11/02/2026, commit https://github.com/canonical/core-base/tree/37b6ca6eae54cbf2ce64fe2c836b59ee1438f27f
[ Changes in the core24 snap ]
Alfonso Sánchez-Beato (1):
hooks: add script to remove unneeded apparmor profiles
[ Changes in primed packages ]
base-files (built from base-files) updated from 13ubuntu10.3 to 13ubuntu10.4:
base-files (13ubuntu10.4) noble; urgency=medium
* /etc/issue{,.net}, /etc/{lsb,os}-release: bump version to 24.04.4
(LP: #2140756)
-- Florent 'Skia' Jacquet <[email protected]> Fri, 06 Feb 2026 08:23:01 +0100
libglib2.0-0t64:amd64 (built from glib2.0) updated from 2.80.0-6ubuntu3.6 to 2.80.0-6ubuntu3.8:
glib2.0 (2.80.0-6ubuntu3.8) noble-security; urgency=medium
* SECURITY UPDATE: integer overflow in Base64 encoding
- debian/patches/CVE-2026-1484-1.patch: use gsize to prevent potential
overflow in glib/gbase64.c.
- debian/patches/CVE-2026-1484-2.patch: ensure that the out value is
within allocated size in glib/gbase64.c.
- CVE-2026-1484
* SECURITY UPDATE: buffer underflow via header length
- debian/patches/CVE-2026-1485.patch: do not overflow if header is
longer than MAXINT in gio/gcontenttype.c.
- CVE-2026-1485
* SECURITY UPDATE: integer overflow via Unicode case conversion
- debian/patches/CVE-2026-1489-1.patch: use size_t for output_marks
length in glib/guniprop.c.
- debian/patches/CVE-2026-1489-2.patch: do not convert size_t to gint
in glib/guniprop.c.
- debian/patches/CVE-2026-1489-3.patch: ensure we do not overflow size
in glib/guniprop.c.
- debian/patches/CVE-2026-1489-4.patch: add test debug information when
parsing input files in glib/tests/unicode.c.
- CVE-2026-1489
-- Marc Deslauriers <[email protected]> Wed, 28 Jan 2026 12:53:07 -0500
glib2.0 (2.80.0-6ubuntu3.7) noble-security; urgency=medium
* SECURITY UPDATE: Integer overflow in g_buffered_input_stream_peek()
- debian/patches/CVE-2026-0988.patch: fix a potential integer overflow
in peek() in gio/gbufferedinputstream.c,
gio/tests/buffered-input-stream.c.
- CVE-2026-0988
-- Marc Deslauriers <[email protected]> Tue, 20 Jan 2026 08:08:27 -0500
libc-bin, libc6:amd64, libc6:i386 (built from glibc) updated from 2.39-0ubuntu8.6 to 2.39-0ubuntu8.7:
glibc (2.39-0ubuntu8.7) noble-security; urgency=medium
* SECURITY UPDATE: use-after-free in wordexp_t fields
- debian/patches/CVE-2025-15281.patch: posix: Reset wordexp_t fields
with WRDE_REUSE
- CVE-2025-15281
* SECURITY UPDATE: integer overflow in memalign
- debian/patches/CVE-2026-0861.patch: memalign: reinstate alignment
overflow check
- CVE-2026-0861
* SECURITY UPDATE: memory leak in NSS DNS
- debian/patches/CVE-2026-0915.patch: resolv: Fix NSS DNS backend for
getnetbyaddr
- CVE-2026-0915
-- Nishit Majithia <[email protected]> Fri, 30 Jan 2026 13:57:54 +0530
gpgv (built from gnupg2) updated from 2.4.4-2ubuntu17.3 to 2.4.4-2ubuntu17.4:
gnupg2 (2.4.4-2ubuntu17.4) noble-security; urgency=medium
* SECURITY UPDATE: Remote Code Execution
- debian/patches/CVE-2025-68973.patch: gpg: Fix possible memory
corruption in the armor parser.
- CVE-2025-68973
-- Allen Huang <[email protected]> Mon, 05 Jan 2026 22:01:39 +0000
libdrm-common, libdrm2:amd64 (built from libdrm) updated from 2.4.122-1~ubuntu0.24.04.2 to 2.4.125-1ubuntu0.1~24.04.1:
libdrm (2.4.125-1ubuntu0.1~24.04.1) noble; urgency=medium
* Backport to noble. (LP: #2126037)
- amdgpu-add-env-support-for-amdgpu-ids.patch dropped as it has
changed on the upstream merge request and hasn't landed yet
-- Timo Aaltonen <[email protected]> Fri, 07 Nov 2025 14:50:51 +0200
libdrm (2.4.125-1ubuntu0.1) questing; urgency=medium
* patches: Identify APUs from hardware (LP: #2127944)
-- Timo Aaltonen <[email protected]> Fri, 24 Oct 2025 17:43:46 +0300
libdrm (2.4.125-1) experimental; urgency=medium
[ Jianfeng Liu ]
* Enable build libdrm-intel1 for loong64. (Closes: #1107223)
[ Timo Aaltonen ]
* New upstream release.
* patches: Drop the upstreamed fix for xf86drm.
* symbols: Updated.
