{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [],
            "removed": [],
            "diff": [
                "busybox-initramfs",
                "busybox-static",
                "dhcpcd-base",
                "dracut",
                "dracut-core",
                "dracut-install",
                "dracut-network",
                "file",
                "ftp",
                "fuse3",
                "gir1.2-packagekitglib-1.0",
                "groff-base",
                "libcap-ng0:armhf",
                "libdrm-amdgpu1:armhf",
                "libdrm-common",
                "libdrm2:armhf",
                "libdw1t64:armhf",
                "libedit2:armhf",
                "libelf1t64:armhf",
                "libevdev2:armhf",
                "libfreetype6:armhf",
                "libfuse3-4:armhf",
                "libgcrypt20:armhf",
                "libicu78:armhf",
                "libmagic-mgc",
                "libmagic1t64:armhf",
                "libmbim-glib4:armhf",
                "libmbim-proxy",
                "libmbim-utils",
                "libopeniscsiusr",
                "libp11-kit0:armhf",
                "libpackagekit-glib2-18:armhf",
                "libparted2t64:armhf",
                "libpci3:armhf",
                "libperl5.40:armhf",
                "libpython3.14:armhf",
                "libpython3.14-minimal:armhf",
                "libpython3.14-stdlib:armhf",
                "libselinux1:armhf",
                "libssh2-1t64:armhf",
                "libtraceevent1:armhf",
                "libtraceevent1-plugin:armhf",
                "libtracefs1:armhf",
                "libusb-1.0-0:armhf",
                "libwrap0:armhf",
                "open-iscsi",
                "packagekit",
                "parted",
                "pci.ids",
                "pciutils",
                "perl",
                "perl-base",
                "perl-modules-5.40",
                "python3-certifi",
                "python3-debian",
                "python3-jinja2",
                "python3.14",
                "python3.14-gdbm",
                "python3.14-minimal",
                "rpcsvc-proto",
                "rsync",
                "rust-coreutils",
                "sos",
                "tcpdump",
                "tmux",
                "tnftp",
                "xfsprogs"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "busybox-initramfs",
                "from_version": {
                    "source_package_name": "busybox",
                    "source_package_version": "1:1.37.0-7ubuntu1",
                    "version": "1:1.37.0-7ubuntu1"
                },
                "to_version": {
                    "source_package_name": "busybox",
                    "source_package_version": "1:1.37.0-10.1ubuntu2",
                    "version": "1:1.37.0-10.1ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-26157",
                        "url": "https://ubuntu.com/security/CVE-2026-26157",
                        "cve_description": "A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-11 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-26158",
                        "url": "https://ubuntu.com/security/CVE-2026-26158",
                        "cve_description": "A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-11 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58251",
                        "url": "https://ubuntu.com/security/CVE-2024-58251",
                        "cve_description": "In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-04-23 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2023-42366",
                        "url": "https://ubuntu.com/security/CVE-2023-42366",
                        "cve_description": "A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.",
                        "cve_priority": "medium",
                        "cve_public_date": "2023-11-27 23:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-60876",
                        "url": "https://ubuntu.com/security/CVE-2025-60876",
                        "cve_description": "BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-10 20:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-46394",
                        "url": "https://ubuntu.com/security/CVE-2025-46394",
                        "cve_description": "In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-04-23 16:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2156784,
                    2153290
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/tree/usr/share/initramfs-tools/hooks/zz-busybox:",
                            "    remove stray closing bracket. This was leftover from an incorrect merge.",
                            "    Caused an autopkgtest r-dep regression in `initramfs-tools`. LP: #2156784",
                            "",
                            ""
                        ],
                        "package": "busybox",
                        "version": "1:1.37.0-10.1ubuntu2",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2156784
                        ],
                        "author": "John Chittum <john.chittum@canonical.com>",
                        "date": "Mon, 15 Jun 2026 11:27:30 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. (LP: #2153290) Remaining changes:",
                            "    - Add busybox-initramfs binary package and initramfs flavour:",
                            "      + Add dirname from coreutils to the initramfs",
                            "      + Enable the new klibc utility implementations, nuke and run-init",
                            "        in the initramfs package; and also enable reboot.  Doesn't yet make",
                            "        klibc-utils irrelevant - we still use ipconfig, fstype, and nfsmount",
                            "        - but it moves us much closer and should save a little bit of disk",
                            "        space.",
                            "      + Enable TLS in initramfs flavour of wget applet, requires openssl",
                            "      + d/config/pkg/initramfs: Enable the date applet with the same",
                            "        options as the other variants for use in fixrtc and casper scripts.",
                            "      + Prefer busybox cmds over klibc cmds where there is duplication.",
                            "      + Move zz-busybox to busybox-initramfs to ensure we get links to all",
                            "        the tools we need, stop shipping it anywhere else.",
                            "      + d/tree/busybox/usr/share/initramfs-tools/hooks/zz-busybox:",
                            "        Copy certs and openssl config for the casper+busybox-initramfs case.",
                            "      + Add Ubuntu configuration for busybox binaries.",
                            "    - test-bin.patch: Move test and friends to /bin.",
                            "    - static-sh-alias.patch: Add static-sh alias name for ash, and install",
                            "      /bin/static-sh symlink to busybox in busybox-static.",
                            "    - d/config/pkg/{deb,static}: Enable chpasswd (needed by LXC).",
                            "        + archival-disallow-path-traversals-*.patch adds a new feature that was",
                            "          not configured in d/config/pkg/initramfs as busybox-initramfs is an",
                            "          Ubuntu only package. Adds in the default config to to the initramfs",
                            "          conf.",
                            "    - d/p/fix-start-stop-daemon-rust-coreutils.patch",
                            "       rust-coreutils disallows running an executable by a different",
                            "       name. This leads to \"start-stop-daemon with both -x and -a\"",
                            "       to fail as it attempts to run /bin/false under a different",
                            "       name, qwerty. Patch test to use the same executable as the",
                            "       test does not check argv[0] difference",
                            "    - d/busybox-static.links fix link location",
                            "    - d/busybox-static.links updated to be in usr/bin instead of bin.",
                            "      (LP #2139160)",
                            ""
                        ],
                        "package": "busybox",
                        "version": "1:1.37.0-10.1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2153290
                        ],
                        "author": "John Chittum <john.chittum@canonical.com>",
                        "date": "Thu, 21 May 2026 09:05:38 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26157",
                                "url": "https://ubuntu.com/security/CVE-2026-26157",
                                "cve_description": "A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-11 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-26158",
                                "url": "https://ubuntu.com/security/CVE-2026-26158",
                                "cve_description": "A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-11 21:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Non-maintainer upload.",
                            "  * CVE-2026-26157: Incomplete path sanitization in archive",
                            "    extraction utilities",
                            "  * CVE-2026-26158: File modification outside of the intended",
                            "    extraction directory in tar",
                            "  * (Closes: #1127782)",
                            ""
                        ],
                        "package": "busybox",
                        "version": "1:1.37.0-10.1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Adrian Bunk <bunk@debian.org>",
                        "date": "Wed, 04 Mar 2026 19:42:01 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Revert \"initramfs-tools/conf-hooks.d/busybox:",
                            "            remove, initramfs-tools do not use $BUSYBOXDIR anymore\"",
                            "    As it turns out, it *is* used still.",
                            "    (Closes: #1126810, #1126809)",
                            ""
                        ],
                        "package": "busybox",
                        "version": "1:1.37.0-10",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Michael Tokarev <mjt@tls.msk.ru>",
                        "date": "Mon, 02 Feb 2026 11:25:51 +0300"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-58251",
                                "url": "https://ubuntu.com/security/CVE-2024-58251",
                                "cve_description": "In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-04-23 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * netstat-sanitize-argv0-for-p-CVE-2024-58251.patch (Closes: #1104009)",
                            ""
                        ],
                        "package": "busybox",
                        "version": "1:1.37.0-9",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Michael Tokarev <mjt@tls.msk.ru>",
                        "date": "Sun, 01 Feb 2026 19:52:47 +0300"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2023-42366",
                                "url": "https://ubuntu.com/security/CVE-2023-42366",
                                "cve_description": "A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.",
                                "cve_priority": "medium",
                                "cve_public_date": "2023-11-27 23:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-60876",
                                "url": "https://ubuntu.com/security/CVE-2025-60876",
                                "cve_description": "BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-10 20:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-46394",
                                "url": "https://ubuntu.com/security/CVE-2025-46394",
                                "cve_description": "In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-04-23 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * awk.c-fix-CVE-2023-42366-bug-15874.patch (Closes: #1059053)",
                            "  * wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch (Closes: #1120795)",
                            "  * two patches (one from upstream and missing hunk) to fix CVE-2025-46394:",
                            "    archival-libarchive-sanitize-filenames-on-output-CVE-2025-46394.patch",
                            "    archival-libarchive-sanitize-filenames-on-output-CVE-2025-46394-2.patch",
                            "    (Closes: #1104008)",
                            "  * config: deb,static: enable resize applet",
                            "  * initramfs-tools/conf-hooks.d/busybox: remove,",
                            "    initramfs-tools don't use $BUSYBOXDIR anymore",
                            "  * initramfs-tools/hooks/zz-busybox:",
                            "    print applets added to initramfs in verbose mode",
                            ""
                        ],
                        "package": "busybox",
                        "version": "1:1.37.0-8",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Michael Tokarev <mjt@tls.msk.ru>",
                        "date": "Sun, 01 Feb 2026 19:29:24 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "busybox-static",
                "from_version": {
                    "source_package_name": "busybox",
                    "source_package_version": "1:1.37.0-7ubuntu1",
                    "version": "1:1.37.0-7ubuntu1"
                },
                "to_version": {
                    "source_package_name": "busybox",
                    "source_package_version": "1:1.37.0-10.1ubuntu2",
                    "version": "1:1.37.0-10.1ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-26157",
                        "url": "https://ubuntu.com/security/CVE-2026-26157",
                        "cve_description": "A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-11 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-26158",
                        "url": "https://ubuntu.com/security/CVE-2026-26158",
                        "cve_description": "A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-11 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-58251",
                        "url": "https://ubuntu.com/security/CVE-2024-58251",
                        "cve_description": "In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-04-23 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2023-42366",
                        "url": "https://ubuntu.com/security/CVE-2023-42366",
                        "cve_description": "A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.",
                        "cve_priority": "medium",
                        "cve_public_date": "2023-11-27 23:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-60876",
                        "url": "https://ubuntu.com/security/CVE-2025-60876",
                        "cve_description": "BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-10 20:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-46394",
                        "url": "https://ubuntu.com/security/CVE-2025-46394",
                        "cve_description": "In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-04-23 16:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2156784,
                    2153290
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/tree/usr/share/initramfs-tools/hooks/zz-busybox:",
                            "    remove stray closing bracket. This was leftover from an incorrect merge.",
                            "    Caused an autopkgtest r-dep regression in `initramfs-tools`. LP: #2156784",
                            "",
                            ""
                        ],
                        "package": "busybox",
                        "version": "1:1.37.0-10.1ubuntu2",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2156784
                        ],
                        "author": "John Chittum <john.chittum@canonical.com>",
                        "date": "Mon, 15 Jun 2026 11:27:30 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. (LP: #2153290) Remaining changes:",
                            "    - Add busybox-initramfs binary package and initramfs flavour:",
                            "      + Add dirname from coreutils to the initramfs",
                            "      + Enable the new klibc utility implementations, nuke and run-init",
                            "        in the initramfs package; and also enable reboot.  Doesn't yet make",
                            "        klibc-utils irrelevant - we still use ipconfig, fstype, and nfsmount",
                            "        - but it moves us much closer and should save a little bit of disk",
                            "        space.",
                            "      + Enable TLS in initramfs flavour of wget applet, requires openssl",
                            "      + d/config/pkg/initramfs: Enable the date applet with the same",
                            "        options as the other variants for use in fixrtc and casper scripts.",
                            "      + Prefer busybox cmds over klibc cmds where there is duplication.",
                            "      + Move zz-busybox to busybox-initramfs to ensure we get links to all",
                            "        the tools we need, stop shipping it anywhere else.",
                            "      + d/tree/busybox/usr/share/initramfs-tools/hooks/zz-busybox:",
                            "        Copy certs and openssl config for the casper+busybox-initramfs case.",
                            "      + Add Ubuntu configuration for busybox binaries.",
                            "    - test-bin.patch: Move test and friends to /bin.",
                            "    - static-sh-alias.patch: Add static-sh alias name for ash, and install",
                            "      /bin/static-sh symlink to busybox in busybox-static.",
                            "    - d/config/pkg/{deb,static}: Enable chpasswd (needed by LXC).",
                            "        + archival-disallow-path-traversals-*.patch adds a new feature that was",
                            "          not configured in d/config/pkg/initramfs as busybox-initramfs is an",
                            "          Ubuntu only package. Adds in the default config to to the initramfs",
                            "          conf.",
                            "    - d/p/fix-start-stop-daemon-rust-coreutils.patch",
                            "       rust-coreutils disallows running an executable by a different",
                            "       name. This leads to \"start-stop-daemon with both -x and -a\"",
                            "       to fail as it attempts to run /bin/false under a different",
                            "       name, qwerty. Patch test to use the same executable as the",
                            "       test does not check argv[0] difference",
                            "    - d/busybox-static.links fix link location",
                            "    - d/busybox-static.links updated to be in usr/bin instead of bin.",
                            "      (LP #2139160)",
                            ""
                        ],
                        "package": "busybox",
                        "version": "1:1.37.0-10.1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2153290
                        ],
                        "author": "John Chittum <john.chittum@canonical.com>",
                        "date": "Thu, 21 May 2026 09:05:38 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-26157",
                                "url": "https://ubuntu.com/security/CVE-2026-26157",
                                "cve_description": "A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-11 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-26158",
                                "url": "https://ubuntu.com/security/CVE-2026-26158",
                                "cve_description": "A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-11 21:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Non-maintainer upload.",
                            "  * CVE-2026-26157: Incomplete path sanitization in archive",
                            "    extraction utilities",
                            "  * CVE-2026-26158: File modification outside of the intended",
                            "    extraction directory in tar",
                            "  * (Closes: #1127782)",
                            ""
                        ],
                        "package": "busybox",
                        "version": "1:1.37.0-10.1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Adrian Bunk <bunk@debian.org>",
                        "date": "Wed, 04 Mar 2026 19:42:01 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Revert \"initramfs-tools/conf-hooks.d/busybox:",
                            "            remove, initramfs-tools do not use $BUSYBOXDIR anymore\"",
                            "    As it turns out, it *is* used still.",
                            "    (Closes: #1126810, #1126809)",
                            ""
                        ],
                        "package": "busybox",
                        "version": "1:1.37.0-10",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Michael Tokarev <mjt@tls.msk.ru>",
                        "date": "Mon, 02 Feb 2026 11:25:51 +0300"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-58251",
                                "url": "https://ubuntu.com/security/CVE-2024-58251",
                                "cve_description": "In netstat in BusyBox through 1.37.0, local users can launch a network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-04-23 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * netstat-sanitize-argv0-for-p-CVE-2024-58251.patch (Closes: #1104009)",
                            ""
                        ],
                        "package": "busybox",
                        "version": "1:1.37.0-9",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Michael Tokarev <mjt@tls.msk.ru>",
                        "date": "Sun, 01 Feb 2026 19:52:47 +0300"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2023-42366",
                                "url": "https://ubuntu.com/security/CVE-2023-42366",
                                "cve_description": "A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.",
                                "cve_priority": "medium",
                                "cve_public_date": "2023-11-27 23:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-60876",
                                "url": "https://ubuntu.com/security/CVE-2025-60876",
                                "cve_description": "BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-10 20:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-46394",
                                "url": "https://ubuntu.com/security/CVE-2025-46394",
