (2.4.124-1) unstable; urgency=medium

    * New upstream release.
    * amdgpu-add-env-support-for-amdgpu-ids.patch: Add a patch to allow using an env variable for amdgpu.ids path. (LP: #2100483)

  -- Timo Aaltonen Thu, 27 Feb 2025 14:57:25 +0200

  libdrm (2.4.123-1) unstable; urgency=medium

    * New upstream release.
    * Add upstream metadata, drop old git url from d/watch.
    * Update signing-key.asc.

  -- Timo Aaltonen Tue, 10 Sep 2024 11:03:50 +0300

  libdrm (2.4.122-1) unstable; urgency=medium

    * New upstream release. (Closes: #1059854)
    * control: Migrate to pkgconf.

  -- Timo Aaltonen Thu, 01 Aug 2024 13:52:56 +0300

libpng16-16t64:arm64 (built from libpng1.6) updated from 1.6.43-5ubuntu0.1 to 1.6.43-5ubuntu0.4:

  libpng1.6 (1.6.43-5ubuntu0.4) noble-security; urgency=medium

    * SECURITY UPDATE: DoS via buffer overflow caused by memory leaks
      - debian/patches/CVE-2025-2816x.patch: clean up on user/internal errors in contrib/libtests/pngimage.c, pngerror.c.
      - CVE-2025-28162
      - CVE-2025-28164

  -- Marc Deslauriers Thu, 29 Jan 2026 11:18:41 -0500

  libpng1.6 (1.6.43-5ubuntu0.3) noble-security; urgency=medium

    * SECURITY UPDATE: OOB in png_image_read_composite
      - debian/patches/CVE-2025-66293-1.patch: validate component size in pngread.c.
      - debian/patches/CVE-2025-66293-2.patch: improve fix in pngread.c.
      - CVE-2025-66293
    * SECURITY UPDATE: Heap buffer over-read in png_image_read_direct_scaled
      - debian/patches/CVE-2026-22695.patch: fix memcpy size in pngread.c.
      - CVE-2026-22695
    * SECURITY UPDATE: Integer truncation causing heap buffer over-read
      - debian/patches/CVE-2026-22801.patch: remove incorrect truncation casts in CMakeLists.txt, contrib/libtests/pngstest.c, pngwrite.c, tests/pngstest-large-stride.
      - CVE-2026-22801

  -- Marc Deslauriers Mon, 12 Jan 2026 13:14:03 -0500

libtasn1-6:arm64 (built from libtasn1-6) updated from 4.19.0-3ubuntu0.24.04.1 to 4.19.0-3ubuntu0.24.04.2:

  libtasn1-6 (4.19.0-3ubuntu0.24.04.2) noble-security; urgency=medium

    * SECURITY UPDATE: Stack-based buffer overflow
      - debian/patches/CVE-2025-13151.patch: fix asn1_expand_octet_string buffer size in lib/decoding.c.
      - CVE-2025-13151

  -- Marc Deslauriers Thu, 08 Jan 2026 12:24:41 -0500

libssl3t64:arm64, openssl (built from openssl) updated from 3.0.13-0ubuntu3.6 to 3.0.13-0ubuntu3.7:

  openssl (3.0.13-0ubuntu3.7) noble-security; urgency=medium

    * SECURITY UPDATE: Stack buffer overflow in CMS AuthEnvelopedData parsing
      - debian/patches/CVE-2025-15467-1.patch: correct handling of AEAD-encrypted CMS with inadmissibly long IV in crypto/evp/evp_lib.c.
      - debian/patches/CVE-2025-15467-2.patch: some comments to clarify functions usage in crypto/asn1/evp_asn1.c.
      - debian/patches/CVE-2025-15467-3.patch: test for handling of AEAD-encrypted CMS with inadmissibly long IV in test/cmsapitest.c, test/recipes/80-test_cmsapi.t, test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem.
      - CVE-2025-15467
    * SECURITY UPDATE: Heap out-of-bounds write in BIO_f_linebuffer on short writes
      - debian/patches/CVE-2025-68160.patch: fix heap buffer overflow in BIO_f_linebuffer in crypto/bio/bf_lbuf.c.
      - CVE-2025-68160
    * SECURITY UPDATE: Unauthenticated/unencrypted trailing bytes with low-level OCB function calls
      - debian/patches/CVE-2025-69418.patch: fix OCB AES-NI/HW stream path unauthenticated/unencrypted trailing bytes in crypto/modes/ocb128.c.
      - CVE-2025-69418
    * SECURITY UPDATE: Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion
      - debian/patches/CVE-2025-69419.patch: check return code of UTF8_putc in crypto/asn1/a_strex.c, crypto/pkcs12/p12_utl.c.
      - CVE-2025-69419
    * SECURITY UPDATE: Missing ASN1_TYPE validation in TS_RESP_verify_response() function
      - debian/patches/CVE-2025-69420.patch: verify ASN1 object's types before attempting to access them as a particular type in crypto/ts/ts_rsp_verify.c.
      - CVE-2025-69420
    * SECURITY UPDATE: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex
      - debian/patches/CVE-2025-69421.patch: add NULL check in crypto/pkcs12/p12_decr.c.
      - CVE-2025-69421
    * SECURITY UPDATE: ASN1_TYPE missing validation and type confusion
      - debian/patches/CVE-2026-2279x.patch: ensure ASN1 types are checked before use in apps/s_client.c, crypto/pkcs12/p12_kiss.c, crypto/pkcs7/pk7_doit.c.
      - CVE-2026-22795
      - CVE-2026-22796

  -- Marc Deslauriers Mon, 26 Jan 2026 07:31:31 -0500

python3-urllib3 (built from python-urllib3) updated from 2.0.7-1ubuntu0.3 to 2.0.7-1ubuntu0.6:

  python-urllib3 (2.0.7-1ubuntu0.6) noble-security; urgency=medium

    * SECURITY REGRESSION: Zstandard missing attribute after CVE-2025-66471 fix. (LP: #2136906)
      - debian/patches/CVE-2025-66471-fix2.patch: Fall back if "needs_input" is not a zstd object attribute in src/urllib3/response.py.

  -- Hlib Korzhynskyy Tue, 13 Jan 2026 09:34:51 -0330

  python-urllib3 (2.0.7-1ubuntu0.5) noble-security; urgency=medium

    * SECURITY REGRESSION: Zstd issues after CVE-2025-66471 fix. (LP: #2136906)
      - debian/patches/CVE-2025-66471-fix1.patch: Revert zstd fix due to not being compatible with zstandard.