-- Timo Aaltonen <[email protected]> Wed, 25 Jun 2025 10:46:34 +0300
libdrm (2.4.124-2) unstable; urgency=medium
[ Daniel van Vugt ]
* Add xf86drm-Handle-NULL-in-drmCopyVersion.patch (LP: #2104352)
[ Bo YU ]
* Enable building libdrm-intel1 for riscv64 (Closes: #1085314)
-- Timo Aaltonen <[email protected]> Tue, 01 Apr 2025 11:08:19 +0300
libdrm (2.4.124-1) unstable; urgency=medium
* New upstream release.
* amdgpu-add-env-support-for-amdgpu-ids.patch: Add a patch to allow
using an env variable for amdgpu.ids path. (LP: #2100483)
-- Timo Aaltonen <[email protected]> Thu, 27 Feb 2025 14:57:25 +0200
libdrm (2.4.123-1) unstable; urgency=medium
* New upstream release.
* Add upstream metadata, drop old git url from d/watch.
* Update signing-key.asc.
-- Timo Aaltonen <[email protected]> Tue, 10 Sep 2024 11:03:50 +0300
libdrm (2.4.122-1) unstable; urgency=medium
* New upstream release. (Closes: #1059854)
* control: Migrate to pkgconf.
-- Timo Aaltonen <[email protected]> Thu, 01 Aug 2024 13:52:56 +0300
libpng16-16t64:amd64 (built from libpng1.6) updated from 1.6.43-5ubuntu0.1 to 1.6.43-5ubuntu0.4:
libpng1.6 (1.6.43-5ubuntu0.4) noble-security; urgency=medium
* SECURITY UPDATE: DoS via buffer overflow caused by memory leaks
- debian/patches/CVE-2025-2816x.patch: clean up on user/internal errors
in contrib/libtests/pngimage.c, pngerror.c.
- CVE-2025-28162
- CVE-2025-28164
-- Marc Deslauriers <[email protected]> Thu, 29 Jan 2026 11:18:41 -0500
libpng1.6 (1.6.43-5ubuntu0.3) noble-security; urgency=medium
* SECURITY UPDATE: OOB in png_image_read_composite
- debian/patches/CVE-2025-66293-1.patch: validate component size in
pngread.c.
- debian/patches/CVE-2025-66293-2.patch: improve fix in pngread.c.
- CVE-2025-66293
* SECURITY UPDATE: Heap buffer over-read in png_image_read_direct_scaled
- debian/patches/CVE-2026-22695.patch: fix memcpy size in pngread.c.
- CVE-2026-22695
* SECURITY UPDATE: Integer truncation causing heap buffer over-read
- debian/patches/CVE-2026-22801.patch: remove incorrect truncation
casts in CMakeLists.txt, contrib/libtests/pngstest.c, pngwrite.c,
tests/pngstest-large-stride.
- CVE-2026-22801
-- Marc Deslauriers <[email protected]> Mon, 12 Jan 2026 13:14:03 -0500
libtasn1-6:amd64 (built from libtasn1-6) updated from 4.19.0-3ubuntu0.24.04.1 to 4.19.0-3ubuntu0.24.04.2:
libtasn1-6 (4.19.0-3ubuntu0.24.04.2) noble-security; urgency=medium
* SECURITY UPDATE: Stack-based buffer overflow
- debian/patches/CVE-2025-13151.patch: fix asn1_expand_octet_string
buffer size in lib/decoding.c.
- CVE-2025-13151
-- Marc Deslauriers <[email protected]> Thu, 08 Jan 2026 12:24:41 -0500
libssl3t64:amd64, openssl (built from openssl) updated from 3.0.13-0ubuntu3.6 to 3.0.13-0ubuntu3.7:
openssl (3.0.13-0ubuntu3.7) noble-security; urgency=medium
* SECURITY UPDATE: Stack buffer overflow in CMS AuthEnvelopedData parsing
- debian/patches/CVE-2025-15467-1.patch: correct handling of
AEAD-encrypted CMS with inadmissibly long IV in crypto/evp/evp_lib.c.
- debian/patches/CVE-2025-15467-2.patch: some comments to clarify
functions usage in crypto/asn1/evp_asn1.c.
- debian/patches/CVE-2025-15467-3.patch: test for handling of
AEAD-encrypted CMS with inadmissibly long IV in test/cmsapitest.c,
test/recipes/80-test_cmsapi.t,
test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem.
- CVE-2025-15467
* SECURITY UPDATE: Heap out-of-bounds write in BIO_f_linebuffer on short
writes
- debian/patches/CVE-2025-68160.patch: fix heap buffer overflow in
BIO_f_linebuffer in crypto/bio/bf_lbuf.c.
- CVE-2025-68160
* SECURITY UPDATE: Unauthenticated/unencrypted trailing bytes with
low-level OCB function calls
- debian/patches/CVE-2025-69418.patch: fix OCB AES-NI/HW stream path
unauthenticated/unencrypted trailing bytes in crypto/modes/ocb128.c.
- CVE-2025-69418
* SECURITY UPDATE: Out of bounds write in PKCS12_get_friendlyname() UTF-8
conversion
- debian/patches/CVE-2025-69419.patch: check return code of UTF8_putc
in crypto/asn1/a_strex.c, crypto/pkcs12/p12_utl.c.
- CVE-2025-69419
* SECURITY UPDATE: Missing ASN1_TYPE validation in
TS_RESP_verify_response() function
- debian/patches/CVE-2025-69420.patch: verify ASN1 object's types
before attempting to access them as a particular type in
crypto/ts/ts_rsp_verify.c.