                                "cve_description": "In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-04-23 16:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * awk.c-fix-CVE-2023-42366-bug-15874.patch (Closes: #1059053)",
                            "  * wget-disallow-control-chars-in-URLs-CVE-2025-60876.patch (Closes: #1120795)",
                            "  * two patches (one from upstream and missing hunk) to fix CVE-2025-46394:",
                            "    archival-libarchive-sanitize-filenames-on-output-CVE-2025-46394.patch",
                            "    archival-libarchive-sanitize-filenames-on-output-CVE-2025-46394-2.patch",
                            "    (Closes: #1104008)",
                            "  * config: deb,static: enable resize applet",
                            "  * initramfs-tools/conf-hooks.d/busybox: remove,",
                            "    initramfs-tools don't use $BUSYBOXDIR anymore",
                            "  * initramfs-tools/hooks/zz-busybox:",
                            "    print applets added to initramfs in verbose mode",
                            ""
                        ],
                        "package": "busybox",
                        "version": "1:1.37.0-8",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Michael Tokarev <mjt@tls.msk.ru>",
                        "date": "Sun, 01 Feb 2026 19:29:24 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dhcpcd-base",
                "from_version": {
                    "source_package_name": "dhcpcd",
                    "source_package_version": "1:10.3.0-7",
                    "version": "1:10.3.0-7"
                },
                "to_version": {
                    "source_package_name": "dhcpcd",
                    "source_package_version": "1:10.3.2-3",
                    "version": "1:10.3.2-3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [tests]",
                            "     timesyncd-ntp-servers-from-dhcp: Mark as flaky.",
                            ""
                        ],
                        "package": "dhcpcd",
                        "version": "1:10.3.2-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Martin-Éric Racine <martin-eric.racine@iki.fi>",
                        "date": "Sat, 02 May 2026 07:59:36 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [tests]",
                            "    = timesyncd-ntp-servers-from-dhcp: Implement shellcheck suggestions.",
                            ""
                        ],
                        "package": "dhcpcd",
                        "version": "1:10.3.2-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Martin-Éric Racine <martin-eric.racine@iki.fi>",
                        "date": "Fri, 01 May 2026 15:49:50 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version.",
                            "  * [control]",
                            "    = Move transitional package dhcpcd5 to oldlibs/optional per policy 4.0.1.",
                            "  * [presubj]",
                            "    = Hurd has been ported to 2 architectures. Adjust bug-presubj accordingly.",
                            ""
                        ],
                        "package": "dhcpcd",
                        "version": "1:10.3.2-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Martin-Éric Racine <martin-eric.racine@iki.fi>",
                        "date": "Thu, 30 Apr 2026 17:04:25 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add bug-presubj to warn about sysusers minimum requirement.",
                            ""
                        ],
                        "package": "dhcpcd",
                        "version": "1:10.3.1-5",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Martin-Éric Racine <martin-eric.racine@iki.fi>",
                        "date": "Thu, 23 Apr 2026 12:59:38 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [rules,sysusers]",
                            "    = Migrate to _dhcpcd /var/lib/dhcpcd /sbin/nologin.",
                            "  * [dirs]",
                            "    - Drop empty /usr/lib/dhcpcd thanks to the above.",
                            ""
                        ],
                        "package": "dhcpcd",
                        "version": "1:10.3.1-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Martin-Éric Racine <martin-eric.racine@iki.fi>",
                        "date": "Sat, 18 Apr 2026 15:04:05 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [control]",
                            "    = Bump Standards-Version to 4.7.4 (no change required).",
                            "  * [rules]",
                            "    = Migrate from Debian patch to --enable-ntp configure option.",
                            "    = Migrate to SPDX-FileCopyrightText declaration.",
                            ""
                        ],
                        "package": "dhcpcd",
                        "version": "1:10.3.1-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Martin-Éric Racine <martin-eric.racine@iki.fi>",
                        "date": "Sat, 18 Apr 2026 09:17:35 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [control]",
                            "    = Make the long description for bin:dhcpcd even more obvious.",
                            "    + Add Build-Depends for Hurd.",
                            "    = wrap-and-sort -ast",
                            "  * [rules]",
                            "    = Modernize to fetch LFS flags via dpkg-buildflags.",
                            ""
                        ],
                        "package": "dhcpcd",
                        "version": "1:10.3.1-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Martin-Éric Racine <martin-eric.racine@iki.fi>",
                        "date": "Sat, 11 Apr 2026 14:51:12 +0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version.",
                            "    Includes upstream's overdue adaptation of Daniel Gröber's Merge Request.",
                            "    Thank you for your patience, Daniel (Closes: #1121014, #1121018).",
                            "  * [control]",
                            "    = Bump Standards-Version to 4.7.3.",
                            "    - Depends: sysvinit-utils (>= 3.05-4~) | lsb-base. Essential packages.",
                            "    - Recommends: iwd | wireless-tools. Not needed for wireless profiles.",
                            "  * [copyright]",
                            "    lintian-brush: Reorder Files paragraphs by directory depth.",
                            "  * [signing-key.asc]",
                            "    lintian-brush: Upgrade upstream signing key to new packet format.",
                            ""
                        ],
                        "package": "dhcpcd",
                        "version": "1:10.3.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Martin-Éric Racine <martin-eric.racine@iki.fi>",
                        "date": "Mon, 16 Mar 2026 15:28:49 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dracut",
                "from_version": {
                    "source_package_name": "dracut",
                    "source_package_version": "110-11",
                    "version": "110-11"
                },
                "to_version": {
                    "source_package_name": "dracut",
                    "source_package_version": "111-3",
                    "version": "111-3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2121865
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Gioele Barabucci ]",
                            "  * Update upstream repo name from dracut-ng to dracut",
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Backport patches to fix autopkgtest with systemd v261",
                            "",
                            "  [ Benjamin Drung ]",
                            "  * test(SYSTEMD-SYSEXT): use pre-pivot hook",
                            "  * Point homepage to upstream documentation page",
                            ""
                        ],
                        "package": "dracut",
                        "version": "111-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Thu, 18 Jun 2026 17:27:25 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * test: exit after create-root.sh has been run",
                            ""
                        ],
                        "package": "dracut",
                        "version": "111-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Wed, 06 May 2026 18:49:20 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Drop patches applied upstream",
                            "  * Refresh fix-iscsi-handle-empty-URI-in-firmware-boot-mode.patch",
                            "  * dracut-core: add new crypt-lib and systemd-sysusers-service modules",
                            "  * autopkgtest: add new 46-systemd-sysext test",
                            "  * Drop building dracut-test on 32-bit architectures and skip running",
                            "    upstream tests on armhf as autopkgtest (Closes: #1134874)",
                            "  * Update lintian overrides for lintian 2.135",
                            ""
                        ],
                        "package": "dracut",
                        "version": "111-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Sat, 02 May 2026 20:17:34 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick upstream fixes:",
                            "    - feat(dracut): add module to add fw files from DT firmware-name properties",
                            "    - fix: avoid arguments for dot commands",
                            "    - test(ISCSI): wait for tgtd startup",
                            "    - fix(iscsi): handle empty URI in firmware boot mode (LP: #2121865)",
                            "  * dracut-core: add new devicetree-firmware module",
                            ""
                        ],
                        "package": "dracut",
                        "version": "110-12",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2121865
                        ],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Tue, 14 Apr 2026 23:47:03 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dracut-core",
                "from_version": {
                    "source_package_name": "dracut",
                    "source_package_version": "110-11",
                    "version": "110-11"
                },
                "to_version": {
                    "source_package_name": "dracut",
                    "source_package_version": "111-3",
                    "version": "111-3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2121865
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Gioele Barabucci ]",
                            "  * Update upstream repo name from dracut-ng to dracut",
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Backport patches to fix autopkgtest with systemd v261",
                            "",
                            "  [ Benjamin Drung ]",
                            "  * test(SYSTEMD-SYSEXT): use pre-pivot hook",
                            "  * Point homepage to upstream documentation page",
                            ""
                        ],
                        "package": "dracut",
                        "version": "111-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Thu, 18 Jun 2026 17:27:25 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * test: exit after create-root.sh has been run",
                            ""
                        ],
                        "package": "dracut",
                        "version": "111-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Wed, 06 May 2026 18:49:20 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Drop patches applied upstream",
                            "  * Refresh fix-iscsi-handle-empty-URI-in-firmware-boot-mode.patch",
                            "  * dracut-core: add new crypt-lib and systemd-sysusers-service modules",
                            "  * autopkgtest: add new 46-systemd-sysext test",
                            "  * Drop building dracut-test on 32-bit architectures and skip running",
                            "    upstream tests on armhf as autopkgtest (Closes: #1134874)",
                            "  * Update lintian overrides for lintian 2.135",
                            ""
                        ],
                        "package": "dracut",
                        "version": "111-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Sat, 02 May 2026 20:17:34 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick upstream fixes:",
                            "    - feat(dracut): add module to add fw files from DT firmware-name properties",
                            "    - fix: avoid arguments for dot commands",
                            "    - test(ISCSI): wait for tgtd startup",
                            "    - fix(iscsi): handle empty URI in firmware boot mode (LP: #2121865)",
                            "  * dracut-core: add new devicetree-firmware module",
                            ""
                        ],
                        "package": "dracut",
                        "version": "110-12",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2121865
                        ],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Tue, 14 Apr 2026 23:47:03 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dracut-install",
                "from_version": {
                    "source_package_name": "dracut",
                    "source_package_version": "110-11",
                    "version": "110-11"
                },
                "to_version": {
                    "source_package_name": "dracut",
                    "source_package_version": "111-3",
                    "version": "111-3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2121865
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Gioele Barabucci ]",
                            "  * Update upstream repo name from dracut-ng to dracut",
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Backport patches to fix autopkgtest with systemd v261",
                            "",
                            "  [ Benjamin Drung ]",
                            "  * test(SYSTEMD-SYSEXT): use pre-pivot hook",
                            "  * Point homepage to upstream documentation page",
                            ""
                        ],
                        "package": "dracut",
                        "version": "111-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Thu, 18 Jun 2026 17:27:25 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * test: exit after create-root.sh has been run",
                            ""
                        ],
                        "package": "dracut",
                        "version": "111-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Wed, 06 May 2026 18:49:20 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Drop patches applied upstream",
                            "  * Refresh fix-iscsi-handle-empty-URI-in-firmware-boot-mode.patch",
                            "  * dracut-core: add new crypt-lib and systemd-sysusers-service modules",
                            "  * autopkgtest: add new 46-systemd-sysext test",
                            "  * Drop building dracut-test on 32-bit architectures and skip running",
                            "    upstream tests on armhf as autopkgtest (Closes: #1134874)",
                            "  * Update lintian overrides for lintian 2.135",
                            ""
                        ],
                        "package": "dracut",
                        "version": "111-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Sat, 02 May 2026 20:17:34 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick upstream fixes:",
                            "    - feat(dracut): add module to add fw files from DT firmware-name properties",
                            "    - fix: avoid arguments for dot commands",
                            "    - test(ISCSI): wait for tgtd startup",
                            "    - fix(iscsi): handle empty URI in firmware boot mode (LP: #2121865)",
                            "  * dracut-core: add new devicetree-firmware module",
                            ""
                        ],
                        "package": "dracut",
                        "version": "110-12",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2121865
                        ],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Tue, 14 Apr 2026 23:47:03 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "dracut-network",
                "from_version": {
                    "source_package_name": "dracut",
                    "source_package_version": "110-11",
                    "version": "110-11"
                },
                "to_version": {
                    "source_package_name": "dracut",
                    "source_package_version": "111-3",
                    "version": "111-3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2121865
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Gioele Barabucci ]",
                            "  * Update upstream repo name from dracut-ng to dracut",
                            "",
                            "  [ Luca Boccassi ]",
                            "  * Backport patches to fix autopkgtest with systemd v261",
                            "",
                            "  [ Benjamin Drung ]",
                            "  * test(SYSTEMD-SYSEXT): use pre-pivot hook",
                            "  * Point homepage to upstream documentation page",
                            ""
                        ],
                        "package": "dracut",
                        "version": "111-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Thu, 18 Jun 2026 17:27:25 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * test: exit after create-root.sh has been run",
                            ""
                        ],
                        "package": "dracut",
                        "version": "111-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Wed, 06 May 2026 18:49:20 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Drop patches applied upstream",
                            "  * Refresh fix-iscsi-handle-empty-URI-in-firmware-boot-mode.patch",
                            "  * dracut-core: add new crypt-lib and systemd-sysusers-service modules",
                            "  * autopkgtest: add new 46-systemd-sysext test",
                            "  * Drop building dracut-test on 32-bit architectures and skip running",
                            "    upstream tests on armhf as autopkgtest (Closes: #1134874)",
                            "  * Update lintian overrides for lintian 2.135",
                            ""
                        ],
                        "package": "dracut",
                        "version": "111-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Sat, 02 May 2026 20:17:34 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick upstream fixes:",
                            "    - feat(dracut): add module to add fw files from DT firmware-name properties",
                            "    - fix: avoid arguments for dot commands",
                            "    - test(ISCSI): wait for tgtd startup",
                            "    - fix(iscsi): handle empty URI in firmware boot mode (LP: #2121865)",
                            "  * dracut-core: add new devicetree-firmware module",
                            ""
                        ],
                        "package": "dracut",
                        "version": "110-12",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2121865
                        ],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Tue, 14 Apr 2026 23:47:03 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "file",
                "from_version": {
                    "source_package_name": "file",
                    "source_package_version": "1:5.46-5build2",
                    "version": "1:5.46-5build2"
                },
                "to_version": {
                    "source_package_name": "file",
                    "source_package_version": "1:5.47-4",
                    "version": "1:5.47-4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick two commits to detect some compression",
                            "  * Disable over-eager MSOOXML detection. Closes: #1138991",
                            ""
                        ],
                        "package": "file",
                        "version": "1:5.47-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Christoph Biedl <debian.axhn@manchmal.in-ulm.de>",
                        "date": "Sat, 06 Jun 2026 17:53:39 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Finally upload 5.47 to unstable",
                            "  * Packaging cleanup",
                            ""
                        ],
                        "package": "file",
                        "version": "1:5.47-3",
                        "urgency": "low",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Christoph Biedl <debian.axhn@manchmal.in-ulm.de>",
                        "date": "Sun, 31 May 2026 18:05:15 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to experimental - there might still be regressions",
                            "  * Cherry-pick fixes for",
                            "    * FTBFS on big endian",
                            "    * Mis-detecting of some PDF files when using libmagic",
                            "  * Fix typo in previous changelog entry",
                            ""
                        ],
                        "package": "file",
                        "version": "1:5.47-2",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Christoph Biedl <debian.axhn@manchmal.in-ulm.de>",
                        "date": "Sun, 24 May 2026 20:50:48 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to experimental",
                            "  * New upstream version 5.47",
                            "    Closes: #1106864, #1106866, #1115393, #1119250, #1122101, #1128210",
                            "  * Improve roff in documentation. Closes: #1134911",
                            ""
                        ],
                        "package": "file",
                        "version": "1:5.47-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Christoph Biedl <debian.axhn@manchmal.in-ulm.de>",
                        "date": "Sat, 16 May 2026 16:09:24 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ftp",
                "from_version": {
                    "source_package_name": "tnftp",
                    "source_package_version": "20260211-1",
                    "version": "20260211-1"
                },
                "to_version": {
                    "source_package_name": "tnftp",
                    "source_package_version": "20260211-2",
                    "version": "20260211-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/control: remove Priority: optional",