  -- Hlib Korzhynskyy Mon, 12 Jan 2026 17:27:22 -0330

  python-urllib3 (2.0.7-1ubuntu0.4) noble-security; urgency=medium

    * SECURITY UPDATE: Decompression bomb in HTTP redirect responses.
      - debian/patches/CVE-2026-21441.patch: Add decode_content to self.read() in src/urllib3/response.py. Add tests in test/with_dummyserver/test_connectionpool.py and dummyserver/app.py.
      - CVE-2026-21441

  -- Hlib Korzhynskyy Thu, 08 Jan 2026 15:36:38 -0330

libpython3.12-minimal:arm64, libpython3.12-stdlib:arm64, python3.12, python3.12-minimal (built from python3.12) updated from 3.12.3-1ubuntu0.9 to 3.12.3-1ubuntu0.11:

  python3.12 (3.12.3-1ubuntu0.11) noble-security; urgency=medium

    * SECURITY UPDATE: Header injection in email messages where addresses are not sanitized.
      - debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash in Lib/email/_header_value_parser.py. Add test in Lib/test/test_email/test__header_value_parser.py.
      - CVE-2025-11468
    * SECURITY UPDATE: Quadratic algorithm when building excessively nested XML documents.
      - debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.
      - CVE-2025-12084
    * SECURITY UPDATE: OOM and denial of service when opening malicious plist file.
      - debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.
- CVE-2025-13837 * SECURITY UPDATE: Header injection in user controlled data URLs in urllib. - debian/patches/CVE-2025-15282.patch: Add control character checks in Lib/urllib/request.py. Add test in Lib/test/test_urllib.py. * SECURITY UPDATE: Command injection through user controlled commands in imaplib. - debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in Lib/imaplib.py. Add test in Lib/test/test_imaplib.py. * SECURITY UPDATE: Command injection through user controlled commands in poplib. - debian/patches/CVE-2025-15367.patch: Add control character regex check in Lib/poplib.py. Add test in Lib/test/test_poplib.py. - CVE-2025-15367 * SECURITY UPDATE: HTTP header injection in user controlled cookie values. - debian/patches/CVE-2026-0672.patch: Add _control_characters_re and checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py. - CVE-2026-0672 * SECURITY UPDATE: HTTP header injection in user controlled headers and values with newlines. - debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and Lib/test/test_wsgiref.py. 
- CVE-2026-0865 -- Hlib Korzhynskyy Thu, 22 Jan 2026 17:27:42 -0330 python3.12 (3.12.3-1ubuntu0.10) noble-security; urgency=medium * SECURITY UPDATE: HTTP Content-Length denial of service - debian/patches/CVE-2025-13836.patch: Read large data in chunks with geometric reads in Lib/http/client.py and add tests in Lib/test/test_httplib.py - CVE-2025-13836 -- Vyom Yadav Thu, 08 Jan 2026 17:00:50 +0530 07/01/2026, commit https://github.com/canonical/core-base/tree/877c452311fe667019aaa475aae73b3e283b8f7b [ Changes in the core24 snap ] No detected changes for the core24 snap [ Changes in primed packages ] dhcpcd-base (built from dhcpcd) updated from 1:10.0.6-1ubuntu3.1 to 1:10.0.6-1ubuntu3.2: dhcpcd (1:10.0.6-1ubuntu3.2) noble; urgency=medium * Fix intermittent dumplease failures when parsing stdin (LP: #2131252) - d/p/lp2131252-0-Force-dumplease-to-parse-stdin.patch - d/p/lp2131252-1-Improve-and-document-prior.patch -- Bryan Fraschetti Thu, 13 Nov 2025 12:47:30 -0500 libglib2.0-0t64:arm64 (built from glib2.0) updated from 2.80.0-6ubuntu3.5 to 2.80.0-6ubuntu3.6: glib2.0 (2.80.0-6ubuntu3.6) noble-security; urgency=medium * SECURITY UPDATE: overflow via long invalid ISO 8601 timestamp - debian/patches/CVE-2025-3360-1.patch: fix integer overflow when parsing very long ISO8601 inputs in glib/gdatetime.c. - debian/patches/CVE-2025-3360-2.patch: fix potential integer overflow in timezone offset handling in glib/gdatetime.c. - debian/patches/CVE-2025-3360-3.patch: track timezone length as an unsigned size_t in glib/gdatetime.c. - debian/patches/CVE-2025-3360-4.patch: factor out some string pointer arithmetic in glib/gdatetime.c. - debian/patches/CVE-2025-3360-5.patch: factor out an undersized variable in glib/gdatetime.c. - debian/patches/CVE-2025-3360-6.patch: add some missing GDateTime ISO8601 parsing tests in glib/tests/gdatetime.c. 
- CVE-2025-3360 * SECURITY UPDATE: GString overflow - debian/patches/CVE-2025-6052.patch: fix overflow check when expanding the string in glib/gstring.c. - CVE-2025-6052 * SECURITY UPDATE: integer overflow in temp file creation - debian/patches/CVE-2025-7039.patch: fix computation of temporary file name in glib/gfileutils.c. - CVE-2025-7039 * SECURITY UPDATE: heap overflow in g_escape_uri_string() - debian/patches/CVE-2025-13601.patch: add overflow check in glib/gconvert.c. - CVE-2025-13601 * SECURITY UPDATE: buffer underflow through glib/gvariant - debian/patches/CVE-2025-14087-1.patch: fix potential integer overflow parsing (byte)strings in glib/gvariant-parser.c. - debian/patches/CVE-2025-14087-2.patch: use size_t to count numbers of child elements in glib/gvariant-parser.c. - debian/patches/CVE-2025-14087-3.patch: convert error handling code to use size_t in glib/gvariant-parser.c. - CVE-2025-14087 * SECURITY UPDATE: integer overflow in gfileattribute - debian/patches/gfileattribute-overflow.patch: add overflow check in gio/gfileattribute.c. 