- CVE-2025-69420
* SECURITY UPDATE: NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex
- debian/patches/CVE-2025-69421.patch: add NULL check in
crypto/pkcs12/p12_decr.c.
- CVE-2025-69421
* SECURITY UPDATE: ASN1_TYPE missing validation and type confusion
- debian/patches/CVE-2026-2279x.patch: ensure ASN1 types are checked
before use in apps/s_client.c, crypto/pkcs12/p12_kiss.c,
crypto/pkcs7/pk7_doit.c.
- CVE-2026-22795
- CVE-2026-22796
-- Marc Deslauriers <[email protected]> Mon, 26 Jan 2026 07:31:31 -0500
python3-urllib3 (built from python-urllib3) updated from 2.0.7-1ubuntu0.3 to 2.0.7-1ubuntu0.6:
python-urllib3 (2.0.7-1ubuntu0.6) noble-security; urgency=medium
* SECURITY REGRESSION: Zstandard missing attribute after CVE-2025-66471 fix.
(LP: #2136906)
- debian/patches/CVE-2025-66471-fix2.patch: Fall back if "needs_input" is
not a zstd object attribute in src/urllib3/response.py.
-- Hlib Korzhynskyy <[email protected]> Tue, 13 Jan 2026 09:34:51 -0330
python-urllib3 (2.0.7-1ubuntu0.5) noble-security; urgency=medium
* SECURITY REGRESSION: Zstd issues after CVE-2025-66471 fix. (LP: #2136906)
- debian/patches/CVE-2025-66471-fix1.patch: Revert zstd fix due to not
being compatible with zstandard.
-- Hlib Korzhynskyy <[email protected]> Mon, 12 Jan 2026 17:27:22 -0330
python-urllib3 (2.0.7-1ubuntu0.4) noble-security; urgency=medium
* SECURITY UPDATE: Decompression bomb in HTTP redirect responses.
- debian/patches/CVE-2026-21441.patch: Add decode_content to self.read()
in src/urllib3/response.py. Add tests in
test/with_dummyserver/test_connectionpool.py and dummyserver/app.py.
- CVE-2026-21441
-- Hlib Korzhynskyy <[email protected]> Thu, 08 Jan 2026 15:36:38 -0330
libpython3.12-minimal:amd64, libpython3.12-stdlib:amd64, python3.12, python3.12-minimal (built from python3.12) updated from 3.12.3-1ubuntu0.9 to 3.12.3-1ubuntu0.11:
python3.12 (3.12.3-1ubuntu0.11) noble-security; urgency=medium
* SECURITY UPDATE: Header injection in email messages where addresses are not
sanitized.
- debian/patches/CVE-2025-11468.patch: Add escape parentheses and backslash
in Lib/email/_header_value_parser.py. Add test in
Lib/test/test_email/test__header_value_parser.py.
- CVE-2025-11468
* SECURITY UPDATE: Quadratic algorithm when building excessively nested XML
documents.
- debian/patches/CVE-2025-12084-*.patch: Remove _in_document and replace
with node.ownerDocument in Lib/xml/dom/minidom.py. Set self.ownerDocument
to None in Lib/xml/dom/minidom.py. Add test in Lib/test/test_minidom.py.
- CVE-2025-12084
* SECURITY UPDATE: OOM and denial of service when opening malicious plist
file.
- debian/patches/CVE-2025-13837.patch: Add _MIN_READ_BUF_SIZE and _read
with checks in Lib/plistlib.py. Add test in Lib/test/test_plistlib.py.
- CVE-2025-13837
* SECURITY UPDATE: Header injection in user controlled data URLs in urllib.
- debian/patches/CVE-2025-15282.patch: Add control character checks in
Lib/urllib/request.py. Add test in Lib/test/test_urllib.py.
* SECURITY UPDATE: Command injection through user controlled commands in
imaplib.
- debian/patches/CVE-2025-15366.patch: Add _control_chars and checks in
Lib/imaplib.py. Add test in Lib/test/test_imaplib.py.
* SECURITY UPDATE: Command injection through user controlled commands in
poplib.
- debian/patches/CVE-2025-15367.patch: Add control character regex check
in Lib/poplib.py. Add test in Lib/test/test_poplib.py.
- CVE-2025-15367
* SECURITY UPDATE: HTTP header injection in user controlled cookie values.
- debian/patches/CVE-2026-0672.patch: Add _control_characters_re and
checks in Lib/http/cookies.py. Add test in Lib/test/test_http_cookies.py.
- CVE-2026-0672
* SECURITY UPDATE: HTTP header injection in user controlled headers and
values with newlines.
- debian/patches/CVE-2026-0865.patch: Add _control_chars_re and check in
Lib/wsgiref/headers.py. Add test in Lib/test/support/__init__.py and
Lib/test/test_wsgiref.py.