                            "  * d/watch: update Version: 5, not use Option pasv",
                            "  * d/copyright: fix old-fsf-address-in-copyright-file",
                            ""
                        ],
                        "package": "tnftp",
                        "version": "20260211-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "xiao sheng wen <atzlinux@sina.com>",
                        "date": "Mon, 30 Mar 2026 15:53:45 +0800"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "fuse3",
                "from_version": {
                    "source_package_name": "fuse3",
                    "source_package_version": "3.18.2-1",
                    "version": "3.18.2-1"
                },
                "to_version": {
                    "source_package_name": "fuse3",
                    "source_package_version": "3.18.2-2",
                    "version": "3.18.2-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Remove adduser dependency (closes: #1128249).",
                            "  * Remove unnecessary dependency version constraints.",
                            "  * Do not suggest fuse package.",
                            ""
                        ],
                        "package": "fuse3",
                        "version": "3.18.2-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Laszlo Boszormenyi (GCS) <gcs@debian.org>",
                        "date": "Sat, 25 Apr 2026 15:58:24 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "gir1.2-packagekitglib-1.0",
                "from_version": {
                    "source_package_name": "packagekit",
                    "source_package_version": "1.3.5-1ubuntu1",
                    "version": "1.3.5-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "packagekit",
                    "source_package_version": "1.3.6-1",
                    "version": "1.3.6-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148474
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p: Honour allow_deps=false when removing packages.",
                            "    The PackageKit API allows restricting a RemovePackages transaction to",
                            "    prevent removing any dependent packages, but the APT backend was not",
                            "    honouring it.",
                            "    This could have led to the accidental removal of system packages when",
                            "    trying to uninstall applications from simple PackageKit frontends.",
                            "    (LP: #2148474)",
                            ""
                        ],
                        "package": "packagekit",
                        "version": "1.3.5-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2148474
                        ],
                        "author": "Alessandro Astone <alessandro.astone@canonical.com>",
                        "date": "Tue, 09 Jun 2026 10:49:01 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": true
            },
            {
                "name": "groff-base",
                "from_version": {
                    "source_package_name": "groff",
                    "source_package_version": "1.23.0-10",
                    "version": "1.23.0-10"
                },
                "to_version": {
                    "source_package_name": "groff",
                    "source_package_version": "1.24.1-1",
                    "version": "1.24.1-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/upstream/signing-key.asc: Add G. Branden Robinson's key.",
                            "  * New upstream release (closes: #1127419):",
                            "    - install-font: Add example script to make TrueType, OpenType, and",
                            "      PostScript Type1 fonts usable with groff (closes: #609549).",
                            "    - tbl: Fix staggering of text block cells (closes: #1038391).",
                            "    - mdoc: Fix `Nm` boldness (closes: #1059536).",
                            "    - troff: Refactor state machine to fix a double-free error (closes:",
                            "      #1082520).",
                            "    - Update getopt from gnulib (closes: #1124128).",
                            "    - libgroff: Don't ship a nilpotent \"charset.alias\" file (closes:",
                            "      #1124527).",
                            "    - pic: Fix stack overflow when 32nd macro argument is empty and more",
                            "      arguments follow (closes: #1125162).",
                            "  * d/patches/nroff-ifs.patch: Drop, since this was fixed in the version of",
                            "    dash in Debian 11 (bullseye).",
                            "  * Override Lintian national-encoding for some language support files.",
                            "  * d/copyright: Convert to copyright-format 1.0.",
                            "  * Override Lintian license-problem-font-adobe-copyrighted-fragment false",
                            "    positive, and add a corresponding entry to d/copyright.",
                            ""
                        ],
                        "package": "groff",
                        "version": "1.24.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Colin Watson <cjwatson@debian.org>",
                        "date": "Wed, 22 Apr 2026 14:57:41 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcap-ng0:armhf",
                "from_version": {
                    "source_package_name": "libcap-ng",
                    "source_package_version": "0.8.5-4build5",
                    "version": "0.8.5-4build5"
                },
                "to_version": {
                    "source_package_name": "libcap-ng",
                    "source_package_version": "0.9.3-1",
                    "version": "0.9.3-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * d/patches",
                            "    - Rebase patches.",
                            "    - Drop patch included upstream.",
                            "  * Update symbols file.",
                            "  * Update Standards Version to 4.7.4, no changes needed.",
                            "  * d/copyright: Add section for new files.",
                            ""
                        ],
                        "package": "libcap-ng",
                        "version": "0.9.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Håvard F. Aasen <havard.f.aasen@pfft.no>",
                        "date": "Sat, 18 Apr 2026 08:24:19 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Rebase patches.",
                            "  * Add patch from upstream to move bash completion file to correct",
                            "    location.",
                            ""
                        ],
                        "package": "libcap-ng",
                        "version": "0.9.2-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Håvard F. Aasen <havard.f.aasen@pfft.no>",
                        "date": "Sun, 29 Mar 2026 19:42:29 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Rebase patches:",
                            "    - Drop cherry-picked patch included from upstream.",
                            "  * d/copyright:",
                            "    - Remove old FSF address.",
                            "    - Bump copyright year on myself.",
                            "    - Bump copyright year on upstream.",
                            "  * Remove RRR, value is now default.",
                            "  * Update Standards-Version to 4.7.3:",
                            "    - Remove priority, optional is now default.",
                            "  * Update d/watch to version 5.",
                            "  * Run wrap-and-sort with arguments 'asbkt'.",
                            "  * Use CI pipeline from file, not URL.",
                            "  * Add pkg-config as build dependency.",
                            "  * Add d/clean to remove file after build.",
                            ""
                        ],
                        "package": "libcap-ng",
                        "version": "0.9.1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Håvard F. Aasen <havard.f.aasen@pfft.no>",
                        "date": "Fri, 20 Feb 2026 11:00:07 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libdrm-amdgpu1:armhf",
                "from_version": {
                    "source_package_name": "libdrm",
                    "source_package_version": "2.4.131-1",
                    "version": "2.4.131-1"
                },
                "to_version": {
                    "source_package_name": "libdrm",
                    "source_package_version": "2.4.134-1",
                    "version": "2.4.134-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Timo Aaltonen ]",
                            "  * New upstream release.",
                            "  * symbols: Updated.",
                            "",
                            "  [ Diederik de Haas ]",
                            "  * control: Update upstream Homepage URL",
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/control: libdrm-dev depends on libdrm-intel1 on arm64",
                            ""
                        ],
                        "package": "libdrm",
                        "version": "2.4.134-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Timo Aaltonen <tjaalton@debian.org>",
                        "date": "Wed, 03 Jun 2026 13:56:12 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libdrm-common",
                "from_version": {
                    "source_package_name": "libdrm",
                    "source_package_version": "2.4.131-1",
                    "version": "2.4.131-1"
                },
                "to_version": {
                    "source_package_name": "libdrm",
                    "source_package_version": "2.4.134-1",
                    "version": "2.4.134-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Timo Aaltonen ]",
                            "  * New upstream release.",
                            "  * symbols: Updated.",
                            "",
                            "  [ Diederik de Haas ]",
                            "  * control: Update upstream Homepage URL",
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/control: libdrm-dev depends on libdrm-intel1 on arm64",
                            ""
                        ],
                        "package": "libdrm",
                        "version": "2.4.134-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Timo Aaltonen <tjaalton@debian.org>",
                        "date": "Wed, 03 Jun 2026 13:56:12 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libdrm2:armhf",
                "from_version": {
                    "source_package_name": "libdrm",
                    "source_package_version": "2.4.131-1",
                    "version": "2.4.131-1"
                },
                "to_version": {
                    "source_package_name": "libdrm",
                    "source_package_version": "2.4.134-1",
                    "version": "2.4.134-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Timo Aaltonen ]",
                            "  * New upstream release.",
                            "  * symbols: Updated.",
                            "",
                            "  [ Diederik de Haas ]",
                            "  * control: Update upstream Homepage URL",
                            "",
                            "  [ Alessandro Astone ]",
                            "  * d/control: libdrm-dev depends on libdrm-intel1 on arm64",
                            ""
                        ],
                        "package": "libdrm",
                        "version": "2.4.134-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Timo Aaltonen <tjaalton@debian.org>",
                        "date": "Wed, 03 Jun 2026 13:56:12 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libdw1t64:armhf",
                "from_version": {
                    "source_package_name": "elfutils",
                    "source_package_version": "0.194-4",
                    "version": "0.194-4"
                },
                "to_version": {
                    "source_package_name": "elfutils",
                    "source_package_version": "0.195-1",
                    "version": "0.195-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version.",
                            "  * Drop KFreeBSD patches.",
                            "  * Drop the perf_regs patch.",
                            "  * Refresh patches.",
                            "  * Bump standards version.",
                            ""
                        ],
                        "package": "elfutils",
                        "version": "0.195-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 22 Apr 2026 17:20:17 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk.",
                            ""
                        ],
                        "package": "elfutils",
                        "version": "0.194+20260315-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sun, 15 Mar 2026 11:20:32 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libedit2:armhf",
                "from_version": {
                    "source_package_name": "libedit",
                    "source_package_version": "3.1-20251016-1",
                    "version": "3.1-20251016-1"
                },
                "to_version": {
                    "source_package_name": "libedit",
                    "source_package_version": "3.1-20260512-1",
                    "version": "3.1-20260512-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "  * Update watch file format version to 5.",
                            "  * Remove redundant Priority: optional from source stanza.",
                            ""
                        ],
                        "package": "libedit",
                        "version": "3.1-20260512-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sylvestre Ledru <sylvestre@debian.org>",
                        "date": "Mon, 25 May 2026 08:46:24 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libelf1t64:armhf",
                "from_version": {
                    "source_package_name": "elfutils",
                    "source_package_version": "0.194-4",
                    "version": "0.194-4"
                },
                "to_version": {
                    "source_package_name": "elfutils",
                    "source_package_version": "0.195-1",
                    "version": "0.195-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version.",
                            "  * Drop KFreeBSD patches.",
                            "  * Drop the perf_regs patch.",
                            "  * Refresh patches.",
                            "  * Bump standards version.",
                            ""
                        ],
                        "package": "elfutils",
                        "version": "0.195-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 22 Apr 2026 17:20:17 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Snapshot, taken from the trunk.",
                            ""
                        ],
                        "package": "elfutils",
                        "version": "0.194+20260315-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Sun, 15 Mar 2026 11:20:32 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libevdev2:armhf",
                "from_version": {
                    "source_package_name": "libevdev",
                    "source_package_version": "1.13.6+dfsg-1",
                    "version": "1.13.6+dfsg-1"
                },
                "to_version": {
                    "source_package_name": "libevdev",
                    "source_package_version": "1.13.6+dfsg-2",
                    "version": "1.13.6+dfsg-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Switch to debhelper compatibility level 14.",
                            "  * Fix CHECK_LIBS to avoid running unprefixed pkg-config.",
                            "  * Drop “Priority: optional” since it’s now the default.",
                            "  * Standards-Version 4.7.4, no further change required.",
                            "  * Update debian/watch to version 5.",
                            ""
                        ],
                        "package": "libevdev",
                        "version": "1.13.6+dfsg-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stephen Kitt <skitt@debian.org>",
                        "date": "Tue, 14 Apr 2026 21:10:32 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libfreetype6:armhf",
                "from_version": {
                    "source_package_name": "freetype",
                    "source_package_version": "2.14.2+dfsg-1",
                    "version": "2.14.2+dfsg-1"
                },
                "to_version": {
                    "source_package_name": "freetype",
                    "source_package_version": "2.14.3+dfsg-1",
                    "version": "2.14.3+dfsg-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 2.14.3.",
                            "  * debian/control: Raise Standards-Version to 4.7.4 (no changes needed).",
                            "  * debian/copyright: Update for FreeType 2.14.3.",
                            ""
                        ],
                        "package": "freetype",
                        "version": "2.14.3+dfsg-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Hugh McMaster <hmc@debian.org>",
                        "date": "Fri, 03 Apr 2026 18:04:32 +1100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libfuse3-4:armhf",
                "from_version": {
                    "source_package_name": "fuse3",
                    "source_package_version": "3.18.2-1",
                    "version": "3.18.2-1"
                },
                "to_version": {
                    "source_package_name": "fuse3",
                    "source_package_version": "3.18.2-2",
                    "version": "3.18.2-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Remove adduser dependency (closes: #1128249).",
                            "  * Remove unnecessary dependency version constraints.",
                            "  * Do not suggest fuse package.",
                            ""
                        ],
                        "package": "fuse3",
                        "version": "3.18.2-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Laszlo Boszormenyi (GCS) <gcs@debian.org>",
                        "date": "Sat, 25 Apr 2026 15:58:24 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libgcrypt20:armhf",
                "from_version": {
                    "source_package_name": "libgcrypt20",
                    "source_package_version": "1.12.0-2",
                    "version": "1.12.0-2"
                },
                "to_version": {
                    "source_package_name": "libgcrypt20",
                    "source_package_version": "1.12.2-1ubuntu1",
                    "version": "1.12.2-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2154120
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/riscv-fix-vlen-greater-128: Fix computing on RISC-V ",
                            "    with VLEN > 128 (LP: #2154120)",
                            ""
                        ],
                        "package": "libgcrypt20",
                        "version": "1.12.2-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2154120
                        ],
                        "author": "Valentin Haudiquet <valentin.haudiquet@canonical.com>",
                        "date": "Fri, 29 May 2026 10:44:08 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            ""
                        ],
                        "package": "libgcrypt20",
                        "version": "1.12.2-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andreas Metzler <ametzler@debian.org>",
                        "date": "Tue, 21 Apr 2026 19:23:09 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to unstable.",
                            ""
                        ],
                        "package": "libgcrypt20",
                        "version": "1.12.1-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andreas Metzler <ametzler@debian.org>",
                        "date": "Mon, 09 Mar 2026 18:14:34 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "    + Drop patches.",
                            ""
                        ],
                        "package": "libgcrypt20",
                        "version": "1.12.1-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Andreas Metzler <ametzler@debian.org>",
                        "date": "Sat, 21 Feb 2026 11:40:56 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libicu78:armhf",
                "from_version": {
                    "source_package_name": "icu",
                    "source_package_version": "78.2-2ubuntu1",
                    "version": "78.2-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "icu",
                    "source_package_version": "78.3-2ubuntu1",
                    "version": "78.3-2ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/disable-precision-fpmath-tests-on-i386.patch: add a patch to disable",
                            "      precision checking tests on i386 where an imprecise FPU hardware is used",
                            ""
                        ],
                        "package": "icu",
                        "version": "78.3-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Mon, 11 May 2026 11:53:22 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Michael Banck <mbanck@gmx.net> ]",
                            "  * Fix FTBFS on hurd-amd64 (closes: #1136098).",
                            "",
                            "  [ Laszlo Boszormenyi (GCS) ]",
                            "  * Honor nocheck in DEB_BUILD_OPTIONS (closes: #1136112).",
                            ""
                        ],
                        "package": "icu",
                        "version": "78.3-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Laszlo Boszormenyi (GCS) <gcs@debian.org>",
                        "date": "Sat, 09 May 2026 16:50:20 +0000"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - d/p/disable-precision-fpmath-tests-on-i386.patch: add a patch to disable",
                            "      precision checking tests on i386 where an imprecise FPU hardware is used",
                            ""
                        ],
                        "package": "icu",
                        "version": "78.3-1ubuntu1",
                        "urgency": "low",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Mon, 11 May 2026 11:47:23 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            ""
                        ],
                        "package": "icu",
                        "version": "78.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Laszlo Boszormenyi (GCS) <gcs@debian.org>",
                        "date": "Wed, 18 Mar 2026 17:47:53 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libmagic-mgc",