- No CVE number -- Marc Deslauriers Wed, 10 Dec 2025 10:51:22 -0500 libpng16-16t64:arm64 (built from libpng1.6) updated from 1.6.43-5build1 to 1.6.43-5ubuntu0.1: libpng1.6 (1.6.43-5ubuntu0.1) noble-security; urgency=medium * SECURITY UPDATE: buffer overflow issue - debian/patches/CVE-2025-64505.patch: Fix a buffer overflow in png_do_quantize - debian/patches/CVE-2025-64506.patch: Fix a heap buffer overflow in png_write_image_8bit - debian/patches/CVE-2025-64720.patch: Fix a buffer overflow in png_init_read_transformations - debian/patches/CVE-2025-65018.patch: Fix a heap buffer overflow in png_image_finish_read - CVE-2025-64505 - CVE-2025-64506 - CVE-2025-64720 - CVE-2025-65018 -- Nishit Majithia Tue, 09 Dec 2025 17:36:48 +0530 python3-urllib3 (built from python-urllib3) updated from 2.0.7-1ubuntu0.2 to 2.0.7-1ubuntu0.3: python-urllib3 (2.0.7-1ubuntu0.3) noble-security; urgency=medium * SECURITY UPDATE: Denial of service due to unbounded decompression chain. - debian/patches/CVE-2025-66418.patch: Add max_decode_links limit and checks in src/urllib3/response.py. Add test in test/test_response.py. - CVE-2025-66418 * SECURITY UPDATE: Denial of service due to decompression bomb. - debian/patches/CVE-2025-66471.patch: Fix decompression bomb in src/urllib3/response.py. Add tests in test/test_response.py. - debian/patches/CVE-2025-66471-post1.patch: Remove brotli version warning due to intrusive backport for brotli fixes and upstream version warning not being appropriate for distro backporting. 
- CVE-2025-66471 -- Hlib Korzhynskyy Wed, 10 Dec 2025 15:56:11 -0330 libpam-systemd:arm64, libsystemd-shared:arm64, libsystemd0:arm64, libudev1:arm64, systemd, systemd-coredump, systemd-dev, systemd-resolved, systemd-sysv, systemd-timesyncd, udev (built from systemd) updated from 255.4-1ubuntu8.11 to 255.4-1ubuntu8.12: systemd (255.4-1ubuntu8.12) noble; urgency=medium * basic: validate timezones in get_timezones() (LP: #2125405) * ukify: fix insertion of padding in merged sections (LP: #2132666) * core: downgrade a log message from warning to debug (LP: #2130554) * test: skip testcase_multipath_basic_failover. This test has been failing on Ubuntu infrastructure for a long time. Leaving this alone at the moment allows other failures to potentially go unnoticed, because the migration reference baseline has been reset to fail. Skip the test to try and reset the baseline to pass. * d/gbp.conf: stop using wrap_cl.py -- Nick Rosbrook Tue, 25 Nov 2025 13:16:31 -0500 bsdutils, fdisk, libblkid1:arm64, libfdisk1:arm64, libmount1:arm64, libsmartcols1:arm64, libuuid1:arm64, mount, rfkill, util-linux (built from util-linux) updated from 1:2.39.3-9ubuntu6.3 to 1:2.39.3-9ubuntu6.4: 10/12/2025, commit https://github.com/canonical/core-base/tree/877c452311fe667019aaa475aae73b3e283b8f7b [ Changes in the core24 snap ] Alfonso Sánchez-Beato (1): static: do not scan loop and mmc boot partitions Philip Meulengracht (3): tmpfiles.d: ignore snaps private tmp folder when cleaning /tmp hooks: switch to ubuntu-advantage (#382) static: add snapd.conf from the snapd debian, remove the other one (#384) [ Changes in primed packages ] apparmor, libapparmor1:arm64 (built from apparmor) updated from 4.0.1really4.0.1-0ubuntu0.24.04.4 to 4.0.1really4.0.1-0ubuntu0.24.04.5: apparmor (4.0.1really4.0.1-0ubuntu0.24.04.5) noble; urgency=medium * profiles: make /sys/devices PCI paths hex-aware (LP: #2115234) -- Keifer Snedeker Fri, 15 Aug 2025 13:16:02 +0100 libglib2.0-0t64:arm64 (built from glib2.0) 
updated from 2.80.0-6ubuntu3.4 to 2.80.0-6ubuntu3.5: glib2.0 (2.80.0-6ubuntu3.5) noble; urgency=medium * debian: Update VCS references to ubuntu/noble branch * debian/patches: Fix a crash on arg0 matching. This is causing a crash in tracker if the battery charging state changes while tracker is indexing files, as tracker-extract-3 will try to emit property changes with a NULL arg0. (LP: #2119581) -- Marco Trevisan (Treviño) Tue, 04 Nov 2025 16:05:02 +0100 libdrm-common, libdrm2:arm64 (built from libdrm) updated from 2.4.122-1~ubuntu0.24.04.1 to 2.4.122-1~ubuntu0.24.04.2: libdrm (2.4.122-1~ubuntu0.24.04.2) noble; urgency=medium * patches: Identify APUs from hardware (LP: #2127944) -- Timo Aaltonen Fri, 24 Oct 2025 17:48:33 +0300 libnetplan1:arm64, netplan-generator, netplan.io, python3-netplan (built from netplan.io) updated from 1.1.2-2~ubuntu24.04.2 to 1.1.2-8ubuntu1~24.04.1: netplan.io (1.1.2-8ubuntu1~24.04.1) noble; urgency=medium * Backport netplan.io 1.1.2-8ubuntu1 (LP: #2127195) - Allows non standard OVS setups (e.g. 
OVS from snap) - Test improvements, especially for slower architectures such as riscv64 - d/t/cloud-init.sh: Adopt for actually generated files instead of dummies - d/control: use dbus-daemon instead of dbus-x11 for build-time tests and suggests systemd-resolved * SRU compatibility - d/gbp.conf: Update for Noble - d/libnetplan1.symbols: keep it at the original version - d/p/series: Keep d/p/sru-compat/* patches - d/p/series: Drop wait-online-dns* which is incompatible with systemd v255 + d/control: Keep systemd dependency at v248 -- Lukas Märdian Tue, 25 Nov 2025 12:45:14 +0100 libpython3-stdlib:arm64, python3, python3-minimal (built from python3-defaults) updated from 3.12.3-0ubuntu2 to 3.12.3-0ubuntu2.1: python3-defaults (3.12.3-0ubuntu2.1) noble-security; urgency=medium * No-change rebuild into -security to fix dep issues (LP: #2127093) -- Marc Deslauriers Wed, 12 Nov 2025 07:15:44 -0500 libpython3.12-minimal:arm64, libpython3.12-stdlib:arm64, python3.12, python3.12-minimal (built from python3.12) updated from 3.12.3-1ubuntu0.8 to 3.12.3-1ubuntu0.9: python3.12 (3.12.3-1ubuntu0.9) noble-security; urgency=medium * SECURITY UPDATE: Possible payload obfuscation - debian/patches/CVE-2025-8291.patch: check consistency of the zip64 end of central dir record in Lib/zipfile.py, Lib/test/test_zipfile.py. - CVE-2025-8291 * SECURITY UPDATE: Performance degradation - debian/patches/CVE-2025-6075.patch: fix quadratic complexity in os.path.expandvars() in Lib/ntpatch.py, Lib/posixpath.py, Lib/test/test_genericpatch.py, Lib/test/test_npath.py. 