- CVE-2026-0865
-- Hlib Korzhynskyy <[email protected]> Thu, 22 Jan 2026 17:27:42 -0330
python3.12 (3.12.3-1ubuntu0.10) noble-security; urgency=medium
* SECURITY UPDATE: HTTP Content-Length denial of service
- debian/patches/CVE-2025-13836.patch: Read large data in chunks with
geometric reads in Lib/http/client.py and add tests in
Lib/test/test_httplib.py
- CVE-2025-13836
-- Vyom Yadav <[email protected]> Thu, 08 Jan 2026 17:00:50 +0530
07/01/2026, commit https://github.com/canonical/core-base/tree/877c452311fe667019aaa475aae73b3e283b8f7b
[ Changes in the core24 snap ]
No detected changes for the core24 snap
[ Changes in primed packages ]
dhcpcd-base (built from dhcpcd) updated from 1:10.0.6-1ubuntu3.1 to 1:10.0.6-1ubuntu3.2:
dhcpcd (1:10.0.6-1ubuntu3.2) noble; urgency=medium
* Fix intermittent dumplease failures when parsing stdin (LP: #2131252)
- d/p/lp2131252-0-Force-dumplease-to-parse-stdin.patch
- d/p/lp2131252-1-Improve-and-document-prior.patch
-- Bryan Fraschetti <[email protected]> Thu, 13 Nov 2025 12:47:30 -0500
libglib2.0-0t64:amd64 (built from glib2.0) updated from 2.80.0-6ubuntu3.5 to 2.80.0-6ubuntu3.6:
glib2.0 (2.80.0-6ubuntu3.6) noble-security; urgency=medium
* SECURITY UPDATE: overflow via long invalid ISO 8601 timestamp
- debian/patches/CVE-2025-3360-1.patch: fix integer overflow when
parsing very long ISO8601 inputs in glib/gdatetime.c.
- debian/patches/CVE-2025-3360-2.patch: fix potential integer overflow
in timezone offset handling in glib/gdatetime.c.
- debian/patches/CVE-2025-3360-3.patch: track timezone length as an
unsigned size_t in glib/gdatetime.c.
- debian/patches/CVE-2025-3360-4.patch: factor out some string pointer
arithmetic in glib/gdatetime.c.
- debian/patches/CVE-2025-3360-5.patch: factor out an undersized
variable in glib/gdatetime.c.
- debian/patches/CVE-2025-3360-6.patch: add some missing GDateTime
ISO8601 parsing tests in glib/tests/gdatetime.c.
- CVE-2025-3360
* SECURITY UPDATE: GString overflow
- debian/patches/CVE-2025-6052.patch: fix overflow check when expanding
the string in glib/gstring.c.
- CVE-2025-6052
* SECURITY UPDATE: integer overflow in temp file creation
- debian/patches/CVE-2025-7039.patch: fix computation of temporary file
name in glib/gfileutils.c.
- CVE-2025-7039
* SECURITY UPDATE: heap overflow in g_escape_uri_string()
- debian/patches/CVE-2025-13601.patch: add overflow check in
glib/gconvert.c.
- CVE-2025-13601
* SECURITY UPDATE: buffer underflow through glib/gvariant
- debian/patches/CVE-2025-14087-1.patch: fix potential integer overflow
parsing (byte)strings in glib/gvariant-parser.c.
- debian/patches/CVE-2025-14087-2.patch: use size_t to count numbers of
child elements in glib/gvariant-parser.c.
- debian/patches/CVE-2025-14087-3.patch: convert error handling code to
use size_t in glib/gvariant-parser.c.
- CVE-2025-14087
* SECURITY UPDATE: integer overflow in gfileattribute
- debian/patches/gfileattribute-overflow.patch: add overflow check in
gio/gfileattribute.c.
- No CVE number
-- Marc Deslauriers <[email protected]> Wed, 10 Dec 2025 10:51:22 -0500
libpng16-16t64:amd64 (built from libpng1.6) updated from 1.6.43-5build1 to 1.6.43-5ubuntu0.1:
libpng1.6 (1.6.43-5ubuntu0.1) noble-security; urgency=medium
* SECURITY UPDATE: buffer overflow issue
- debian/patches/CVE-2025-64505.patch: Fix a buffer overflow in
png_do_quantize
- debian/patches/CVE-2025-64506.patch: Fix a heap buffer overflow in
png_write_image_8bit
- debian/patches/CVE-2025-64720.patch: Fix a buffer overflow in
png_init_read_transformations
- debian/patches/CVE-2025-65018.patch: Fix a heap buffer overflow in
png_image_finish_read
- CVE-2025-64505
- CVE-2025-64506
- CVE-2025-64720
- CVE-2025-65018
-- Nishit Majithia <[email protected]> Tue, 09 Dec 2025 17:36:48 +0530
python3-urllib3 (built from python-urllib3) updated from 2.0.7-1ubuntu0.2 to 2.0.7-1ubuntu0.3:
python-urllib3 (2.0.7-1ubuntu0.3) noble-security; urgency=medium
* SECURITY UPDATE: Denial of service due to unbounded decompression chain.
- debian/patches/CVE-2025-66418.patch: Add max_decode_links limit and
checks in src/urllib3/response.py. Add test in test/test_response.py.
- CVE-2025-66418
* SECURITY UPDATE: Denial of service due to decompression bomb.
- debian/patches/CVE-2025-66471.patch: Fix decompression bomb in
src/urllib3/response.py. Add tests in test/test_response.py.
- debian/patches/CVE-2025-66471-post1.patch: Remove brotli version warning
due to intrusive backport for brotli fixes and upstream version warning
not being appropriate for distro backporting.