                "from_version": {
                    "source_package_name": "file",
                    "source_package_version": "1:5.46-5build2",
                    "version": "1:5.46-5build2"
                },
                "to_version": {
                    "source_package_name": "file",
                    "source_package_version": "1:5.47-4",
                    "version": "1:5.47-4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick two commits to detect some compression",
                            "  * Disable over-eager MSOOXML detection. Closes: #1138991",
                            ""
                        ],
                        "package": "file",
                        "version": "1:5.47-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Christoph Biedl <debian.axhn@manchmal.in-ulm.de>",
                        "date": "Sat, 06 Jun 2026 17:53:39 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Finally upload 5.47 to unstable",
                            "  * Packaging cleanup",
                            ""
                        ],
                        "package": "file",
                        "version": "1:5.47-3",
                        "urgency": "low",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Christoph Biedl <debian.axhn@manchmal.in-ulm.de>",
                        "date": "Sun, 31 May 2026 18:05:15 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to experimental - there might still be regressions",
                            "  * Cherry-pick fixes for",
                            "    * FTBFS on big endian",
                            "    * Mis-detecting of some PDF files when using libmagic",
                            "  * Fix typo in previous changelog entry",
                            ""
                        ],
                        "package": "file",
                        "version": "1:5.47-2",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Christoph Biedl <debian.axhn@manchmal.in-ulm.de>",
                        "date": "Sun, 24 May 2026 20:50:48 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to experimental",
                            "  * New upstream version 5.47",
                            "    Closes: #1106864, #1106866, #1115393, #1119250, #1122101, #1128210",
                            "  * Improve roff in documentation. Closes: #1134911",
                            ""
                        ],
                        "package": "file",
                        "version": "1:5.47-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Christoph Biedl <debian.axhn@manchmal.in-ulm.de>",
                        "date": "Sat, 16 May 2026 16:09:24 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libmagic1t64:armhf",
                "from_version": {
                    "source_package_name": "file",
                    "source_package_version": "1:5.46-5build2",
                    "version": "1:5.46-5build2"
                },
                "to_version": {
                    "source_package_name": "file",
                    "source_package_version": "1:5.47-4",
                    "version": "1:5.47-4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Cherry-pick two commits to detect some compression",
                            "  * Disable over-eager MSOOXML detection. Closes: #1138991",
                            ""
                        ],
                        "package": "file",
                        "version": "1:5.47-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Christoph Biedl <debian.axhn@manchmal.in-ulm.de>",
                        "date": "Sat, 06 Jun 2026 17:53:39 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Finally upload 5.47 to unstable",
                            "  * Packaging cleanup",
                            ""
                        ],
                        "package": "file",
                        "version": "1:5.47-3",
                        "urgency": "low",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Christoph Biedl <debian.axhn@manchmal.in-ulm.de>",
                        "date": "Sun, 31 May 2026 18:05:15 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to experimental - there might still be regressions",
                            "  * Cherry-pick fixes for",
                            "    * FTBFS on big endian",
                            "    * Mis-detecting of some PDF files when using libmagic",
                            "  * Fix typo in previous changelog entry",
                            ""
                        ],
                        "package": "file",
                        "version": "1:5.47-2",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Christoph Biedl <debian.axhn@manchmal.in-ulm.de>",
                        "date": "Sun, 24 May 2026 20:50:48 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to experimental",
                            "  * New upstream version 5.47",
                            "    Closes: #1106864, #1106866, #1115393, #1119250, #1122101, #1128210",
                            "  * Improve roff in documentation. Closes: #1134911",
                            ""
                        ],
                        "package": "file",
                        "version": "1:5.47-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Christoph Biedl <debian.axhn@manchmal.in-ulm.de>",
                        "date": "Sat, 16 May 2026 16:09:24 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libmbim-glib4:armhf",
                "from_version": {
                    "source_package_name": "libmbim",
                    "source_package_version": "1.32.0-2ubuntu1",
                    "version": "1.32.0-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "libmbim",
                    "source_package_version": "1.34.0-1",
                    "version": "1.34.0-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "  * debian/libmbim-glib4.symbols: update for new upstream release",
                            "  * d/control: drop now-unneeded Priority field",
                            "    `Priority: optional` is the default since Debian policy 4.7.3, let's",
                            "    drop it and bump Standards-Version accordingly.",
                            ""
                        ],
                        "package": "libmbim",
                        "version": "1.34.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Arnaud Ferraris <aferraris@debian.org>",
                        "date": "Mon, 19 Jan 2026 23:01:48 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libmbim-proxy",
                "from_version": {
                    "source_package_name": "libmbim",
                    "source_package_version": "1.32.0-2ubuntu1",
                    "version": "1.32.0-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "libmbim",
                    "source_package_version": "1.34.0-1",
                    "version": "1.34.0-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "  * debian/libmbim-glib4.symbols: update for new upstream release",
                            "  * d/control: drop now-unneeded Priority field",
                            "    `Priority: optional` is the default since Debian policy 4.7.3, let's",
                            "    drop it and bump Standards-Version accordingly.",
                            ""
                        ],
                        "package": "libmbim",
                        "version": "1.34.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Arnaud Ferraris <aferraris@debian.org>",
                        "date": "Mon, 19 Jan 2026 23:01:48 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libmbim-utils",
                "from_version": {
                    "source_package_name": "libmbim",
                    "source_package_version": "1.32.0-2ubuntu1",
                    "version": "1.32.0-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "libmbim",
                    "source_package_version": "1.34.0-1",
                    "version": "1.34.0-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            "  * debian/libmbim-glib4.symbols: update for new upstream release",
                            "  * d/control: drop now-unneeded Priority field",
                            "    `Priority: optional` is the default since Debian policy 4.7.3, let's",
                            "    drop it and bump Standards-Version accordingly.",
                            ""
                        ],
                        "package": "libmbim",
                        "version": "1.34.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Arnaud Ferraris <aferraris@debian.org>",
                        "date": "Mon, 19 Jan 2026 23:01:48 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libopeniscsiusr",
                "from_version": {
                    "source_package_name": "open-iscsi",
                    "source_package_version": "2.1.11-3ubuntu3",
                    "version": "2.1.11-3ubuntu3"
                },
                "to_version": {
                    "source_package_name": "open-iscsi",
                    "source_package_version": "2.1.11-5ubuntu1",
                    "version": "2.1.11-5ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2153177
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2153177). Remaining changes:",
                            "    - d/README.Debian, d/extra/startup-checks.sh, d/open-iscsi.postinst:",
                            "      Apply Ubuntu branding to iqn initiator name",
                            "    - debian/tests: Add Ubuntu autopkgtest suite:",
                            "      + d/t/README-boot-test.md: document test design",
                            "      + d/t/control: register testsuite",
                            "      + d/t/get-image: helper to fetch an ubuntu cloud image",
                            "      + d/t/patch-image: helper to modify an ubuntu cloud image",
                            "        - don't handle 'migration-reference/0' as a package name",
                            "        - mount autopkgtest tmp folder when needed",
                            "        - Ignore binaries with Architecture: amd64 of source packages to fix",
                            "          autopkgtest failures",
                            "      + d/test-open-iscsi.py, d/t/testlib.py: various qa regression tests",
                            "      + d/t/testsuite: helper to invoke qa regression tests",
                            "      + d/t/tgt-boot-test: test using tgt to boot from iscsi",
                            "      + d/t/xkvm: helper to spawn a VM",
                            "      + d/t/install: fixed test by forcing a package reinstall so that",
                            "        /etc/iscsi/initiatorname.iscsi can have expected value from the",
                            "        postinst script",
                            "    - d/extra/initramfs/local-top/iscsi: add a flag to skip network",
                            "      configuration when iscsi is set to 'auto' but no iBFT data is present.",
                            "      Thanks to Alec Warren <alecwarren19@gmail.com>. (LP 2098515)",
                            "    - d/t/control: Add test-dependency on 'fdisk' to avoid 'patch-image'",
                            "      failure in autopkgtest (LP 2095584)",
                            "    - Resize cloud image used for testing to avoid out-of-space errors",
                            "      (LP 2139084):",
                            "      + d/t/test-open-iscsi.py: increase the size of the downloaded image",
                            "      + d/t/control: add cloud-guest-utils to dependencies due to",
                            "        growpart",
                            "    - d/t/patch-image: also look for arch all packages (LP 2143886)",
                            ""
                        ],
                        "package": "open-iscsi",
                        "version": "2.1.11-5ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2153177
                        ],
                        "author": "Hector Cao <hector.cao@canonical.com>",
                        "date": "Mon, 25 May 2026 15:29:23 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [dc8b039] open-iscsi: add Depends: procps for pidof",
                            ""
                        ],
                        "package": "open-iscsi",
                        "version": "2.1.11-5",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Fri, 08 May 2026 12:19:57 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Team upload",
                            "  * [b7e061c] cherry-pick fix for discovering 'static' nodes (Closes: #1129063)",
                            ""
                        ],
                        "package": "open-iscsi",
                        "version": "2.1.11-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Fabian Grünbichler <debian@fabian.gruenbichler.email>",
                        "date": "Mon, 02 Mar 2026 09:39:46 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libp11-kit0:armhf",
                "from_version": {
                    "source_package_name": "p11-kit",
                    "source_package_version": "0.26.2-2",
                    "version": "0.26.2-2"
                },
                "to_version": {
                    "source_package_name": "p11-kit",
                    "source_package_version": "0.26.2-3",
                    "version": "0.26.2-3"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix autopoint error with gettext 1.0. (Closes: #1137421)",
                            ""
                        ],
                        "package": "p11-kit",
                        "version": "0.26.2-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Andreas Metzler <ametzler@debian.org>",
                        "date": "Wed, 10 Jun 2026 18:23:09 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpackagekit-glib2-18:armhf",
                "from_version": {
                    "source_package_name": "packagekit",
                    "source_package_version": "1.3.5-1ubuntu1",
                    "version": "1.3.5-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "packagekit",
                    "source_package_version": "1.3.6-1",
                    "version": "1.3.6-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148474
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p: Honour allow_deps=false when removing packages.",
                            "    The PackageKit API allows restricting a RemovePackages transaction to",
                            "    prevent removing any dependent packages, but the APT backend was not",
                            "    honouring it.",
                            "    This could have led to the accidental removal of system packages when",
                            "    trying to uninstall applications from simple PackageKit frontends.",
                            "    (LP: #2148474)",
                            ""
                        ],
                        "package": "packagekit",
                        "version": "1.3.5-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2148474
                        ],
                        "author": "Alessandro Astone <alessandro.astone@canonical.com>",
                        "date": "Tue, 09 Jun 2026 10:49:01 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": true
            },
            {
                "name": "libparted2t64:armhf",
                "from_version": {
                    "source_package_name": "parted",
                    "source_package_version": "3.6-6",
                    "version": "3.6-6"
                },
                "to_version": {
                    "source_package_name": "parted",
                    "source_package_version": "3.7-1",
                    "version": "3.7-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Drop \"Rules-Requires-Root: no\", default as of dpkg-dev 1.22.13.",
                            "  * debian/upstream/signing-key.asc: Update self-signatures.",
                            "  * New upstream release:",
                            "    - libparted: Do not detect ext4 without journal as ext2 (closes:",
                            "      #1103454).",
                            "  * Ship Doxygen-generated API documentation (closes: #1119679).",
                            "  * debian/copyright: Convert to copyright-format 1.0.",
                            ""
                        ],
                        "package": "parted",
                        "version": "3.7-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Colin Watson <cjwatson@debian.org>",
                        "date": "Tue, 14 Apr 2026 13:03:38 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpci3:armhf",
                "from_version": {
                    "source_package_name": "pciutils",
                    "source_package_version": "1:3.14.0-1build2",
                    "version": "1:3.14.0-1build2"
                },
                "to_version": {
                    "source_package_name": "pciutils",
                    "source_package_version": "1:3.15.0-2",
                    "version": "1:3.15.0-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Remove obsolete lintian override for removed exit-in-shared-library tag.",
                            "  * Add bug-script for pciutils to recommend attaching «lspci -vvxxx» output",
                            "    as requested by upstream.",
                            "  * Add patch to remove «allows …» usage in man pages, warned by lintian.",
                            "  * Add patch to add groff hint to run the tbl preprocessor for pcilmr(8),",
                            "    warned by lintian.",
                            ""
                        ],
                        "package": "pciutils",
                        "version": "1:3.15.0-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Tue, 12 May 2026 06:13:47 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Switch to debian/watch version 5.",
                            "  * Add spaces around make assignment operators to distinguish from shell ones.",
                            "  * Switch to Standards-Version 4.7.4 (no changes needed).",
                            "  * Remove build dependency on debhelper (>= 13.10) implied by",
                            "    debhelper-compat (= 13) since Debian bookworm.",
                            "  * Remove versioned Build-Depends on dpkg-dev, satisfied since Debian trixie.",
                            "  * Refactor common description into a source stanza Description field.",
                            "  * Update copyright years.",
                            ""
                        ],
                        "package": "pciutils",
                        "version": "1:3.15.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Wed, 08 Apr 2026 02:38:33 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libperl5.40:armhf",
                "from_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-7build1",
                    "version": "5.40.1-7build1"
                },
                "to_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-8",
                    "version": "5.40.1-8"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-15649",
                        "url": "https://ubuntu.com/security/CVE-2025-15649",
                        "cve_description": "IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.  _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.  The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7010",
                        "url": "https://ubuntu.com/security/CVE-2026-7010",
                        "cve_description": "HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.  The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.  An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-11 22:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8376",
                        "url": "https://ubuntu.com/security/CVE-2026-8376",
                        "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.  Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.  A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 00:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-48959",
                        "url": "https://ubuntu.com/security/CVE-2026-48959",
                        "cve_description": "IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.  fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.  Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-48961",
                        "url": "https://ubuntu.com/security/CVE-2026-48961",
                        "cve_description": "IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID.  When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255.  Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-48962",
                        "url": "https://ubuntu.com/security/CVE-2026-48962",
                        "cve_description": "IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.  _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.  Arbitrary Perl in the output glob executes at the calling process's privilege.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-15649",
                                "url": "https://ubuntu.com/security/CVE-2025-15649",
                                "cve_description": "IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.  _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.  The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7010",
                                "url": "https://ubuntu.com/security/CVE-2026-7010",
                                "cve_description": "HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.  The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.  An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-11 22:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8376",
                                "url": "https://ubuntu.com/security/CVE-2026-8376",
                                "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.  Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.  A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 00:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-48959",
                                "url": "https://ubuntu.com/security/CVE-2026-48959",
                                "cve_description": "IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.  fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.  Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-48961",
                                "url": "https://ubuntu.com/security/CVE-2026-48961",
                                "cve_description": "IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID.  When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255.  Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-48962",
                                "url": "https://ubuntu.com/security/CVE-2026-48962",