- CVE-2025-6075 -- Leonidas Da Silva Barbosa Thu, 06 Nov 2025 10:44:16 -0300 26/10/2025, commit https://github.com/canonical/core-base/tree/230d59e9c36891b95fbb3a47a8b25563e0b9ae17 [ Changes in the core24 snap ] Alfonso Sánchez-Beato (1): hooks: update nvidia driver version [ Changes in primed packages ] distro-info-data (built from distro-info-data) updated from 0.60ubuntu0.3 to 0.60ubuntu0.5: distro-info-data (0.60ubuntu0.5) noble; urgency=medium * ubuntu.csv: remove eol-legacy field from resolute This version of distro-info does not know about eol-legacy. -- Nick Rosbrook Fri, 10 Oct 2025 12:02:16 -0400 distro-info-data (0.60ubuntu0.4) noble; urgency=medium * Add Ubuntu 26.04 LTS "Resolute Raccoon" (LP: #2126961) * Correct date for forky * Correct estimation for trixie ELTS EoL to 10 years total support. * Update the bookworm EoL -- Florent 'Skia' Jacquet Fri, 10 Oct 2025 11:31:14 +0100 09/10/2025, commit https://github.com/canonical/core-base/tree/3667c3306e20cafd7ee36075b3fb317f05fbec00 [ Changes in the core24 snap ] No detected changes for the core24 snap [ Changes in primed packages ] libpam-systemd:arm64, libsystemd-shared:arm64, libsystemd0:arm64, libudev1:arm64, systemd, systemd-coredump, systemd-dev, systemd-resolved, systemd-sysv, systemd-timesyncd, udev (built from systemd) updated from 255.4-1ubuntu8.10 to 255.4-1ubuntu8.11: systemd (255.4-1ubuntu8.11) noble; urgency=medium [ Nick Rosbrook ] * initramfs-tools: copy hwdb.bin to initramfs (LP: #2112237) * d/t/tests-in-lxd: drop patching workaround (LP: #2115263) - d/t/control: add Depends: dnsmasq-base (Revealed by test progressing past previous failure) * initramfs-tools: filter out zdev rules in the initramfs hook (LP: #2044104) Backport the logic from plucky onward, but adjust the version string for noble. * test: fall back to SYSLOG_IDENTIFIER= matching in TEST-75-RESOLVED Partially backport the test fix from 49a954b08654dd06bab71224a2398a65c2555549, only targeting TEST-75-RESOLVED. 
[ Matthew Ruffell ] * pcrlock: handle measurement logs where hash algs in header. Fix pcrlock log to function correctly reading the TPM eventlog on hyper-v VMs (LP: #2115391) [ Chengen Du ] * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist (LP: #2115418) [ Mario Limonciello ] * Drop support for using actual brightness (LP: #2110585) -- Nick Rosbrook Fri, 11 Jul 2025 14:52:59 -0400 wpasupplicant (built from wpa) updated from 2:2.10-21ubuntu0.2 to 2:2.10-21ubuntu0.3: wpa (2:2.10-21ubuntu0.3) noble; urgency=medium * Bump DEFAULT_BSS_MAX_COUNT to 1000 (LP: #2117180) -- Mitchell Augustin Mon, 21 Jul 2025 18:13:31 -0500 01/10/2025, commit https://github.com/canonical/core-base/tree/3667c3306e20cafd7ee36075b3fb317f05fbec00 [ Changes in the core24 snap ] No detected changes for the core24 snap [ Changes in primed packages ] cloud-init (built from cloud-init) updated from 25.1.4-0ubuntu0~24.04.1 to 25.2-0ubuntu1~24.04.1: cloud-init (25.2-0ubuntu1~24.04.1) noble; urgency=medium * add d/p/strip-invalid-mtu.patch - Provides backwards compatibility for an otherwise invalid MTU in a netplan config. (GH-6239) * d/cloud-init.templates: - Move VMware before OVF. See GH-4030 - Enable CloudCIX by default * refresh patches: - d/p/no-single-process.patch * Upstream snapshot based on 25.2. (LP: #2120495). List of changes from upstream can be found at https://raw.githubusercontent.com/canonical/cloud-init/25.2/ChangeLog -- James Falcon Tue, 12 Aug 2025 16:19:32 -0500 coreutils (built from coreutils) updated from 9.4-3ubuntu6 to 9.4-3ubuntu6.1: coreutils (9.4-3ubuntu6.1) noble; urgency=medium * d/p/suppress-permission-denied-errors-on-nfs.patch: - Avoid returning permission denied errors when running ls -l when reading file attributes. 
(LP: #2115274) -- Ghadi Elie Rahme Sun, 22 Jun 2025 16:21:39 +0000 dpkg (built from dpkg) updated from 1.22.6ubuntu6.1 to 1.22.6ubuntu6.5: dpkg (1.22.6ubuntu6.5) noble-security; urgency=medium [ Joy Latten ] * SECURITY UPDATE: - Fix cleanup for control member with restricted directories. LP: #2122053 - Fixes CVE-2025-6297 -- Serge Hallyn Thu, 18 Sep 2025 12:43:59 -0500 dpkg (1.22.6ubuntu6.2) noble; urgency=medium [ Zixing Liu ] * Add RUSTFLAGS to define frame pointers for Rust toolchain (LP: #2082636). * Replaces mainline version number 1.22.6ubuntu12 with 1.22.6ubuntu6.2 in the documentation to avoid confusion with backported version. [ Benjamin Drung ] * buildflags: document RUSTFLAGS * buildflags: Always set RUSTFLAGS -- Zixing Liu Thu, 26 Sep 2024 13:14:01 -0600 libc-bin, libc6:arm64, libc6:armhf (built from glibc) updated from 2.39-0ubuntu8.5 to 2.39-0ubuntu8.6: glibc (2.39-0ubuntu8.6) noble-security; urgency=medium * SECURITY UPDATE: double-free in regcomp function - debian/patches/any/CVE-2025-8058.patch: fix double-free after allocation failure in regcomp in posix/Makefile, posix/regcomp.c, posix/tst-regcomp-bracket-free.c. - CVE-2025-8058 -- Marc Deslauriers Wed, 17 Sep 2025 10:55:42 -0400 openssh-client, openssh-server, openssh-sftp-server (built from openssh) updated from 1:9.6p1-3ubuntu13.13 to 1:9.6p1-3ubuntu13.14: openssh (1:9.6p1-3ubuntu13.14) noble; urgency=medium * d/p/systemd-socket-activation.patch: allow AF_VSOCK sockets (LP: #2111226) -- Nick Rosbrook Tue, 26 Aug 2025 09:49:17 -0400 libssl3t64:arm64, openssl (built from openssl) updated from 3.0.13-0ubuntu3.5 to 3.0.13-0ubuntu3.6: openssl (3.0.13-0ubuntu3.6) noble-security; urgency=medium * SECURITY UPDATE: Out-of-bounds read & write in RFC 3211 KEK Unwrap - debian/patches/CVE-2025-9230.patch: fix incorrect check of unwrapped key size in crypto/cms/cms_pwri.c. 