- CVE-2025-66471
-- Hlib Korzhynskyy <[email protected]> Wed, 10 Dec 2025 15:56:11 -0330
libpam-systemd:amd64, libsystemd-shared:amd64, libsystemd0:amd64, libudev1:amd64, systemd, systemd-coredump, systemd-dev, systemd-resolved, systemd-sysv, systemd-timesyncd, udev (built from systemd) updated from 255.4-1ubuntu8.11 to 255.4-1ubuntu8.12:
systemd (255.4-1ubuntu8.12) noble; urgency=medium
* basic: validate timezones in get_timezones() (LP: #2125405)
* ukify: fix insertion of padding in merged sections (LP: #2132666)
* core: downgrade a log message from warning to debug (LP: #2130554)
* test: skip testcase_multipath_basic_failover.
This test has been failing on Ubuntu infrastructure for a long time.
Leaving this alone at the moment allows other failures to potentially go
unnoticed, because the migration reference baseline has been reset to
fail. Skip the test to try and reset the baseline to pass.
* d/gbp.conf: stop using wrap_cl.py
-- Nick Rosbrook <[email protected]> Tue, 25 Nov 2025 13:16:31 -0500
bsdutils, fdisk, libblkid1:amd64, libfdisk1:amd64, libmount1:amd64, libsmartcols1:amd64, libuuid1:amd64, mount, rfkill, util-linux (built from util-linux) updated from 1:2.39.3-9ubuntu6.3 to 1:2.39.3-9ubuntu6.4:
10/12/2025, commit https://github.com/canonical/core-base/tree/877c452311fe667019aaa475aae73b3e283b8f7b
[ Changes in the core24 snap ]
Alfonso Sánchez-Beato (1):
static: do not scan loop and mmc boot partitions
Philip Meulengracht (3):
tmpfiles.d: ignore snaps private tmp folder when cleaning /tmp
hooks: switch to ubuntu-advantage (#382)
static: add snapd.conf from the snapd debian, remove the other one (#384)
[ Changes in primed packages ]
apparmor, libapparmor1:amd64 (built from apparmor) updated from 4.0.1really4.0.1-0ubuntu0.24.04.4 to 4.0.1really4.0.1-0ubuntu0.24.04.5:
apparmor (4.0.1really4.0.1-0ubuntu0.24.04.5) noble; urgency=medium
* profiles: make /sys/devices PCI paths hex-aware (LP: #2115234)
-- Keifer Snedeker <[email protected]> Fri, 15 Aug 2025 13:16:02 +0100
libglib2.0-0t64:amd64 (built from glib2.0) updated from 2.80.0-6ubuntu3.4 to 2.80.0-6ubuntu3.5:
glib2.0 (2.80.0-6ubuntu3.5) noble; urgency=medium
* debian: Update VCS references to ubuntu/noble branch
* debian/patches: Fix a crash on arg0 matching.
This is causing a crash in tracker if the battery charging state changes
while tracker is indexing files, as tracker-extract-3 will try to emit
property changes with a NULL arg0. (LP: #2119581)
-- Marco Trevisan (Treviño) <[email protected]> Tue, 04 Nov 2025 16:05:02 +0100
libdrm-common, libdrm2:amd64 (built from libdrm) updated from 2.4.122-1~ubuntu0.24.04.1 to 2.4.122-1~ubuntu0.24.04.2:
libdrm (2.4.122-1~ubuntu0.24.04.2) noble; urgency=medium
* patches: Identify APUs from hardware (LP: #2127944)
-- Timo Aaltonen <[email protected]> Fri, 24 Oct 2025 17:48:33 +0300
libnetplan1:amd64, netplan-generator, netplan.io, python3-netplan (built from netplan.io) updated from 1.1.2-2~ubuntu24.04.2 to 1.1.2-8ubuntu1~24.04.1:
netplan.io (1.1.2-8ubuntu1~24.04.1) noble; urgency=medium
* Backport netplan.io 1.1.2-8ubuntu1 (LP: #2127195)
- Allows non standard OVS setups (e.g. OVS from snap)
- Test improvements, especially for slower architectures such as riscv64
- d/t/cloud-init.sh: Adopt for actually generated files instead of dummies
- d/control: use dbus-daemon instead of dbus-x11 for build-time tests and
suggests systemd-resolved
* SRU compatibility
- d/gbp.conf: Update for Noble
- d/libnetplan1.symbols: keep it at the original version
- d/p/series: Keep d/p/sru-compat/* patches
- d/p/series: Drop wait-online-dns* which is incompatible with systemd v255
+ d/control: Keep systemd dependency at v248
-- Lukas Märdian <[email protected]> Tue, 25 Nov 2025 12:45:14 +0100
libpython3-stdlib:amd64, python3, python3-minimal (built from python3-defaults) updated from 3.12.3-0ubuntu2 to 3.12.3-0ubuntu2.1:
python3-defaults (3.12.3-0ubuntu2.1) noble-security; urgency=medium
* No-change rebuild into -security to fix dep issues (LP: #2127093)
-- Marc Deslauriers <[email protected]> Wed, 12 Nov 2025 07:15:44 -0500
libpython3.12-minimal:amd64, libpython3.12-stdlib:amd64, python3.12, python3.12-minimal (built from python3.12) updated from 3.12.3-1ubuntu0.8 to 3.12.3-1ubuntu0.9:
python3.12 (3.12.3-1ubuntu0.9) noble-security; urgency=medium
* SECURITY UPDATE: Possible payload obfuscation
- debian/patches/CVE-2025-8291.patch: check consistency of
the zip64 end of central dir record in Lib/zipfile.py,
Lib/test/test_zipfile.py.