                                "cve_description": "IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.  _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.  Arbitrary Perl in the output glob executes at the calling process's privilege.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * [SECURITY] backport various fixes from upstream:",
                            "    + CVE-2025-15649: header parsing in IO::Uncompress::Unzip.",
                            "        (Closes: #1138863)",
                            "    + CVE-2026-7010:  CRLF-validation in HTTP::Tiny.",
                            "        (Closes: #1138858)",
                            "    + CVE-2026-8376:  Buffer overflow in Perl_study_chunk.",
                            "        (Closes: #1137345)",
                            "    + CVE-2026-48959: CPU exhaustion in IO::Uncompress::Unzip.",
                            "        (Closes: #1138856)",
                            "    + CVE-2026-48961: crash in zipdetails.",
                            "        (Closes: #1138855)",
                            "    + CVE-2026-48962: code execution in IO-Compress via output globs.",
                            "        (Closes: #1138854)",
                            "    + buffer overflows in pack().",
                            "        (Closes: #1138905)",
                            "    + buffer overflow in Storable.",
                            "        (Closes: #1138906)",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.40.1-8",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Niko Tyni <ntyni@debian.org>",
                        "date": "Sat, 06 Jun 2026 17:22:29 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.14:armhf",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.6-1",
                    "version": "3.14.6-1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7210",
                        "url": "https://ubuntu.com/security/CVE-2026-7210",
                        "cve_description": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.  Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-11 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitigation of CVE-2026-4519 was incomplete. If the URL contained \"%action\", the mitigation could be bypassed for certain browser types, and the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7210",
                                "url": "https://ubuntu.com/security/CVE-2026-7210",
                                "cve_description": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.  Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-11 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Python 3.14.6 release.",
                            "    - Avoid crash decompressing untrusted bz2 data. CVE-2026-9669.",
                            "    - Don't trust server-provided passive connection addresses in ftplib.",
                            "      CVE-2026-8328.",
                            "    - Don't allow untrusted tarfile extraction to write outside the",
                            "      destination. CVE-2026-7774.",
                            "    - Protects against DoS in expat XML parsing. CVE-2026-7210.",
                            "    - Avoid DoS in unicode normalization. CVE-2026-3276.",
                            "",
                            "  [ Colin Watson ]",
                            "  * Drop libnsl-dev build-dependency, which is superfluous since the nis",
                            "    module was removed in Python 3.13.",
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Refresh patches.",
                            "  * Drop mention of gdbinit from README.debug. Closes: #1109449.",
                            "  * Tidy up python3.X-config manpage. Closes: #1101810.",
                            "  * Build with -fno-thread-jumps, instead of -O1 on m68k. Closes: #1139593",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.6-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Wed, 10 Jun 2026 14:54:31 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitigation of CVE-2026-4519 was incomplete. If the URL contained \"%action\", the mitigation could be bypassed for certain browser types, and the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Python 3.14.5 release.",
                            "    Fixes:",
                            "    - CVE-2026-5713: Validate remote debug offset tables on load.",
                            "    - CVE-2026-4786: Fix webbrowser %action substitution bypass of dash-prefix",
                            "      check.",
                            "    - CVE-2026-1502: Reject CR/LF in HTTP tunnel request headers.",
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Refresh patches.",
                            "  * Update build-details path to include abiflags, and move it to",
                            "    libpython3.14-minimal / libpython3.14-dbg.",
                            "  * Patch: Fix test_pyexpat on i386. (Closes: #1135052)",
                            "  * Patch: Generate the correct base_interpreter in build-details on debug",
                            "    builds.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Run the tests with -j 2 instead of running sequentially.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.5-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Sun, 10 May 2026 21:38:08 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Python 3.14.5 release candidate.",
                            "  * Skip pyexpat.test_deeply_nested_content_model on i386.",
                            "  * Refresh patches.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.5~rc1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 06 May 2026 06:21:50 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Install _sysconfig_vars.json for the debug build.",
                            "  * d/t/control: Add python-tk to failing-tests-dbg dependencies.",
                            "  * d/t/testsuite-dbg: Don't run test_build_details, the build-details",
                            "    file for the debug interpreter is not installed.",
                            "  * Bump standards version.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 22 Apr 2026 12:14:09 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.14-minimal:armhf",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.6-1",
                    "version": "3.14.6-1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7210",
                        "url": "https://ubuntu.com/security/CVE-2026-7210",
                        "cve_description": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-11 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7210",
                                "url": "https://ubuntu.com/security/CVE-2026-7210",
                                "cve_description": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-11 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Python 3.14.6 release.",
                            "    - Avoid crash decompressing untrusted bz2 data. CVE-2026-9669.",
                            "    - Don't trust server-provided passive connection addresses in ftplib.",
                            "      CVE-2026-8328.",
                            "    - Don't allow untrusted tarfile extraction to write outside the",
                            "      destination. CVE-2026-7774.",
                            "    - Protects against DoS in expat XML parsing. CVE-2026-7210.",
                            "    - Avoid DoS in unicode normalization. CVE-2026-3276.",
                            "",
                            "  [ Colin Watson ]",
                            "  * Drop libnsl-dev build-dependency, which is superfluous since the nis",
                            "    module was removed in Python 3.13.",
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Refresh patches.",
                            "  * Drop mention of gdbinit from README.debug. Closes: #1109449.",
                            "  * Tidy up python3.X-config manpage. Closes: #1101810.",
                            "  * Build with -fno-thread-jumps, instead of -O1 on m68k. Closes: #1139593",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.6-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Wed, 10 Jun 2026 14:54:31 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Python 3.14.5 release.",
                            "    Fixes:",
                            "    - CVE-2026-5713: Validate remote debug offset tables on load.",
                            "    - CVE-2026-4786: Fix webbrowser %action substitution bypass of dash-prefix",
                            "      check.",
                            "    - CVE-2026-1502: Reject CR/LF in HTTP tunnel request headers.",
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Refresh patches.",
                            "  * Update build-details path to include abiflags, and move it to",
                            "    libpython3.14-minimal / libpython3.14-dbg.",
                            "  * Patch: Fix test_pyexpat on i386. (Closes: #1135052)",
                            "  * Patch: Generate the correct base_interpreter in build-details on debug",
                            "    builds.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Run the tests with -j 2 instead of running sequentially.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.5-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Sun, 10 May 2026 21:38:08 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Python 3.14.5 release candidate.",
                            "  * Skip pyexpat.test_deeply_nested_content_model on i386.",
                            "  * Refresh patches.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.5~rc1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 06 May 2026 06:21:50 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Install _sysconfig_vars.json for the debug build.",
                            "  * d/t/control: Add python-tk to failing-tests-dbg dependencies.",
                            "  * d/t/testsuite-dbg: Don't run test_build_details, the build-details",
                            "    file for the debug interpreter is not installed.",
                            "  * Bump standards version.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 22 Apr 2026 12:14:09 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpython3.14-stdlib:armhf",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.6-1",
                    "version": "3.14.6-1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7210",
                        "url": "https://ubuntu.com/security/CVE-2026-7210",
                        "cve_description": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-11 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7210",
                                "url": "https://ubuntu.com/security/CVE-2026-7210",
                                "cve_description": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-11 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Python 3.14.6 release.",
                            "    - Avoid crash decompressing untrusted bz2 data. CVE-2026-9669.",
                            "    - Don't trust server-provided passive connection addresses in ftplib.",
                            "      CVE-2026-8328.",
                            "    - Don't allow untrusted tarfile extraction to write outside the",
                            "      destination. CVE-2026-7774.",
                            "    - Protects against DoS in expat XML parsing. CVE-2026-7210.",
                            "    - Avoid DoS in unicode normalization. CVE-2026-3276.",
                            "",
                            "  [ Colin Watson ]",
                            "  * Drop libnsl-dev build-dependency, which is superfluous since the nis",
                            "    module was removed in Python 3.13.",
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Refresh patches.",
                            "  * Drop mention of gdbinit from README.debug. Closes: #1109449.",
                            "  * Tidy up python3.X-config manpage. Closes: #1101810.",
                            "  * Build with -fno-thread-jumps, instead of -O1 on m68k. Closes: #1139593",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.6-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Wed, 10 Jun 2026 14:54:31 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Python 3.14.5 release.",
                            "    Fixes:",
                            "    - CVE-2026-5713: Validate remote debug offset tables on load.",
                            "    - CVE-2026-4786: Fix webbrowser %action substitution bypass of dash-prefix",
                            "      check.",
                            "    - CVE-2026-1502: Reject CR/LF in HTTP tunnel request headers.",
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Refresh patches.",
                            "  * Update build-details path to include abiflags, and move it to",
                            "    libpython3.14-minimal / libpython3.14-dbg.",
                            "  * Patch: Fix test_pyexpat on i386. (Closes: #1135052)",
                            "  * Patch: Generate the correct base_interpreter in build-details on debug",
                            "    builds.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Run the tests with -j 2 instead of running sequentially.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.5-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Sun, 10 May 2026 21:38:08 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Python 3.14.5 release candidate.",
                            "  * Skip pyexpat.test_deeply_nested_content_model on i386.",
                            "  * Refresh patches.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.5~rc1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 06 May 2026 06:21:50 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Install _sysconfig_vars.json for the debug build.",
                            "  * d/t/control: Add python-tk to failing-tests-dbg dependencies.",
                            "  * d/t/testsuite-dbg: Don't run test_build_details, the build-details",
                            "    file for the debug interpreter is not installed.",
                            "  * Bump standards version.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 22 Apr 2026 12:14:09 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libselinux1:armhf",
                "from_version": {
                    "source_package_name": "libselinux",
                    "source_package_version": "3.9-4build1",
                    "version": "3.9-4build1"
                },
                "to_version": {
                    "source_package_name": "libselinux",
                    "source_package_version": "3.10-1",
                    "version": "3.10-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 3.10",
                            "",
                            "  * d/watch: rewrite in version 5",
                            "  * d/u/signing-key.asc: add key from Jason Zaman",
                            "  * d/patches:",
                            "    - rebase and drop upstream applied patch",
                            "    - fix FTBFS on alpha",
                            "  * d/libselinux1.symbols: add selinux_restorecon_get_relabeled_files(3)",
                            ""
                        ],
                        "package": "libselinux",
                        "version": "3.10-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Christian Göttsche <cgzones@googlemail.com>",
                        "date": "Tue, 10 Feb 2026 23:01:23 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/changelog: fix typo",
                            "  * d/control:",
                            "    - drop priority field with default value",
                            "    - bump Standards-Version to 4.7.3 (no further changes)",
                            "    - drop deprecated and unused XS-Ruby-Versions field",
                            "  * d/patches: build shared libraries with -fPIC (Closes: #1123905)",
                            "  * d/copyright: update debian/* section",
                            ""
                        ],
                        "package": "libselinux",
                        "version": "3.9-5",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Christian Göttsche <cgzones@googlemail.com>",
                        "date": "Sun, 01 Feb 2026 19:49:54 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libssh2-1t64:armhf",
                "from_version": {
                    "source_package_name": "libssh2",
                    "source_package_version": "1.11.1-1build2",
                    "version": "1.11.1-1build2"
                },
                "to_version": {
                    "source_package_name": "libssh2",
                    "source_package_version": "1.11.1-3",
                    "version": "1.11.1-3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-7598",
                        "url": "https://ubuntu.com/security/CVE-2026-7598",
                        "cve_description": "A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-01 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-7598",
                                "url": "https://ubuntu.com/security/CVE-2026-7598",
                                "cve_description": "A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-01 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * d/patches: Fix integer overflow in userauth_password",
                            "    Fixes CVE-2026-7598 (Closes: #1135647)",
                            "  * d/control: Update standards version to 4.7.4",
                            ""
                        ],
                        "package": "libssh2",
                        "version": "1.11.1-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Nicolas Mora <babelouest@debian.org>",
                        "date": "Mon, 04 May 2026 07:35:17 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Fix ftbfs, thanks Colin Watson (Closes: #1129134)",
                            "  * d/control: Remove Priority option",
                            "  * d/control: Remove Rules-Requires-Root option",
                            "  * d/control: Update standards version to 4.7.3",
                            ""
                        ],
                        "package": "libssh2",
                        "version": "1.11.1-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Nicolas Mora <babelouest@debian.org>",
                        "date": "Wed, 18 Mar 2026 17:01:10 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libtraceevent1:armhf",
                "from_version": {
                    "source_package_name": "libtraceevent",
                    "source_package_version": "1:1.8.7-1",
                    "version": "1:1.8.7-1"
                },
                "to_version": {
                    "source_package_name": "libtraceevent",
                    "source_package_version": "1:1.9.0-2",
                    "version": "1:1.9.0-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Apply upstream fix for i386 test failure.",
                            ""
                        ],
                        "package": "libtraceevent",
                        "version": "1:1.9.0-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sudip Mukherjee <sudipm.mukherjee@gmail.com>",
                        "date": "Mon, 15 Jun 2026 20:49:30 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 1.9.0",
                            "    - Update copyright.",
                            "    - skip btf_read test.",
                            "      - Does not work in chroot.",
                            "    - Update symbols.",
                            "  * Update Standards-Version to 4.7.4",
                            ""
                        ],
                        "package": "libtraceevent",
                        "version": "1:1.9.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sudip Mukherjee <sudipm.mukherjee@gmail.com>",
                        "date": "Tue, 26 May 2026 19:57:42 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libtraceevent1-plugin:armhf",
                "from_version": {
                    "source_package_name": "libtraceevent",
                    "source_package_version": "1:1.8.7-1",
                    "version": "1:1.8.7-1"
                },
                "to_version": {
                    "source_package_name": "libtraceevent",
                    "source_package_version": "1:1.9.0-2",
                    "version": "1:1.9.0-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Apply upstream fix for i386 test failure.",
                            ""
                        ],
                        "package": "libtraceevent",
                        "version": "1:1.9.0-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sudip Mukherjee <sudipm.mukherjee@gmail.com>",
                        "date": "Mon, 15 Jun 2026 20:49:30 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 1.9.0",
                            "    - Update copyright.",
                            "    - skip btf_read test.",
                            "      - Does not work in chroot.",
                            "    - Update symbols.",
                            "  * Update Standards-Version to 4.7.4",
                            ""
                        ],
                        "package": "libtraceevent",
                        "version": "1:1.9.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sudip Mukherjee <sudipm.mukherjee@gmail.com>",
                        "date": "Tue, 26 May 2026 19:57:42 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libtracefs1:armhf",
                "from_version": {
                    "source_package_name": "libtracefs",
                    "source_package_version": "1.8.2-1ubuntu1",
                    "version": "1.8.2-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "libtracefs",
                    "source_package_version": "1.8.3-1ubuntu1",
                    "version": "1.8.3-1ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2153330,
                    2147639
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2153330). Remaining changes:",
                            "    - Only use online CPUs during tests",
                            "      + d/p/testsuite-use-only-online-cpus.patch",
                            "  * Reworked changes:",
                            "    - Run the upstream test suite during autopkgtest (requires root and VM)",
                            "      (LP #2055309)",
                            "  * New patches:",
                            "    - Cherry-pick upstream patch libtracefs: Fix tracefs_dynevent_destroy_all()",
                            "    - libtracefs .gitignore: only ignore patches/ at top level",
                            "    - libtracefs utest: Update kprobe test to use filename_mkdirat",
                            "      (LP: #2147639)",
                            "    - libtracefs: Use LIBTRACEFS_STATIC for utest",
                            "    - libtracefs: Support EXTRA_LIBS for utest",