- CVE-2025-9230 -- Marc Deslauriers Thu, 18 Sep 2025 07:12:48 -0400 libpam-modules-bin, libpam-modules:arm64, libpam-runtime, libpam0g:arm64 (built from pam) updated from 1.5.3-5ubuntu5.4 to 1.5.3-5ubuntu5.5: pam (1.5.3-5ubuntu5.5) noble-security; urgency=medium * SECURITY UPDATE: pam_access hostname confusion - debian/patches/CVE-2024-10963.patch: add "nodns" option to disallow resolving of tokens as hostname in modules/pam_access/access.conf.5.xml, modules/pam_access/pam_access.8.xml, modules/pam_access/pam_access.c. - CVE-2024-10963 -- Marc Deslauriers Mon, 15 Sep 2025 08:37:15 -0400 libsqlite3-0:arm64 (built from sqlite3) updated from 3.45.1-1ubuntu2.4 to 3.45.1-1ubuntu2.5: sqlite3 (3.45.1-1ubuntu2.5) noble-security; urgency=medium * SECURITY UPDATE: integer overflow in FTS5 extension - debian/patches/CVE-2025-7709.patch: optimize allocation of large tombstone arrays in fts5 in ext/fts5/fts5_index.c. - CVE-2025-7709 -- Marc Deslauriers Thu, 11 Sep 2025 14:06:42 -0400 vim-common, vim-tiny (built from vim) updated from 2:9.1.0016-1ubuntu7.8 to 2:9.1.0016-1ubuntu7.9: vim (2:9.1.0016-1ubuntu7.9) noble-security; urgency=medium * SECURITY UPDATE: Path traversal when opening specially crafted tar/zip archives. - debian/patches/CVE-2025-53905.patch: remove leading slashes from name, replace tar_secure with g:tar_secure in runtime/autoload/tar.vim. - debian/patches/CVE-2025-53906.patch: Add need_rename, replace w! with w, call warning for path traversal attack, and escape leading "../" in runtime/autoload/zip.vim. 
- CVE-2025-53905 - CVE-2025-53906 -- Hlib Korzhynskyy Fri, 05 Sep 2025 17:14:46 -0230 29/08/2025, commit https://github.com/canonical/core-base/tree/3667c3306e20cafd7ee36075b3fb317f05fbec00 [ Changes in the core24 snap ] Alfonso Sánchez-Beato (4): .github/workflows/release-manual.yaml: remove scheduled builds get-version.sh: filter by _$branch suffix when looking at tags hooks/001-extra-packages.chroot: add back libtirpc3t64 snapcraft.yaml: move to 24.04.3 base Valentin David (2): spread.yaml: Sync google-nested-arm with snapd static: copy udev disk rules from core-initrd [ Changes in primed packages ] base-files (built from base-files) updated from 13ubuntu10.2 to 13ubuntu10.3: base-files (13ubuntu10.3) noble; urgency=medium * /etc/issue{,.net}, /etc/{lsb,os}-release: bump version to 24.04.3 (LP: #2119314) -- Ural Tunaboyu Fri, 01 Aug 2025 07:21:11 -0700 cloud-init (built from cloud-init) updated from 25.1.2-0ubuntu0~24.04.1 to 25.1.4-0ubuntu0~24.04.1: cloud-init (25.1.4-0ubuntu0~24.04.1) noble-security; urgency=medium * Upstream snapshot based on 25.1.4. List of changes from upstream can be found at https://raw.githubusercontent.com/canonical/cloud-init/25.1.4/ChangeLog - Bugs fixed in this snapshot: + fix: disable cloud-init when non-x86 environments have no DMI-data and no strict datasources detected (LP: #2069607) (CVE-2024-6174) -- Chad Smith Tue, 24 Jun 2025 15:14:03 -0600 cloud-init (25.1.3-0ubuntu0~24.04.1) noble-security; urgency=medium * d/cloud-init-base.postinst: move existing hotplug-cmd fifo to root-only share dir (CVE-2024-11584) * Upstream security bugfix release based on 25.1.3. 
List of changes from upstream can be found at https://raw.githubusercontent.com/canonical/cloud-init/25.1.3/ChangeLog - Bugs fixed in this snapshot: - security: make hotplug socket only writable by root (LP: #2114229) (CVE-2024-11584) - security: make ds-identify behavior strict datasource discovery on non-x86 platforms without DMI data (LP: #2069607) (CVE-2024-6174) -- Chad Smith Thu, 12 Jun 2025 20:24:45 -0600 iproute2 (built from iproute2) updated from 6.1.0-1ubuntu6 to 6.1.0-1ubuntu6.2: iproute2 (6.1.0-1ubuntu6.2) noble; urgency=medium * Do not use stdout to print info about default fan map usage (LP: #2115790) - d/p/1003-ubuntu-poc-fan-dynamic-map.patch -- Stefan Bader Thu, 10 Jul 2025 16:46:54 +0200 iproute2 (6.1.0-1ubuntu6.1) noble; urgency=medium * Expose IFLA_VXLAN_FAN_MAP version via sysctl/proc (LP: #2106115) - d/p/1003-ubuntu-poc-fan-dynamic-map.patch -- Stefan Bader Thu, 26 Jun 2025 16:35:31 +0200 libpython3.12-minimal:arm64, libpython3.12-stdlib:arm64, python3.12, python3.12-minimal (built from python3.12) updated from 3.12.3-1ubuntu0.7 to 3.12.3-1ubuntu0.8: python3.12 (3.12.3-1ubuntu0.8) noble-security; urgency=medium * SECURITY UPDATE: Regular expression denial of service. - debian/patches/CVE-2025-6069.patch: Improve regex parsing in Lib/html/parser.py. - CVE-2025-6069 * SECURITY UPDATE: Infinite loop when parsing tar archives. - debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in Lib/tarfile.py. 
- CVE-2025-8194 -- Hlib Korzhynskyy Thu, 14 Aug 2025 15:17:21 -0230 29/07/2025, commit https://github.com/canonical/core-base/tree/e164b892c0535598c3712caa2ecdea0667dfdfc7 [ Changes in the core24 snap ] Alfonso Sánchez-Beato (11): snapcraft.yaml: set version from date tag if present .github/workflows/release.yaml: add release job .github/workflows/release.yaml: run rebuild base job each day .github/workflows/tests.yaml: fix runners filtering .github/workflows/release.yaml: fix typo static/secureboot-db.service: check mode by looking at modeenv static: check mode by looking at modeenv in several services tests: prepare for installation from initramfs .github/workflows: we do not need spread-arm anymore .github/workflows: add manual release job, remove old release one .github/workflows/release-manual: fix typo Philip Meulengracht (1): tools: aggregate old changelogs [ Changes in primed packages ] libc-bin, libc6:arm64, libc6:armhf (built from glibc) updated from 2.39-0ubuntu8.4 to 2.39-0ubuntu8.5: glibc (2.39-0ubuntu8.5) noble-security; urgency=medium * SECURITY UPDATE: insecure power10 strcmp implementation - debian/patches/any/CVE-2025-5702.patch: remove power10 optimized strcmp. - CVE-2025-5702 * Moved other security patches to debian/patches/any. -- Marc Deslauriers Wed, 09 Jul 2025 12:47:47 -0400 gpgv (built from gnupg2) updated from 2.4.4-2ubuntu17.2 to 2.4.4-2ubuntu17.3: gnupg2 (2.4.4-2ubuntu17.3) noble-security; urgency=medium * debian/patches/fix-key-validity-regression-due-to-CVE-2025-30258.patch: - Fix a key validity regression following patches for CVE-2025-30258, causing trusted "certify-only" primary keys to be ignored when checking signature on user IDs and computing key validity. This regression makes imported keys signed by a trusted "certify-only" key have an unknown validity (LP: #2114775). 