- CVE-2025-8291
* SECURITY UPDATE: Performance degradation
- debian/patches/CVE-2025-6075.patch: fix quadratic complexity
in os.path.expandvars() in Lib/ntpatch.py, Lib/posixpath.py,
Lib/test/test_genericpatch.py, Lib/test/test_npath.py.
- CVE-2025-6075
-- Leonidas Da Silva Barbosa <[email protected]> Thu, 06 Nov 2025 10:44:16 -0300
26/10/2025, commit https://github.com/canonical/core-base/tree/230d59e9c36891b95fbb3a47a8b25563e0b9ae17
[ Changes in the core24 snap ]
Alfonso Sánchez-Beato (1):
hooks: update nvidia driver version
[ Changes in primed packages ]
distro-info-data (built from distro-info-data) updated from 0.60ubuntu0.3 to 0.60ubuntu0.5:
distro-info-data (0.60ubuntu0.5) noble; urgency=medium
* ubuntu.csv: remove eol-legacy field from resolute
This version of distro-info does not know about eol-legacy.
-- Nick Rosbrook <[email protected]> Fri, 10 Oct 2025 12:02:16 -0400
distro-info-data (0.60ubuntu0.4) noble; urgency=medium
* Add Ubuntu 26.04 LTS "Resolute Raccoon" (LP: #2126961)
* Correct date for forky
* Correct estimation for trixie ELTS EoL to 10 years total support.
* Update the bookworm EoL
-- Florent 'Skia' Jacquet <[email protected]> Fri, 10 Oct 2025 11:31:14 +0100
09/10/2025, commit https://github.com/canonical/core-base/tree/3667c3306e20cafd7ee36075b3fb317f05fbec00
[ Changes in the core24 snap ]
No detected changes for the core24 snap
[ Changes in primed packages ]
libpam-systemd:amd64, libsystemd-shared:amd64, libsystemd0:amd64, libudev1:amd64, systemd, systemd-coredump, systemd-dev, systemd-resolved, systemd-sysv, systemd-timesyncd, udev (built from systemd) updated from 255.4-1ubuntu8.10 to 255.4-1ubuntu8.11:
systemd (255.4-1ubuntu8.11) noble; urgency=medium
[ Nick Rosbrook ]
* initramfs-tools: copy hwdb.bin to initramfs (LP: #2112237)
* d/t/tests-in-lxd: drop patching workaround (LP: #2115263)
- d/t/control: add Depends: dnsmasq-base
(Revealed by test progressing past previous failure)
* initramfs-tools: filter out zdev rules in the initramfs hook (LP: #2044104)
Backport the logic from plucky onward, but adjust the version string for
noble.
* test: fall back to SYSLOG_IDENTIFIER= matching in TEST-75-RESOLVED
Partially backport the test fix from 49a954b08654dd06bab71224a2398a65c2555549,
only targeting TEST-75-RESOLVED.
[ Matthew Ruffell ]
* pcrlock: handle measurement logs where hash algs in header.
Fix pcrlock log to function correctly reading the TPM eventlog on hyper-v VMs
(LP: #2115391)
[ Chengen Du ]
* network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist
(LP: #2115418)
[ Mario Limonciello ]
* Drop support for using actual brightness (LP: #2110585)
-- Nick Rosbrook <[email protected]> Fri, 11 Jul 2025 14:52:59 -0400
wpasupplicant (built from wpa) updated from 2:2.10-21ubuntu0.2 to 2:2.10-21ubuntu0.3:
wpa (2:2.10-21ubuntu0.3) noble; urgency=medium
* Bump DEFAULT_BSS_MAX_COUNT to 1000 (LP: #2117180)
-- Mitchell Augustin <[email protected]> Mon, 21 Jul 2025 18:13:31 -0500
01/10/2025, commit https://github.com/canonical/core-base/tree/3667c3306e20cafd7ee36075b3fb317f05fbec00
[ Changes in the core24 snap ]
No detected changes for the core24 snap
[ Changes in primed packages ]
cloud-init (built from cloud-init) updated from 25.1.4-0ubuntu0~24.04.1 to 25.2-0ubuntu1~24.04.1:
cloud-init (25.2-0ubuntu1~24.04.1) noble; urgency=medium
* add d/p/strip-invalid-mtu.patch
- Provides backwards compatibility for an otherwise invalid
MTU in a netplan config. (GH-6239)
* d/cloud-init.templates:
- Move VMware before OVF. See GH-4030
- Enable CloudCIX by default
* refresh patches:
- d/p/no-single-process.patch
* Upstream snapshot based on 25.2. (LP: #2120495).