                            "    - add find_debug_tracing_dir to tracefs-utest",
                            "  * Bump libtraceevent-dev dependency to 1:1.8.0",
                            "  * Let libtracefs-dev depend on libtraceevent-dev",
                            ""
                        ],
                        "package": "libtracefs",
                        "version": "1.8.3-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2153330,
                            2147639
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 05 Jun 2026 17:22:41 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 1.8.3",
                            "  * Update Standards-Version to 4.7.3",
                            ""
                        ],
                        "package": "libtracefs",
                        "version": "1.8.3-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sudip Mukherjee <sudipm.mukherjee@gmail.com>",
                        "date": "Wed, 28 Jan 2026 18:50:11 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libusb-1.0-0:armhf",
                "from_version": {
                    "source_package_name": "libusb-1.0",
                    "source_package_version": "2:1.0.29-2build1",
                    "version": "2:1.0.29-2build1"
                },
                "to_version": {
                    "source_package_name": "libusb-1.0",
                    "source_package_version": "2:1.0.30-1",
                    "version": "2:1.0.30-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release",
                            ""
                        ],
                        "package": "libusb-1.0",
                        "version": "2:1.0.30-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Mon, 18 May 2026 22:08:37 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release candidate",
                            ""
                        ],
                        "package": "libusb-1.0",
                        "version": "2:1.0.30~rc2-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Sun, 03 May 2026 21:46:32 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release candidate",
                            "  * Update symbols file",
                            "  * Replace pkg-config test-dependency by pkgconf",
                            "  * Bump Standards-Version to 4.7.3 (no changes)",
                            "  * Drop Rules-Requires-Root field from debian/control, now obsolete",
                            "  * Drop Priority field from debian/control, now redundant with the default",
                            "    value",
                            "  * Update debian/watch to version 5",
                            ""
                        ],
                        "package": "libusb-1.0",
                        "version": "2:1.0.30~rc1-1",
                        "urgency": "medium",
                        "distributions": "experimental",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Fri, 27 Feb 2026 22:59:30 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libwrap0:armhf",
                "from_version": {
                    "source_package_name": "tcp-wrappers",
                    "source_package_version": "7.6.q-36build2",
                    "version": "7.6.q-36build2"
                },
                "to_version": {
                    "source_package_name": "tcp-wrappers",
                    "source_package_version": "7.6.q-37",
                    "version": "7.6.q-37"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2132257
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)",
                            ""
                        ],
                        "package": "tcp-wrappers",
                        "version": "7.6.q-36build2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2132257
                        ],
                        "author": "Sebastien Bacher <seb128@debian.org>",
                        "date": "Mon, 02 Feb 2026 21:46:55 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Rebuild to include updated RISC-V base ISA RVA23",
                            ""
                        ],
                        "package": "tcp-wrappers",
                        "version": "7.6.q-36build1",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [],
                        "author": "Heinrich Schuchardt <heinrich.schuchardt@canonical.com>",
                        "date": "Sat, 06 Sep 2025 15:35:05 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": true
            },
            {
                "name": "open-iscsi",
                "from_version": {
                    "source_package_name": "open-iscsi",
                    "source_package_version": "2.1.11-3ubuntu3",
                    "version": "2.1.11-3ubuntu3"
                },
                "to_version": {
                    "source_package_name": "open-iscsi",
                    "source_package_version": "2.1.11-5ubuntu1",
                    "version": "2.1.11-5ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2153177
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable (LP: #2153177). Remaining changes:",
                            "    - d/README.Debian, d/extra/startup-checks.sh, d/open-iscsi.postinst:",
                            "      Apply Ubuntu branding to iqn initiator name",
                            "    - debian/tests: Add Ubuntu autopkgtest suite:",
                            "      + d/t/README-boot-test.md: document test design",
                            "      + d/t/control: register testsuite",
                            "      + d/t/get-image: helper to fetch an ubuntu cloud image",
                            "      + d/t/patch-image: helper to modify an ubuntu cloud image",
                            "        - don't handle 'migration-reference/0' as a package name",
                            "        - mount autopkgtest tmp folder when needed",
                            "        - Ignore binaries with Architecture: amd64 of source packages to fix",
                            "          autopkgtest failures",
                            "      + d/test-open-iscsi.py, d/t/testlib.py: various qa regression tests",
                            "      + d/t/testsuite: helper to invoke qa regression tests",
                            "      + d/t/tgt-boot-test: test using tgt to boot from iscsi",
                            "      + d/t/xkvm: helper to spawn a VM",
                            "      + d/t/install: fixed test by forcing a package reinstall so that",
                            "        /etc/iscsi/initiatorname.iscsi can have expected value from the",
                            "        postinst script",
                            "    - d/extra/initramfs/local-top/iscsi: add a flag to skip network",
                            "      configuration when iscsi is set to 'auto' but no iBFT data is present.",
                            "      Thanks to Alec Warren <alecwarren19@gmail.com>. (LP 2098515)",
                            "    - d/t/control: Add test-dependency on 'fdisk' to avoid 'patch-image'",
                            "      failure in autopkgtest (LP 2095584)",
                            "    - Resize cloud image used for testing to avoid out-of-space errors",
                            "      (LP 2139084):",
                            "      + d/t/test-open-iscsi.py: increase the size of the downloaded image",
                            "      + d/t/control: add cloud-guest-utils to dependencies due to",
                            "        growpart",
                            "    - d/t/patch-image: also look for arch all packages (LP 2143886)",
                            ""
                        ],
                        "package": "open-iscsi",
                        "version": "2.1.11-5ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2153177
                        ],
                        "author": "Hector Cao <hector.cao@canonical.com>",
                        "date": "Mon, 25 May 2026 15:29:23 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * [dc8b039] open-iscsi: add Depends: procps for pidof",
                            ""
                        ],
                        "package": "open-iscsi",
                        "version": "2.1.11-5",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Chris Hofstaedtler <zeha@debian.org>",
                        "date": "Fri, 08 May 2026 12:19:57 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Team upload",
                            "  * [b7e061c] cherry-pick fix for discovering 'static' nodes (Closes: #1129063)",
                            ""
                        ],
                        "package": "open-iscsi",
                        "version": "2.1.11-4",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Fabian Grünbichler <debian@fabian.gruenbichler.email>",
                        "date": "Mon, 02 Mar 2026 09:39:46 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "packagekit",
                "from_version": {
                    "source_package_name": "packagekit",
                    "source_package_version": "1.3.5-1ubuntu1",
                    "version": "1.3.5-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "packagekit",
                    "source_package_version": "1.3.6-1",
                    "version": "1.3.6-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148474
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p: Honour allow_deps=false when removing packages.",
                            "    The PackageKit API allows restricting a RemovePackages transaction to",
                            "    prevent removing any dependent packages, but the APT backend was not",
                            "    honouring it.",
                            "    This could have led to the accidental removal of system packages when",
                            "    trying to uninstall applications from simple PackageKit frontends.",
                            "    (LP: #2148474)",
                            ""
                        ],
                        "package": "packagekit",
                        "version": "1.3.5-1ubuntu1",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2148474
                        ],
                        "author": "Alessandro Astone <alessandro.astone@canonical.com>",
                        "date": "Tue, 09 Jun 2026 10:49:01 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": true
            },
            {
                "name": "parted",
                "from_version": {
                    "source_package_name": "parted",
                    "source_package_version": "3.6-6",
                    "version": "3.6-6"
                },
                "to_version": {
                    "source_package_name": "parted",
                    "source_package_version": "3.7-1",
                    "version": "3.7-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Drop \"Rules-Requires-Root: no\", default as of dpkg-dev 1.22.13.",
                            "  * debian/upstream/signing-key.asc: Update self-signatures.",
                            "  * New upstream release:",
                            "    - libparted: Do not detect ext4 without journal as ext2 (closes:",
                            "      #1103454).",
                            "  * Ship Doxygen-generated API documentation (closes: #1119679).",
                            "  * debian/copyright: Convert to copyright-format 1.0.",
                            ""
                        ],
                        "package": "parted",
                        "version": "3.7-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Colin Watson <cjwatson@debian.org>",
                        "date": "Tue, 14 Apr 2026 13:03:38 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "pci.ids",
                "from_version": {
                    "source_package_name": "pci.ids",
                    "source_package_version": "0.0~2026.05.30-1",
                    "version": "0.0~2026.05.30-1"
                },
                "to_version": {
                    "source_package_name": "pci.ids",
                    "source_package_version": "0.0~2026.06.16-1",
                    "version": "0.0~2026.06.16-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Require Perl 5.40 in autopkgtest.",
                            "  * Switch to use Perl sub signatures in autopkgtest.",
                            ""
                        ],
                        "package": "pci.ids",
                        "version": "0.0~2026.06.16-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Tue, 16 Jun 2026 04:08:59 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "pciutils",
                "from_version": {
                    "source_package_name": "pciutils",
                    "source_package_version": "1:3.14.0-1build2",
                    "version": "1:3.14.0-1build2"
                },
                "to_version": {
                    "source_package_name": "pciutils",
                    "source_package_version": "1:3.15.0-2",
                    "version": "1:3.15.0-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Remove obsolete lintian override for removed exit-in-shared-library tag.",
                            "  * Add bug-script for pciutils to recommend attaching «lspci -vvxxx» output",
                            "    as requested by upstream.",
                            "  * Add patch to remove «allows …» usage in man pages, warned by lintian.",
                            "  * Add patch to add groff hint to run the tbl preprocessor for pcilmr(8),",
                            "    warned by lintian.",
                            ""
                        ],
                        "package": "pciutils",
                        "version": "1:3.15.0-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Tue, 12 May 2026 06:13:47 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Switch to debian/watch version 5.",
                            "  * Add spaces around make assignment operators to distinguish from shell ones.",
                            "  * Switch to Standards-Version 4.7.4 (no changes needed).",
                            "  * Remove build dependency on debhelper (>= 13.10) implied by",
                            "    debhelper-compat (= 13) since Debian bookworm.",
                            "  * Remove versioned Build-Depends on dpkg-dev, satisfied since Debian trixie.",
                            "  * Refactor common description into a source stanza Description field.",
                            "  * Update copyright years.",
                            ""
                        ],
                        "package": "pciutils",
                        "version": "1:3.15.0-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Guillem Jover <guillem@debian.org>",
                        "date": "Wed, 08 Apr 2026 02:38:33 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "perl",
                "from_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-7build1",
                    "version": "5.40.1-7build1"
                },
                "to_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-8",
                    "version": "5.40.1-8"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-15649",
                        "url": "https://ubuntu.com/security/CVE-2025-15649",
                        "cve_description": "IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.  _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.  The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7010",
                        "url": "https://ubuntu.com/security/CVE-2026-7010",
                        "cve_description": "HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.  The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.  An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-11 22:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8376",
                        "url": "https://ubuntu.com/security/CVE-2026-8376",
                        "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.  Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.  A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 00:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-48959",
                        "url": "https://ubuntu.com/security/CVE-2026-48959",
                        "cve_description": "IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.  fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.  Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-48961",
                        "url": "https://ubuntu.com/security/CVE-2026-48961",
                        "cve_description": "IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID.  When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255.  Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-48962",
                        "url": "https://ubuntu.com/security/CVE-2026-48962",
                        "cve_description": "IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.  _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.  Arbitrary Perl in the output glob executes at the calling process's privilege.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-15649",
                                "url": "https://ubuntu.com/security/CVE-2025-15649",
                                "cve_description": "IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.  _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.  The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7010",
                                "url": "https://ubuntu.com/security/CVE-2026-7010",
                                "cve_description": "HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.  The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.  An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-11 22:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8376",
                                "url": "https://ubuntu.com/security/CVE-2026-8376",
                                "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.  Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.  A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 00:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-48959",
                                "url": "https://ubuntu.com/security/CVE-2026-48959",
                                "cve_description": "IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.  fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.  Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-48961",
                                "url": "https://ubuntu.com/security/CVE-2026-48961",
                                "cve_description": "IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID.  When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255.  Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-48962",
                                "url": "https://ubuntu.com/security/CVE-2026-48962",
                                "cve_description": "IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.  _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.  Arbitrary Perl in the output glob executes at the calling process's privilege.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * [SECURITY] backport various fixes from upstream:",
                            "    + CVE-2025-15649: header parsing in IO::Uncompress::Unzip.",
                            "        (Closes: #1138863)",
                            "    + CVE-2026-7010:  CRLF-validation in HTTP::Tiny.",
                            "        (Closes: #1138858)",
                            "    + CVE-2026-8376:  Buffer overflow in Perl_study_chunk.",
                            "        (Closes: #1137345)",
                            "    + CVE-2026-48959: CPU exhaustion in IO::Uncompress::Unzip.",
                            "        (Closes: #1138856)",
                            "    + CVE-2026-48961: crash in zipdetails.",
                            "        (Closes: #1138855)",
                            "    + CVE-2026-48962: code execution in IO-Compress via output globs.",
                            "        (Closes: #1138854)",
                            "    + buffer overflows in pack().",
                            "        (Closes: #1138905)",
                            "    + buffer overflow in Storable.",
                            "        (Closes: #1138906)",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.40.1-8",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Niko Tyni <ntyni@debian.org>",
                        "date": "Sat, 06 Jun 2026 17:22:29 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "perl-base",
                "from_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-7build1",
                    "version": "5.40.1-7build1"
                },
                "to_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-8",
                    "version": "5.40.1-8"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-15649",
                        "url": "https://ubuntu.com/security/CVE-2025-15649",
                        "cve_description": "IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.  _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.  The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7010",
                        "url": "https://ubuntu.com/security/CVE-2026-7010",
                        "cve_description": "HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.  The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.  An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-11 22:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8376",
                        "url": "https://ubuntu.com/security/CVE-2026-8376",
                        "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.  Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.  A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 00:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-48959",
                        "url": "https://ubuntu.com/security/CVE-2026-48959",
                        "cve_description": "IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.  fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.  Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-48961",
                        "url": "https://ubuntu.com/security/CVE-2026-48961",
                        "cve_description": "IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID.  When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255.  Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-48962",
                        "url": "https://ubuntu.com/security/CVE-2026-48962",
                        "cve_description": "IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.  _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.  Arbitrary Perl in the output glob executes at the calling process's privilege.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-15649",
                                "url": "https://ubuntu.com/security/CVE-2025-15649",
                                "cve_description": "IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.  _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.  The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7010",