-- dcpi Thu, 26 Jun 2025 13:17:22 +0000 gnutls-bin, libgnutls-dane0t64:arm64, libgnutls30t64:arm64 (built from gnutls28) updated from 3.8.3-1.1ubuntu3.3 to 3.8.3-1.1ubuntu3.4: gnutls28 (3.8.3-1.1ubuntu3.4) noble-security; urgency=medium * SECURITY UPDATE: double-free via otherName in the SAN - debian/patches/CVE-2025-32988.patch: avoid double free when exporting othernames in SAN in lib/x509/extensions.c. - CVE-2025-32988 * SECURITY UPDATE: OOB read via malformed length field in SCT extension - debian/patches/CVE-2025-32989.patch: fix read buffer overrun in SCT timestamps in lib/x509/x509_ext.c. - CVE-2025-32989 * SECURITY UPDATE: heap write overflow in certtool via invalid template - debian/patches/CVE-2025-32990.patch: avoid 1-byte write buffer overrun when parsing template in src/certtool-cfg.c, tests/cert-tests/Makefile.am, tests/cert-tests/template-test.sh, tests/cert-tests/templates/template-too-many-othernames.tmpl. - CVE-2025-32990 * SECURITY UPDATE: NULL deref via missing PSK in TLS 1.3 handshake - debian/patches/CVE-2025-6395.patch: clear HSK_PSK_SELECTED when resetting binders in lib/handshake.c, lib/state.c, tests/Makefile.am, tests/tls13/hello_retry_request_psk.c. - CVE-2025-6395 -- Marc Deslauriers Fri, 11 Jul 2025 08:58:05 -0400 gzip (built from gzip) updated from 1.12-1ubuntu3 to 1.12-1ubuntu3.1: gzip (1.12-1ubuntu3.1) noble; urgency=medium * d/p/0001-maint-fix-s390-buffer-flushes.patch: align the behavior of dfltcc_inflate to do the same as gzip_inflate when it hits a premature EOF (LP: #2083700) -- Andreas Hasenack Mon, 27 Jan 2025 13:56:44 -0300 iputils-ping (built from iputils) updated from 3:20240117-1build1 to 3:20240117-1ubuntu0.1: iputils (3:20240117-1ubuntu0.1) noble-security; urgency=medium * SECURITY UPDATE: DoS via crafted ICMP Echo Reply packet - debian/patches/CVE-2025-47268: fix signed 64-bit integer overflow in RTT calculation in iputils_common.h, ping/ping_common.c. 
- debian/patches/CVE-2025-48964.patch: fix moving average rtt calculation in iputils_common.h, ping/ping.h, ping/ping_common.c. - CVE-2025-47268 - CVE-2025-48964 -- Marc Deslauriers Thu, 24 Jul 2025 07:51:16 -0400 libpciaccess0:arm64 (built from libpciaccess) updated from 0.17-3build1 to 0.17-3ubuntu0.24.04.2: libpciaccess (0.17-3ubuntu0.24.04.2) noble; urgency=medium * Revert to 0.17-3build1 since the previous update appears to cause inability to log in to the desktop on some systems (LP: #2115574) -- Jeremy Bícha Mon, 30 Jun 2025 11:55:17 -0400 libpciaccess (0.17-3ubuntu0.24.04.1) noble; urgency=medium * AMD platform A + N config selected wrong primary GPU in Xorg (LP: #2111684) d/p/0001-linux_sysfs-Identify-boot_vga-by-acpi-companion-hid.patch -- Kai-Chuan Hsieh Tue, 03 Jun 2025 17:23:44 +0800 libnetplan1:arm64, netplan-generator, netplan.io, python3-netplan (built from netplan.io) updated from 1.1.2-2~ubuntu24.04.1 to 1.1.2-2~ubuntu24.04.2: netplan.io (1.1.2-2~ubuntu24.04.2) noble; urgency=medium * Add integration tests for `netplan try` - d/p/lp2083029/0007-tests-integration-netplan-try.patch * Fix networkd file permissions during `netplan try` restore (LP: #2083029) - d/p/lp2083029/0008-cli-ConfigManager-must-copy-file-ownership.patch * Prevent netplan-generate from running during `netplan try` (LP: #2083029) - d/p/lp2083029/0009-generate-Don-t-run-during-netplan-try.patch -- Wesley Hershberger Thu, 17 Apr 2025 10:46:08 -0500 openssh-client, openssh-server, openssh-sftp-server (built from openssh) updated from 1:9.6p1-3ubuntu13.12 to 1:9.6p1-3ubuntu13.13: openssh (1:9.6p1-3ubuntu13.13) noble; urgency=medium * Explicitly listen on IPv4 by default, with socket-activated sshd (LP: #2080216) - d/systemd/ssh.socket: explicitly listen on ipv4 by default - d/t/sshd-socket-generator: update for new defaults and AddressFamily - sshd-socket-generator: handle new ssh.socket default settings -- Nick Rosbrook Mon, 09 Jun 2025 13:22:39 -0400 python3-urllib3 (built from 
python-urllib3) updated from 2.0.7-1ubuntu0.1 to 2.0.7-1ubuntu0.2: python-urllib3 (2.0.7-1ubuntu0.2) noble-security; urgency=medium * SECURITY UPDATE: Information disclosure through improperly disabled redirects. - debian/patches/CVE-2025-50181.patch: Add "retries" check and set retries to Retry.from_int(retries, redirect=False) as well as set raise_on_redirect in ./src/urllib3/poolmanager.py. - CVE-2025-50181 -- Hlib Korzhynskyy Mon, 23 Jun 2025 16:34:35 -0230 libpython3.12-minimal:arm64, libpython3.12-stdlib:arm64, python3.12, python3.12-minimal (built from python3.12) updated from 3.12.3-1ubuntu0.6 to 3.12.3-1ubuntu0.7: python3.12 (3.12.3-1ubuntu0.7) noble-security; urgency=medium * SECURITY UPDATE: Arbitrary filesystem and metadata write through improper tar filtering. - debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in ./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and unfiltered to ./Lib/tarfile.py. Modify tests. - CVE-2024-12718 - CVE-2025-4138 - CVE-2025-4330 - CVE-2025-4435 - CVE-2025-4517 -- Hlib Korzhynskyy Wed, 18 Jun 2025 15:29:45 -0230 libsqlite3-0:arm64 (built from sqlite3) updated from 3.45.1-1ubuntu2.3 to 3.45.1-1ubuntu2.4: sqlite3 (3.45.1-1ubuntu2.4) noble-security; urgency=medium * SECURITY UPDATE: Memory corruption via number of aggregate terms - debian/patches/CVE-2025-6965.patch: raise an error right away if the number of aggregate terms in a query exceeds the maximum number of columns in src/expr.c, src/sqliteInt.h. - CVE-2025-6965 -- Marc Deslauriers Fri, 18 Jul 2025 10:56:16 -0400 sudo (built from sudo) updated from 1.9.15p5-3ubuntu5 to 1.9.15p5-3ubuntu5.24.04.1: sudo (1.9.15p5-3ubuntu5.24.04.1) noble-security; urgency=medium * SECURITY UPDATE: Local Privilege Escalation via host option - debian/patches/CVE-2025-32462.patch: only allow specifying a host when listing privileges. 