List of changes from upstream can be found at
https://raw.githubusercontent.com/canonical/cloud-init/25.2/ChangeLog
-- James Falcon <[email protected]> Tue, 12 Aug 2025 16:19:32 -0500
coreutils (built from coreutils) updated from 9.4-3ubuntu6 to 9.4-3ubuntu6.1:
coreutils (9.4-3ubuntu6.1) noble; urgency=medium
* d/p/suppress-permission-denied-errors-on-nfs.patch:
- Avoid returning permission denied errors when running ls -l when reading
file attributes. (LP: #2115274)
-- Ghadi Elie Rahme <[email protected]> Sun, 22 Jun 2025 16:21:39 +0000
dpkg (built from dpkg) updated from 1.22.6ubuntu6.1 to 1.22.6ubuntu6.5:
dpkg (1.22.6ubuntu6.5) noble-security; urgency=medium
[ Joy Latten ]
* SECURITY UPDATE:
- Fix cleanup for control member with restricted directories. LP: #2122053
- Fixes CVE-2025-6297
-- Serge Hallyn <[email protected]> Thu, 18 Sep 2025 12:43:59 -0500
dpkg (1.22.6ubuntu6.2) noble; urgency=medium
[ Zixing Liu ]
* Add RUSTFLAGS to define frame pointers for Rust toolchain (LP: #2082636).
* Replaces mainline version number 1.22.6ubuntu12 with 1.22.6ubuntu6.2 in
the documentation to avoid confusion with backported version.
[ Benjamin Drung ]
* buildflags: document RUSTFLAGS
* buildflags: Always set RUSTFLAGS
-- Zixing Liu <[email protected]> Thu, 26 Sep 2024 13:14:01 -0600
libc-bin, libc6:amd64, libc6:i386 (built from glibc) updated from 2.39-0ubuntu8.5 to 2.39-0ubuntu8.6:
glibc (2.39-0ubuntu8.6) noble-security; urgency=medium
* SECURITY UPDATE: double-free in regcomp function
- debian/patches/any/CVE-2025-8058.patch: fix double-free after
allocation failure in regcomp in posix/Makefile, posix/regcomp.c,
posix/tst-regcomp-bracket-free.c.
- CVE-2025-8058
-- Marc Deslauriers <[email protected]> Wed, 17 Sep 2025 10:55:42 -0400
openssh-client, openssh-server, openssh-sftp-server (built from openssh) updated from 1:9.6p1-3ubuntu13.13 to 1:9.6p1-3ubuntu13.14:
openssh (1:9.6p1-3ubuntu13.14) noble; urgency=medium
* d/p/systemd-socket-activation.patch: allow AF_VSOCK sockets (LP: #2111226)
-- Nick Rosbrook <[email protected]> Tue, 26 Aug 2025 09:49:17 -0400
libssl3t64:amd64, openssl (built from openssl) updated from 3.0.13-0ubuntu3.5 to 3.0.13-0ubuntu3.6:
openssl (3.0.13-0ubuntu3.6) noble-security; urgency=medium
* SECURITY UPDATE: Out-of-bounds read & write in RFC 3211 KEK Unwrap
- debian/patches/CVE-2025-9230.patch: fix incorrect check of unwrapped
key size in crypto/cms/cms_pwri.c.
- CVE-2025-9230
-- Marc Deslauriers <[email protected]> Thu, 18 Sep 2025 07:12:48 -0400
libpam-modules-bin, libpam-modules:amd64, libpam-runtime, libpam0g:amd64 (built from pam) updated from 1.5.3-5ubuntu5.4 to 1.5.3-5ubuntu5.5:
pam (1.5.3-5ubuntu5.5) noble-security; urgency=medium
* SECURITY UPDATE: pam_access hostname confusion
- debian/patches/CVE-2024-10963.patch: add "nodns" option to disallow
resolving of tokens as hostname in
modules/pam_access/access.conf.5.xml,
modules/pam_access/pam_access.8.xml,
modules/pam_access/pam_access.c.
- CVE-2024-10963
-- Marc Deslauriers <[email protected]> Mon, 15 Sep 2025 08:37:15 -0400
libsqlite3-0:amd64 (built from sqlite3) updated from 3.45.1-1ubuntu2.4 to 3.45.1-1ubuntu2.5:
sqlite3 (3.45.1-1ubuntu2.5) noble-security; urgency=medium
* SECURITY UPDATE: integer overflow in FTS5 extension
- debian/patches/CVE-2025-7709.patch: optimize allocation of large
tombstone arrays in fts5 in ext/fts5/fts5_index.c.
- CVE-2025-7709
-- Marc Deslauriers <[email protected]> Thu, 11 Sep 2025 14:06:42 -0400
vim-common, vim-tiny (built from vim) updated from 2:9.1.0016-1ubuntu7.8 to 2:9.1.0016-1ubuntu7.9:
vim (2:9.1.0016-1ubuntu7.9) noble-security; urgency=medium
* SECURITY UPDATE: Path traversal when opening specially crafted tar/zip
archives.
- debian/patches/CVE-2025-53905.patch: remove leading slashes from name,
replace tar_secure with g:tar_secure in runtime/autoload/tar.vim.
- debian/patches/CVE-2025-53906.patch: Add need_rename, replace w! with w,
call warning for path traversal attack, and escape leading "../" in
runtime/autoload/zip.vim.