                                "url": "https://ubuntu.com/security/CVE-2026-7010",
                                "cve_description": "HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.  The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.  An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-11 22:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8376",
                                "url": "https://ubuntu.com/security/CVE-2026-8376",
                                "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.  Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.  A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 00:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-48959",
                                "url": "https://ubuntu.com/security/CVE-2026-48959",
                                "cve_description": "IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.  fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.  Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-48961",
                                "url": "https://ubuntu.com/security/CVE-2026-48961",
                                "cve_description": "IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID.  When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255.  Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-48962",
                                "url": "https://ubuntu.com/security/CVE-2026-48962",
                                "cve_description": "IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.  _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.  Arbitrary Perl in the output glob executes at the calling process's privilege.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * [SECURITY] backport various fixes from upstream:",
                            "    + CVE-2025-15649: header parsing in IO::Uncompress::Unzip.",
                            "        (Closes: #1138863)",
                            "    + CVE-2026-7010:  CRLF-validation in HTTP::Tiny.",
                            "        (Closes: #1138858)",
                            "    + CVE-2026-8376:  Buffer overflow in Perl_study_chunk.",
                            "        (Closes: #1137345)",
                            "    + CVE-2026-48959: CPU exhaustion in IO::Uncompress::Unzip.",
                            "        (Closes: #1138856)",
                            "    + CVE-2026-48961: crash in zipdetails.",
                            "        (Closes: #1138855)",
                            "    + CVE-2026-48962: code execution in IO-Compress via output globs.",
                            "        (Closes: #1138854)",
                            "    + buffer overflows in pack().",
                            "        (Closes: #1138905)",
                            "    + buffer overflow in Storable.",
                            "        (Closes: #1138906)",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.40.1-8",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Niko Tyni <ntyni@debian.org>",
                        "date": "Sat, 06 Jun 2026 17:22:29 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "perl-modules-5.40",
                "from_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-7build1",
                    "version": "5.40.1-7build1"
                },
                "to_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.40.1-8",
                    "version": "5.40.1-8"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-15649",
                        "url": "https://ubuntu.com/security/CVE-2025-15649",
                        "cve_description": "IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.  _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.  The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7010",
                        "url": "https://ubuntu.com/security/CVE-2026-7010",
                        "cve_description": "HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.  The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.  An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-11 22:22:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8376",
                        "url": "https://ubuntu.com/security/CVE-2026-8376",
                        "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.  Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.  A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 00:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-48959",
                        "url": "https://ubuntu.com/security/CVE-2026-48959",
                        "cve_description": "IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.  fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.  Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-48961",
                        "url": "https://ubuntu.com/security/CVE-2026-48961",
                        "cve_description": "IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID.  When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255.  Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-48962",
                        "url": "https://ubuntu.com/security/CVE-2026-48962",
                        "cve_description": "IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.  _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.  Arbitrary Perl in the output glob executes at the calling process's privilege.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-27 04:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-15649",
                                "url": "https://ubuntu.com/security/CVE-2025-15649",
                                "cve_description": "IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date.  _dosToUnixTime() decodes the local-file-header last-modification date field and calls Time::Local::timelocal() without an eval guard. A header whose date field decodes to an out-of-range month, day, or hour causes timelocal() to die.  The exception propagates out of IO::Uncompress::Unzip->new($file) where callers expect undef plus $UnzipError.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7010",
                                "url": "https://ubuntu.com/security/CVE-2026-7010",
                                "cve_description": "HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.  The unvalidated inputs are the method and URI in the request line, the URL host that becomes the `Host:` header, and HTTP/1.1 control data field values.  An attacker who controls one of these inputs, for example a user supplied URL passed to a webhook or URL fetch endpoint, can inject additional headers and smuggle requests to the upstream server.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-11 22:22:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8376",
                                "url": "https://ubuntu.com/security/CVE-2026-8376",
                                "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.  Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.  A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 00:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-48959",
                                "url": "https://ubuntu.com/security/CVE-2026-48959",
                                "cve_description": "IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.  fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.  Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-48961",
                                "url": "https://ubuntu.com/security/CVE-2026-48961",
                                "cve_description": "IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID.  When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255.  Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-48962",
                                "url": "https://ubuntu.com/security/CVE-2026-48962",
                                "cve_description": "IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob.  _parseOutputGlob() wraps the caller-supplied output glob string in double quotes and stores it in the parser state; _getFiles() then runs the stored expression through eval STRING. A literal double quote in the output glob closes the dquote wrapper, and the characters that follow are evaluated as Perl.  Arbitrary Perl in the output glob executes at the calling process's privilege.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-27 04:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * [SECURITY] backport various fixes from upstream:",
                            "    + CVE-2025-15649: header parsing in IO::Uncompress::Unzip.",
                            "        (Closes: #1138863)",
                            "    + CVE-2026-7010:  CRLF-validation in HTTP::Tiny.",
                            "        (Closes: #1138858)",
                            "    + CVE-2026-8376:  Buffer overflow in Perl_study_chunk.",
                            "        (Closes: #1137345)",
                            "    + CVE-2026-48959: CPU exhaustion in IO::Uncompress::Unzip.",
                            "        (Closes: #1138856)",
                            "    + CVE-2026-48961: crash in zipdetails.",
                            "        (Closes: #1138855)",
                            "    + CVE-2026-48962: code execution in IO-Compress via output globs.",
                            "        (Closes: #1138854)",
                            "    + buffer overflows in pack().",
                            "        (Closes: #1138905)",
                            "    + buffer overflow in Storable.",
                            "        (Closes: #1138906)",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.40.1-8",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Niko Tyni <ntyni@debian.org>",
                        "date": "Sat, 06 Jun 2026 17:22:29 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-certifi",
                "from_version": {
                    "source_package_name": "python-certifi",
                    "source_package_version": "2026.1.4+ds-1",
                    "version": "2026.1.4+ds-1"
                },
                "to_version": {
                    "source_package_name": "python-certifi",
                    "source_package_version": "2026.5.20+ds-1",
                    "version": "2026.5.20+ds-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            ""
                        ],
                        "package": "python-certifi",
                        "version": "2026.5.20+ds-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Colin Watson <cjwatson@debian.org>",
                        "date": "Sun, 24 May 2026 13:29:49 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            "  * Bump Standards-Version to 4.7.4, drop Priority: optional.",
                            ""
                        ],
                        "package": "python-certifi",
                        "version": "2026.4.22+ds-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Fri, 24 Apr 2026 17:10:20 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release.",
                            ""
                        ],
                        "package": "python-certifi",
                        "version": "2026.2.25+ds-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Colin Watson <cjwatson@debian.org>",
                        "date": "Fri, 27 Feb 2026 09:46:22 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-debian",
                "from_version": {
                    "source_package_name": "python-debian",
                    "source_package_version": "1.0.1ubuntu2",
                    "version": "1.0.1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "python-debian",
                    "source_package_version": "1.1.0ubuntu1",
                    "version": "1.1.0ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge from Debian unstable. Remaining changes:",
                            "    - Drop python3-charset-normalizer from Depends/Recommends,",
                            "      to avoid component-mismatch",
                            ""
                        ],
                        "package": "python-debian",
                        "version": "1.1.0ubuntu1",
                        "urgency": "low",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Tue, 05 May 2026 23:01:03 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Colin Watson ]",
                            "  * Add support for merging Changes objects",
                            "  * Fix merging of multi-line fields",
                            "",
                            "  [ Sébastien Noel ]",
                            "  * gitlab-ci: Trixie has been released",
                            "  * Provide a new dpkg_arch_to_multiarch() function",
                            "    (Closes: #1095138)",
                            "",
                            "  [ Stuart Prescott ]",
                            "  * Multiple test, type and annotation related changes",
                            "    including running `pyupgrade` with `py37` as target",
                            "    version.",
                            "",
                            "  [ Nicolas Boulenguez ]",
                            "  * Add deb822.PkgRelation.{holds_on_arch, holds_with_profiles}",
                            "    (Closes: #1120283)",
                            "  * Replace physical address to the FSF with an URL in the license text",
                            "  * Update Standards-Version to 4.7.3",
                            "  * Replace collections.namedtuple with typing.NamedTuple in deb822.py",
                            ""
                        ],
                        "package": "python-debian",
                        "version": "1.1.0",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Niels Thykier <niels@thykier.net>",
                        "date": "Sun, 08 Feb 2026 13:31:49 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-jinja2",
                "from_version": {
                    "source_package_name": "jinja2",
                    "source_package_version": "3.1.6-1build1",
                    "version": "3.1.6-1build1"
                },
                "to_version": {
                    "source_package_name": "jinja2",
                    "source_package_version": "3.1.6-2",
                    "version": "3.1.6-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Team upload.",
                            "  * Remove ancient Python 3.6-era debian/python3-jinja2.bcep",
                            "  * Disable useless Salsa CI jobs",
                            "  * Bump Standards-Version to 4.7.3, drop Priority: tag",
                            "  * Tag python3-trio dependency as <!nocheck>",
                            "",
                            "  [ Bastian Germann ]",
                            "  * d/copyright: Use machine-readable format",
                            ""
                        ],
                        "package": "jinja2",
                        "version": "3.1.6-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Alexandre Detiste <tchet@debian.org>",
                        "date": "Mon, 16 Mar 2026 21:00:10 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.14",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.6-1",
                    "version": "3.14.6-1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7210",
                        "url": "https://ubuntu.com/security/CVE-2026-7210",
                        "cve_description": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.  Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-11 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitigation of CVE-2026-4519 was incomplete. If the URL contained \"%action\", the mitigation could be bypassed for certain browser types, and the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7210",
                                "url": "https://ubuntu.com/security/CVE-2026-7210",
                                "cve_description": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.  Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-11 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Python 3.14.6 release.",
                            "    - Avoid crash decompressing untrusted bz2 data. CVE-2026-9669.",
                            "    - Don't trust server-provided passive connection addresses in ftplib.",
                            "      CVE-2026-8328.",
                            "    - Don't allow untrusted tarfile extraction to write outside the",
                            "      destination. CVE-2026-7774.",
                            "    - Protects against DoS in expat XML parsing. CVE-2026-7210.",
                            "    - Avoid DoS in unicode normalization. CVE-2026-3276.",
                            "",
                            "  [ Colin Watson ]",
                            "  * Drop libnsl-dev build-dependency, which is superfluous since the nis",
                            "    module was removed in Python 3.13.",
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Refresh patches.",
                            "  * Drop mention of gdbinit from README.debug. Closes: #1109449.",
                            "  * Tidy up python3.X-config manpage. Closes: #1101810.",
                            "  * Build with -fno-thread-jumps, instead of -O1 on m68k. Closes: #1139593",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.6-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Wed, 10 Jun 2026 14:54:31 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitigation of CVE-2026-4519 was incomplete. If the URL contained \"%action\", the mitigation could be bypassed for certain browser types, and the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Python 3.14.5 release.",
                            "    Fixes:",
                            "    - CVE-2026-5713: Validate remote debug offset tables on load.",
                            "    - CVE-2026-4786: Fix webbrowser %action substitution bypass of dash-prefix",
                            "      check.",
                            "    - CVE-2026-1502: Reject CR/LF in HTTP tunnel request headers.",
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Refresh patches.",
                            "  * Update build-details path to include abiflags, and move it to",
                            "    libpython3.14-minimal / libpython3.14-dbg.",
                            "  * Patch: Fix test_pyexpat on i386. (Closes: #1135052)",
                            "  * Patch: Generate the correct base_interpreter in build-details on debug",
                            "    builds.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Run the tests with -j 2 instead of running sequentially.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.5-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Sun, 10 May 2026 21:38:08 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Python 3.14.5 release candidate.",
                            "  * Skip pyexpat.test_deeply_nested_content_model on i386.",
                            "  * Refresh patches.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.5~rc1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 06 May 2026 06:21:50 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Install _sysconfig_vars.json for the debug build.",
                            "  * d/t/control: Add python-tk to failing-tests-dbg dependencies.",
                            "  * d/t/testsuite-dbg: Don't run test_build_details, the build-details",
                            "    file for the debug interpreter is not installed.",
                            "  * Bump standards version.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 22 Apr 2026 12:14:09 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.14-gdbm",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.6-1",
                    "version": "3.14.6-1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7210",
                        "url": "https://ubuntu.com/security/CVE-2026-7210",
                        "cve_description": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding. Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-11 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitigation of CVE-2026-4519 was incomplete. If the URL contained \"%action\", the mitigation could be bypassed for certain browser types, and the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7210",
                                "url": "https://ubuntu.com/security/CVE-2026-7210",
                                "cve_description": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding. Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-11 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Python 3.14.6 release.",
                            "    - Avoid crash decompressing untrusted bz2 data. CVE-2026-9669.",
                            "    - Don't trust server-provided passive connection addresses in ftplib.",
                            "      CVE-2026-8328.",
                            "    - Don't allow untrusted tarfile extraction to write outside the",
                            "      destination. CVE-2026-7774.",
                            "    - Protects against DoS in expat XML parsing. CVE-2026-7210.",
                            "    - Avoid DoS in unicode normalization. CVE-2026-3276.",
                            "",
                            "  [ Colin Watson ]",
                            "  * Drop libnsl-dev build-dependency, which is superfluous since the nis",
                            "    module was removed in Python 3.13.",
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Refresh patches.",
                            "  * Drop mention of gdbinit from README.debug. Closes: #1109449.",
                            "  * Tidy up python3.X-config manpage. Closes: #1101810.",
                            "  * Build with -fno-thread-jumps, instead of -O1 on m68k. Closes: #1139593",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.6-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Wed, 10 Jun 2026 14:54:31 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitigation of CVE-2026-4519 was incomplete. If the URL contained \"%action\", the mitigation could be bypassed for certain browser types, and the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Python 3.14.5 release.",
                            "    Fixes:",
                            "    - CVE-2026-5713: Validate remote debug offset tables on load.",
                            "    - CVE-2026-4786: Fix webbrowser %action substitution bypass of dash-prefix",
                            "      check.",
                            "    - CVE-2026-1502: Reject CR/LF in HTTP tunnel request headers.",
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Refresh patches.",
                            "  * Update build-details path to include abiflags, and move it to",
                            "    libpython3.14-minimal / libpython3.14-dbg.",
                            "  * Patch: Fix test_pyexpat on i386. (Closes: #1135052)",
                            "  * Patch: Generate the correct base_interpreter in build-details on debug",