- CVE-2025-32462 * SECURITY UPDATE: Local Privilege Escalation via chroot option - debian/patches/CVE-2025-32463.patch: remove user-selected root directory chroot option. - CVE-2025-32463 -- Marc Deslauriers Wed, 25 Jun 2025 08:42:53 -0400 libpam-systemd:arm64, libsystemd-shared:arm64, libsystemd0:arm64, libudev1:arm64, systemd, systemd-coredump, systemd-dev, systemd-resolved, systemd-sysv, systemd-timesyncd, udev (built from systemd) updated from 255.4-1ubuntu8.8 to 255.4-1ubuntu8.10: systemd (255.4-1ubuntu8.10) noble; urgency=medium * Fix regression in networkctl caused by previous upload: A regression was introduced due to an incorrect manager reference being passed to manager_get_route_table_to_string() within route_append_json(), resulting in an error when executing the `networkctl --json=pretty` command. > networkctl --json=pretty Failed to get description: Message recipient disconnected from message bus without replying -- Chengen Du Wed, 02 Jul 2025 10:04:32 -0400 systemd (255.4-1ubuntu8.9) noble; urgency=medium * Preserve IPv6 configurations when `KeepConfiguration=dhcp-on-stop` is set (LP: #2098183) - d/p/lp2098183/0001-network-use-json_variant_append_arrayb.patch - d/p/lp2098183/0002-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch - d/p/lp2098183/0003-json-add-macro-for-automatically-defining-a-dispatch.patch - d/p/lp2098183/0004-json-introduce-json_dispatch_byte_array_iovec-and-js.patch - d/p/lp2098183/0005-json-introduce-json_dispatch_int8-and-json_dispatch_.patch - d/p/lp2098183/0006-json-extend-JsonDispatch-flags-with-nullable-and-ref.patch - d/p/lp2098183/0007-json-util-generalize-json_dispatch_ifindex.patch - d/p/lp2098183/0008-daemon-util-expose-notify_push_fd.patch - d/p/lp2098183/0009-network-json-add-missing-entries-for-route-propertie.patch - d/p/lp2098183/0010-network-introduce-network_config_source_from_string.patch - d/p/lp2098183/0011-network-expose-log_route_debug-and-log_address_debug.patch - 
d/p/lp2098183/0012-network-introduce-manager_serialize-deserialize.patch - d/p/lp2098183/0013-network-keep-all-dynamically-acquired-configurations.patch -- Chengen Du Mon, 09 Jun 2025 13:44:06 -0400 bsdutils, fdisk, libblkid1:arm64, libfdisk1:arm64, libmount1:arm64, libsmartcols1:arm64, libuuid1:arm64, mount, rfkill, util-linux (built from util-linux) updated from 1:2.39.3-9ubuntu6.2 to 1:2.39.3-9ubuntu6.3: 18/06/2025, commit https://git.launchpad.net/snap-core24/tree/f9ca904d1e47c062780620e0060063d8a54646dd [ Changes in the core24 snap ] Alfonso Sánchez-Beato (1): .github,tests: do not rebuild base for each test [ Changes in primed packages ] libapt-pkg6.0t64:arm64 (built from apt) updated from 2.7.14build2 to 2.8.3: apt (2.8.3) noble; urgency=medium * Revert increased key size requirements from 2.8.0-2.8.2 (LP: #2073126) - Revert "Only install 00-temporary-rsa1024 for >=2.7.6 and improve comment" - Revert "Only warn about Tue, 22 Oct 2024 15:02:22 +0200 apt (2.8.2) noble; urgency=medium * Only install 00-temporary-rsa1024 for >=2.7.6 and improve comment (follow-up for LP: #2073126) -- Julian Andres Klode Tue, 13 Aug 2024 16:47:13 +0200 apt (2.8.1) noble; urgency=medium * Only revoke weak RSA keys for now, add 'next' and 'future' levels (backported from 2.9.7) Note that the changes to warn about keys not matching the future level in the --audit level are not fully included, as the --audit feature has not yet been backported. 
(LP: #2073126) * Introduce further mitigation on upgrades from 2.7.x to allow these systems to continue using rsa1024 repositories with warnings until the 24.04.2 point release (LP: #2073126) -- Julian Andres Klode Tue, 30 Jul 2024 17:12:00 +0900 apt (2.8.0) noble; urgency=medium [ Julian Andres Klode ] * Revert "Temporarily downgrade key assertions to "soon worthless"" We temporarily downgraded the errors to warnings to give the launchpad PPAs time to be fixed, but warnings are not safe: Untrusted keys could be hiding on your system, but just not used at the moment. Hence revert this so we get the errors we want. (LP: #2060721) * Branch off the stable 2.8.y branch for noble: - CI: Test in ubuntu:noble images for 2.8.y - debian/gbp.conf: Point at the 2.8.y branch [ David Kalnischkies ] * Test suite fixes: - Avoid subshell hiding failure report from testfilestats - Ignore umask of leftover diff_Index in failed pdiff test * Documentation translation fixes: - Fix and unfuzzy previous VCG/Graphviz URI change -- Julian Andres Klode Tue, 16 Apr 2024 16:59:14 +0200 cloud-init (built from cloud-init) updated from 24.4.1-0ubuntu0~24.04.3 to 25.1.2-0ubuntu0~24.04.1: cloud-init (25.1.2-0ubuntu0~24.04.1) noble; urgency=medium * Upstream snapshot based on 25.1.2. (LP: #2104165). 
    List of changes from upstream can be found at
    https://raw.githubusercontent.com/canonical/cloud-init/25.1.2/ChangeLog

 -- James Falcon Mon, 19 May 2025 15:00:58 -0500

cloud-init (25.1.1-0ubuntu1~24.04.1) noble; urgency=medium

  * Drop cpicks which are now upstream:
    - cpick-d75840be-fix-retry-AWS-hotplug-for-async-IMDS-5995
    - cpick-84806336-chore-Add-feature-flag-for-manual-network-waiting
    - d/p/cpick-c60771d8-test-pytestify-test_url_helper.py
    - d/p/cpick-8810a2dc-test-Remove-CiTestCase-from-test_url_helper.py
    - d/p/cpick-582f16c1-test-add-OauthUrlHelper-tests
    - d/p/cpick-9311e066-fix-Update-OauthUrlHelper-to-use-readurl-exception_cb
  * refresh patches
    - d/p/deprecation-version-boundary.patch
    - d/p/grub-dpkg-support.patch
    - d/p/no-nocloud-network.patch
    - d/p/no-single-process.patch
  * sort hunks within all patches (--sort on quilt refresh)
  * Upstream snapshot based on 25.1.1.
    List of changes from upstream can be found at
    https://raw.githubusercontent.com/canonical/cloud-init/25.1.1/ChangeLog

 -- Chad Smith Tue, 25 Mar 2025 11:02:28 -0600

libgssapi-krb5-2:arm64, libk5crypto3:arm64, libkrb5-3:arm64, libkrb5support0:arm64 (built from krb5) updated from 1.20.1-6ubuntu2.5 to 1.20.1-6ubuntu2.6:

krb5 (1.20.1-6ubuntu2.6) noble-security; urgency=medium

  * SECURITY UPDATE: Use of weak cryptographic hash.
    - debian/patches/CVE-2025-3576.patch: Add allow_des3 and allow_rc4 options.
      Disallow usage of des3 and rc4 unless allowed in the config. Replace
      warn_des3 with warn_deprecated in ./src/lib/krb5/krb/get_in_tkt.c. Add
      allow_des3 and allow_rc4 boolean in ./src/include/k5-int.h. Prevent usage
      of deprecated enctypes in ./src/kdc/kdc_util.c.
    - debian/patches/CVE-2025-3576-post1.patch: Add enctype comparison with
      ENCTYPE_AES256_CTS_HMAC_SHA1_96 in ./src/kdc/kdc_util.c.
    - CVE-2025-3576

 -- Hlib Korzhynskyy Thu, 15 May 2025 10:09:20 +0200

openssh-client, openssh-server, openssh-sftp-server (built from openssh) updated from 1:9.6p1-3ubuntu13.11 to 1:9.6p1-3ubuntu13.12:

openssh (1:9.6p1-3ubuntu13.12) noble; urgency=medium

  * d/p/sshd-socket-generator.patch: add note to sshd_config
    Explain that a systemctl daemon-reload is needed for changes to Port et
    al to take effect.
    (LP: #2069041)

 -- Nick Rosbrook Tue, 29 Apr 2025 10:57:04 -0400

libpam-modules-bin, libpam-modules:arm64, libpam-runtime, libpam0g:arm64 (built from pam) updated from 1.5.3-5ubuntu5.1 to 1.5.3-5ubuntu5.4:

pam (1.5.3-5ubuntu5.4) noble-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via pam_namespace
    - debian/patches/pam_namespace_170.patch: sync pam_namespace module to
      version 1.7.0.
    - debian/patches/pam_namespace_post170-*.patch: add post-1.7.0 changes
      from upstream git tree.
    - debian/patches/pam_namespace_revert_abi.patch: revert ABI change to
      prevent unintended issues in running daemons.
    - debian/patches/CVE-2025-6020-1.patch: fix potential privilege
      escalation.
    - debian/patches/CVE-2025-6020-2.patch: add flags to indicate path
      safety.
    - debian/patches/CVE-2025-6020-3.patch: secure_opendir: do not look at
      the group ownership.
    - debian/patches/pam_namespace_o_directory.patch: removed, included in
      patch cluster above.
    - CVE-2025-6020

 -- Marc Deslauriers Thu, 12 Jun 2025 10:45:28 -0400

pam (1.5.3-5ubuntu5.2) noble; urgency=medium

  * d/p/031_pam_include: fix loading from /usr/lib/pam.d (LP: #2087827)

 -- Simon Chopin Mon, 26 May 2025 16:34:46 +0200

libpython3.12-minimal:arm64, libpython3.12-stdlib:arm64, python3.12, python3.12-minimal (built from python3.12) updated from 3.12.3-1ubuntu0.5 to 3.12.3-1ubuntu0.6:

python3.12 (3.12.3-1ubuntu0.6) noble-security; urgency=medium

  * SECURITY UPDATE: incorrect address list folding
    - debian/patches/CVE-2025-1795-2.patch: fix AttributeError in the email
      module in Lib/email/_header_value_parser.py,
      Lib/test/test_email/test__header_value_parser.py.
    - CVE-2025-1795
  * SECURITY UPDATE: DoS via bytes.decode with unicode_escape
    - debian/patches/CVE-2025-4516.patch: fix use-after-free in the
      unicode-escape decoder with an error handler in
      Include/cpython/bytesobject.h, Include/cpython/unicodeobject.h,
      Lib/test/test_codeccallbacks.py, Lib/test/test_codecs.py,
      Objects/bytesobject.c, Objects/unicodeobject.c,
      Parser/string_parser.c.
    - CVE-2025-4516

 -- Marc Deslauriers Mon, 26 May 2025 14:50:19 -0400

python3-requests (built from requests) updated from 2.31.0+dfsg-1ubuntu1 to 2.31.0+dfsg-1ubuntu1.1:

requests (2.31.0+dfsg-1ubuntu1.1) noble-security; urgency=medium

  * SECURITY UPDATE: Information Leak
    - debian/patches/CVE-2024-47081.patch: Only use hostname to do netrc
      lookup instead of netloc
    - CVE-2024-47081
  * Skip Test
    - skip-failing-zip-test.patch: Skip failing zip test

 -- Bruce Cable Thu, 12 Jun 2025 11:19:32 +1000

python3-pkg-resources (built from setuptools) updated from 68.1.2-2ubuntu1.1 to 68.1.2-2ubuntu1.2:

setuptools (68.1.2-2ubuntu1.2) noble-security; urgency=medium

  * SECURITY UPDATE: path traversal vulnerability
    - debian/patches/CVE-2025-47273-pre1.patch: Extract
      _resolve_download_filename with test.
    - debian/patches/CVE-2025-47273.patch: Add a check to ensure the name
      resolves relative to the tmpdir.
    - CVE-2025-47273

 -- Fabian Toepfer Wed, 28 May 2025 19:00:32 +0200

libpam-systemd:arm64, libsystemd-shared:arm64, libsystemd0:arm64, libudev1:arm64, systemd, systemd-coredump, systemd-dev, systemd-resolved, systemd-sysv, systemd-timesyncd, udev (built from systemd) updated from 255.4-1ubuntu8.6 to 255.4-1ubuntu8.8:

systemd (255.4-1ubuntu8.8) noble-security; urgency=medium

  * SECURITY UPDATE: race condition in systemd-coredump
    - debian/patches/CVE_2025_4598_1.patch: coredump: get rid of
      _META_MANDATORY_MAX.
    - debian/patches/CVE_2025_4598_2.patch: coredump: use %d in kernel core
      pattern.
    - debian/patches/CVE_2025_4598_3.patch: coredump: also stop forwarding
      non-dumpable processes.
    - debian/patches/CVE_2025_4598_4.patch: coredump: get rid of a bogus
      assertion.
    - CVE-2025-4598
  * this update does not include the changes from 255.4-1ubuntu8.7 as
    included in noble-proposed

 -- Octavio Galland Wed, 04 Jun 2025 09:24:15 -0300

tzdata (built from tzdata) updated from 2025b-0ubuntu0.24.04 to 2025b-0ubuntu0.24.04.1:

tzdata (2025b-0ubuntu0.24.04.1) noble; urgency=medium

  * Update the ICU timezone data to 2025b (LP: #2107950)
  * Add autopkgtest test case for ICU timezone data 2025b

 -- Benjamin Drung Tue, 22 Apr 2025 12:11:08 +0200