                            "    builds.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Run the tests with -j 2 instead of running sequentially.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.5-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Sun, 10 May 2026 21:38:08 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Python 3.14.5 release candidate.",
                            "  * Skip pyexpat.test_deeply_nested_content_model on i386.",
                            "  * Refresh patches.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.5~rc1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 06 May 2026 06:21:50 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Install _sysconfig_vars.json for the debug build.",
                            "  * d/t/control: Add python-tk to failing-tests-dbg dependencies.",
                            "  * d/t/testsuite-dbg: Don't run test_build_details, the build-details",
                            "    file for the debug interpreter is not installed.",
                            "  * Bump standards version.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 22 Apr 2026 12:14:09 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3.14-minimal",
                "from_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.4-1",
                    "version": "3.14.4-1"
                },
                "to_version": {
                    "source_package_name": "python3.14",
                    "source_package_version": "3.14.6-1",
                    "version": "3.14.6-1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-9669",
                        "url": "https://ubuntu.com/security/CVE-2026-9669",
                        "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-08 23:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8328",
                        "url": "https://ubuntu.com/security/CVE-2026-8328",
                        "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-13 21:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7774",
                        "url": "https://ubuntu.com/security/CVE-2026-7774",
                        "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-04 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7210",
                        "url": "https://ubuntu.com/security/CVE-2026-7210",
                        "cve_description": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding. Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-11 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3276",
                        "url": "https://ubuntu.com/security/CVE-2026-3276",
                        "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-06-03 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5713",
                        "url": "https://ubuntu.com/security/CVE-2026-5713",
                        "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 16:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-4786",
                        "url": "https://ubuntu.com/security/CVE-2026-4786",
                        "cve_description": "Mitigation of CVE-2026-4519 was incomplete. If the URL contained \"%action\", the mitigation could be bypassed for certain browser types, and the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-1502",
                        "url": "https://ubuntu.com/security/CVE-2026-1502",
                        "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-10 18:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-9669",
                                "url": "https://ubuntu.com/security/CVE-2026-9669",
                                "cve_description": "bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-08 23:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8328",
                                "url": "https://ubuntu.com/security/CVE-2026-8328",
                                "cve_description": "The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-13 21:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7774",
                                "url": "https://ubuntu.com/security/CVE-2026-7774",
                                "cve_description": "tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall() to write files outside the destination directory, subject to the permissions of the extracting process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-04 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7210",
                                "url": "https://ubuntu.com/security/CVE-2026-7210",
                                "cve_description": "`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\\r\\n\\r\\nFully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-11 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3276",
                                "url": "https://ubuntu.com/security/CVE-2026-3276",
                                "cve_description": "unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-06-03 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Python 3.14.6 release.",
                            "    - Avoid crash decompressing untrusted bz2 data. CVE-2026-9669.",
                            "    - Don't trust server-provided passive connection addresses in ftplib.",
                            "      CVE-2026-8328.",
                            "    - Don't allow untrusted tarfile extraction to write outside the",
                            "      destination. CVE-2026-7774.",
                            "    - Protects against DoS in expat XML parsing. CVE-2026-7210.",
                            "    - Avoid DoS in unicode normalization. CVE-2026-3276.",
                            "",
                            "  [ Colin Watson ]",
                            "  * Drop libnsl-dev build-dependency, which is superfluous since the nis",
                            "    module was removed in Python 3.13.",
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Refresh patches.",
                            "  * Drop mention of gdbinit from README.debug. Closes: #1109449.",
                            "  * Tidy up python3.X-config manpage. Closes: #1101810.",
                            "  * Build with -fno-thread-jumps, instead of -O1 on m68k. Closes: #1139593",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.6-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Wed, 10 Jun 2026 14:54:31 -0400"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-5713",
                                "url": "https://ubuntu.com/security/CVE-2026-5713",
                                "cve_description": "The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 16:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-4786",
                                "url": "https://ubuntu.com/security/CVE-2026-4786",
                                "cve_description": "Mitgation of CVE-2026-4519 was incomplete. If the URL contained \"%action\" the mitigation could be bypassed for certain browser types the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-1502",
                                "url": "https://ubuntu.com/security/CVE-2026-1502",
                                "cve_description": "CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-10 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * Python 3.14.5 release.",
                            "    Fixes:",
                            "    - CVE-2026-5713: Validate remote debug offset tables on load.",
                            "    - CVE-2026-4786: Fix webbrowser %action substitution bypass of dash-prefix",
                            "      check.",
                            "    - CVE-2026-1502: Reject CR/LF in HTTP tunnel request headers.",
                            "",
                            "  [ Stefano Rivera ]",
                            "  * Refresh patches.",
                            "  * Update build-details path to include abiflags, and move it to",
                            "    libpython3.14-minimal / libpython3.14-dbg.",
                            "  * Patch: Fix test_pyexpat on i386. (Closes: #1135052)",
                            "  * Patch: Generate the correct base_interpreter in build-details on debug",
                            "    builds.",
                            "",
                            "  [ Matthias Klose ]",
                            "  * Run the tests with -j 2 instead of running sequentially.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.5-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Stefano Rivera <stefanor@debian.org>",
                        "date": "Sun, 10 May 2026 21:38:08 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Python 3.14.5 release candidate.",
                            "  * Skip pyexpat.test_deeply_nested_content_model on i386.",
                            "  * Refresh patches.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.5~rc1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 06 May 2026 06:21:50 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Install _sysconfig_vars.json for the debug build.",
                            "  * d/t/control: Add python-tk to failing-tests-dbg dependencies.",
                            "  * d/t/testsuite-dbg: Don't run test_build_details, the build-details",
                            "    file for the debug interpreter is not installed.",
                            "  * Bump standards version.",
                            ""
                        ],
                        "package": "python3.14",
                        "version": "3.14.4-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Matthias Klose <doko@debian.org>",
                        "date": "Wed, 22 Apr 2026 12:14:09 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "rpcsvc-proto",
                "from_version": {
                    "source_package_name": "rpcsvc-proto",
                    "source_package_version": "1.4.3-1build1",
                    "version": "1.4.3-1build1"
                },
                "to_version": {
                    "source_package_name": "rpcsvc-proto",
                    "source_package_version": "1.4.4-1",
                    "version": "1.4.4-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Aurelien Jarno ]",
                            "  * New upstream release (Closes: #1137423)",
                            "  * debian/control: drop Rules-Requires-Root field, now obsolete",
                            "  * debian/control: drop redundanty Priority field",
                            "  * debian/control: bump Standards-Version to 4.7.4 (no changes)",
                            "  * Add a debian/watch file",
                            "  * Set DEB_BUILD_MAINT_OPTIONS = hardening=+all to make lintian happier",
                            "",
                            "  [ Samuel Thibault ]",
                            "  * control: Add hurd-amd64 case",
                            "",
                            "  [ Debian Janitor ]",
                            "  * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-",
                            "    Browse.",
                            ""
                        ],
                        "package": "rpcsvc-proto",
                        "version": "1.4.4-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Aurelien Jarno <aurel32@debian.org>",
                        "date": "Tue, 26 May 2026 22:08:54 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "rsync",
                "from_version": {
                    "source_package_name": "rsync",
                    "source_package_version": "3.4.1+ds1-7",
                    "version": "3.4.1+ds1-7"
                },
                "to_version": {
                    "source_package_name": "rsync",
                    "source_package_version": "3.4.4+ds1-1",
                    "version": "3.4.4+ds1-1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-41035",
                        "url": "https://ubuntu.com/security/CVE-2026-41035",
                        "cve_description": "In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-04-16 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-10158",
                        "url": "https://ubuntu.com/security/CVE-2025-10158",
                        "cve_description": "A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The  malicious  rsync client requires at least read access to the remote rsync module in order to trigger the issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2025-11-18 15:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 3.4.4+ds1",
                            ""
                        ],
                        "package": "rsync",
                        "version": "3.4.4+ds1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Samuel Henrique <samueloph@debian.org>",
                        "date": "Sun, 07 Jun 2026 22:07:25 -0700"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/t/upstream-tests: Build t_chmod_secure and t_secure_relpath",
                            ""
                        ],
                        "package": "rsync",
                        "version": "3.4.3+ds1-2",
                        "urgency": "high",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Samuel Henrique <samueloph@debian.org>",
                        "date": "Tue, 19 May 2026 18:23:33 -0700"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream version 3.4.3+ds1",
                            "  * d/p/syscall_use_openat2...: Drop merged patch",
                            ""
                        ],
                        "package": "rsync",
                        "version": "3.4.3+ds1-1",
                        "urgency": "high",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Samuel Henrique <samueloph@debian.org>",
                        "date": "Tue, 19 May 2026 17:47:34 -0700"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/syscall_use_openat2...: New patch to fix symlink handling on the",
                            "    receiver (closes: #1093160)",
                            ""
                        ],
                        "package": "rsync",
                        "version": "3.4.2+ds1-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Samuel Henrique <samueloph@debian.org>",
                        "date": "Thu, 30 Apr 2026 09:50:10 -0300"
                    },
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-41035",
                                "url": "https://ubuntu.com/security/CVE-2026-41035",
                                "cve_description": "In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-04-16 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-10158",
                                "url": "https://ubuntu.com/security/CVE-2025-10158",
                                "cve_description": "A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The  malicious  rsync client requires at least read access to the remote rsync module in order to trigger the issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2025-11-18 15:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  [ Samuel Henrique ]",
                            "  * New upstream version 3.4.2+ds1",
                            "    - Fix CVE-2026-41035 (closes: #1134617)",
                            "  * Drop patches merged upstream.",
                            "     - fix-flaky-hardlinks-test.patch",
                            "     - reproducible-build.patch",
                            "     - gcc_15.patch",
                            "     - CVE-2025-10158.patch",
                            "  * d/copyright: runtests.sh was refactored to runtests.py",
                            "  * d/t/upstream-tests: runtests.sh was refactored to runtests.py",
                            "",
                            "  [ Alexandre Detiste ]",
                            "  * delete d/rules-pre-dh that shows up on Debian Code Search",
                            ""
                        ],
                        "package": "rsync",
                        "version": "3.4.2+ds1-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Samuel Henrique <samueloph@debian.org>",
                        "date": "Wed, 29 Apr 2026 11:58:29 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "rust-coreutils",
                "from_version": {
                    "source_package_name": "rust-coreutils",
                    "source_package_version": "0.8.0-0ubuntu3",
                    "version": "0.8.0-0ubuntu3"
                },
                "to_version": {
                    "source_package_name": "rust-coreutils",
                    "source_package_version": "0.8.0-0ubuntu4",
                    "version": "0.8.0-0ubuntu4"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2116290
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/p/df-statfs-fallback.patch: Add a fallback to statfs if the mount path",
                            "    could not be found normally. (LP: #2116290)",
                            ""
                        ],
                        "package": "rust-coreutils",
                        "version": "0.8.0-0ubuntu4",
                        "urgency": "medium",
                        "distributions": "stonking",
                        "launchpad_bugs_fixed": [
                            2116290
                        ],
                        "author": "Varun Varma <varun.varma@canonical.com>",
                        "date": "Thu, 21 May 2026 16:10:00 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "sos",
                "from_version": {
                    "source_package_name": "sos",
                    "source_package_version": "4.11.1-2",
                    "version": "4.11.1-2"
                },
                "to_version": {
                    "source_package_name": "sos",
                    "source_package_version": "4.11.2-1",
                    "version": "4.11.2-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release 4.11.2",
                            "",
                            "  * For more details, full release note is available here:",
                            "    - https://github.com/sosreport/sos/releases/tag/4.11.2",
                            "",
                            "  * Revert \"d/control: Remove Uploaders\"",
                            ""
                        ],
                        "package": "sos",
                        "version": "4.11.2-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Arif Ali <arif-ali@ubuntu.com>",
                        "date": "Tue, 16 Jun 2026 12:43:00 +0000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tcpdump",
                "from_version": {
                    "source_package_name": "tcpdump",
                    "source_package_version": "4.99.6-1",
                    "version": "4.99.6-1"
                },
                "to_version": {
                    "source_package_name": "tcpdump",
                    "source_package_version": "4.99.6-2",
                    "version": "4.99.6-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Upload to sid",
                            ""
                        ],
                        "package": "tcpdump",
                        "version": "4.99.6-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Gianfranco Costamagna <locutusofborg@debian.org>",
                        "date": "Fri, 27 Feb 2026 19:23:01 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tmux",
                "from_version": {
                    "source_package_name": "tmux",
                    "source_package_version": "3.6a-2",
                    "version": "3.6a-2"
                },
                "to_version": {
                    "source_package_name": "tmux",
                    "source_package_version": "3.6b-1",
                    "version": "3.6b-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Sébastien Delafond ]",
                            "  * d/watch: remove Uversion-mangle",
                            "  * Bump-up Standards-Version",
                            "  * New upstream version 3.6b",
                            ""
                        ],
                        "package": "tmux",
                        "version": "3.6b-1",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Sebastien Delafond <seb@debian.org>",
                        "date": "Tue, 26 May 2026 16:37:43 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tnftp",
                "from_version": {
                    "source_package_name": "tnftp",
                    "source_package_version": "20260211-1",
                    "version": "20260211-1"
                },
                "to_version": {
                    "source_package_name": "tnftp",
                    "source_package_version": "20260211-2",
                    "version": "20260211-2"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/control: remove Priority: optional",
                            "  * d/watch: update Version: 5, not use Option pasv",
                            "  * d/copyright: fix old-fsf-address-in-copyright-file",
                            ""
                        ],
                        "package": "tnftp",
                        "version": "20260211-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "xiao sheng wen <atzlinux@sina.com>",
                        "date": "Mon, 30 Mar 2026 15:53:45 +0800"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xfsprogs",
                "from_version": {
                    "source_package_name": "xfsprogs",
                    "source_package_version": "6.18.0-3",
                    "version": "6.18.0-3"
                },
                "to_version": {
                    "source_package_name": "xfsprogs",
                    "source_package_version": "6.19.0-1",
                    "version": "6.19.0-1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Disable exchange-range as well",
                            ""
                        ],
                        "package": "xfsprogs",
                        "version": "6.18.0-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Bastian Germann <bage@debian.org>",
                        "date": "Thu, 29 Jan 2026 23:05:48 +0100"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Disable parent pointers by default as in versions < 6.18",
                            ""
                        ],
                        "package": "xfsprogs",
                        "version": "6.18.0-2",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [],
                        "author": "Bastian Germann <bage@debian.org>",
                        "date": "Tue, 27 Jan 2026 11:47:02 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": true
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [],
        "snap": []
    },
    "removed": {
        "deb": [],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 26.10 stonking image from daily image serial 20260617 to 20260621",
    "from_series": "stonking",
    "to_series": "stonking",
    "from_serial": "20260617",
    "to_serial": "20260621",
    "from_manifest_filename": "daily_manifest.previous",
    "to_manifest_filename": "manifest.current"
}