- CVE-2025-53905
- CVE-2025-53906
-- Hlib Korzhynskyy <[email protected]> Fri, 05 Sep 2025 17:14:46 -0230
29/08/2025, commit https://github.com/canonical/core-base/tree/3667c3306e20cafd7ee36075b3fb317f05fbec00
[ Changes in the core24 snap ]
Alfonso Sánchez-Beato (4):
.github/workflows/release-manual.yaml: remove scheduled builds
get-version.sh: filter by _$branch suffix when looking at tags
hooks/001-extra-packages.chroot: add back libtirpc3t64
snapcraft.yaml: move to 24.04.3 base
Valentin David (2):
spread.yaml: Sync google-nested-arm with snapd
static: copy udev disk rules from core-initrd
[ Changes in primed packages ]
base-files (built from base-files) updated from 13ubuntu10.2 to 13ubuntu10.3:
base-files (13ubuntu10.3) noble; urgency=medium
* /etc/issue{,.net}, /etc/{lsb,os}-release: bump version to 24.04.3
(LP: #2119314)
-- Ural Tunaboyu <[email protected]> Fri, 01 Aug 2025 07:21:11 -0700
cloud-init (built from cloud-init) updated from 25.1.2-0ubuntu0~24.04.1 to 25.1.4-0ubuntu0~24.04.1:
cloud-init (25.1.4-0ubuntu0~24.04.1) noble-security; urgency=medium
* Upstream snapshot based on 25.1.4.
List of changes from upstream can be found at
https://raw.githubusercontent.com/canonical/cloud-init/25.1.4/ChangeLog
- Bugs fixed in this snapshot:
+ fix: disable cloud-init when non-x86 environments have no DMI-data
and no strict datasources detected (LP: #2069607) (CVE-2024-6174)
-- Chad Smith <[email protected]> Tue, 24 Jun 2025 15:14:03 -0600
cloud-init (25.1.3-0ubuntu0~24.04.1) noble-security; urgency=medium
* d/cloud-init-base.postinst: move existing hotplug-cmd fifo to root-only
share dir (CVE-2024-11584)
* Upstream security bugfix release based on 25.1.3.
List of changes from upstream can be found at
https://raw.githubusercontent.com/canonical/cloud-init/25.1.3/ChangeLog
- Bugs fixed in this snapshot:
- security: make hotplug socket only writable by root (LP: #2114229)
(CVE-2024-11584)
- security: make ds-identify behavior strict datasource discovery on
non-x86 platforms without DMI data (LP: #2069607) (CVE-2024-6174)
-- Chad Smith <[email protected]> Thu, 12 Jun 2025 20:24:45 -0600
iproute2 (built from iproute2) updated from 6.1.0-1ubuntu6 to 6.1.0-1ubuntu6.2:
iproute2 (6.1.0-1ubuntu6.2) noble; urgency=medium
* Do not use stdout to print info about default fan map usage (LP: #2115790)
- d/p/1003-ubuntu-poc-fan-dynamic-map.patch
-- Stefan Bader <[email protected]> Thu, 10 Jul 2025 16:46:54 +0200
iproute2 (6.1.0-1ubuntu6.1) noble; urgency=medium
* Expose IFLA_VXLAN_FAN_MAP version via sysctl/proc (LP: #2106115)
- d/p/1003-ubuntu-poc-fan-dynamic-map.patch
-- Stefan Bader <[email protected]> Thu, 26 Jun 2025 16:35:31 +0200
libpython3.12-minimal:amd64, libpython3.12-stdlib:amd64, python3.12, python3.12-minimal (built from python3.12) updated from 3.12.3-1ubuntu0.7 to 3.12.3-1ubuntu0.8:
python3.12 (3.12.3-1ubuntu0.8) noble-security; urgency=medium
* SECURITY UPDATE: Regular expression denial of service.
- debian/patches/CVE-2025-6069.patch: Improve regex parsing in
Lib/html/parser.py.
- CVE-2025-6069
* SECURITY UPDATE: Infinite loop when parsing tar archives.
- debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in
Lib/tarfile.py.
- CVE-2025-8194
-- Hlib Korzhynskyy <[email protected]> Thu, 14 Aug 2025 15:17:21 -0230
29/07/2025, commit https://github.com/canonical/core-base/tree/e164b892c0535598c3712caa2ecdea0667dfdfc7
[ Changes in the core24 snap ]
Alfonso Sánchez-Beato (11):
snapcraft.yaml: set version from date tag if present
.github/workflows/release.yaml: add release job
.github/workflows/release.yaml: run rebuild base job each day
.github/workflows/tests.yaml: fix runners filtering
.github/workflows/release.yaml: fix typo
static/secureboot-db.service: check mode by looking at modeenv
static: check mode by looking at modeenv in several services
tests: prepare for installation from initramfs
.github/workflows: we do not need spread-arm anymore
.github/workflows: add manual release job, remove old release one
.github/workflows/release-manual: fix typo
Philip Meulengracht (1):
tools: aggregate old changelogs
[ Changes in primed packages ]
libc-bin, libc6:amd64, libc6:i386 (built from glibc) updated from 2.39-0ubuntu8.4 to 2.39-0ubuntu8.5:
glibc (2.39-0ubuntu8.5) noble-security; urgency=medium
* SECURITY UPDATE: insecure power10 strcmp implementation
- debian/patches/any/CVE-2025-5702.patch: remove power10 optimized
strcmp.
- CVE-2025-5702
* Moved other security patches to debian/patches/any.
-- Marc Deslauriers <[email protected]> Wed, 09 Jul 2025 12:47:47 -0400
gpgv (built from gnupg2) updated from 2.4.4-2ubuntu17.2 to 2.4.4-2ubuntu17.3:
gnupg2 (2.4.4-2ubuntu17.3) noble-security; urgency=medium
* debian/patches/fix-key-validity-regression-due-to-CVE-2025-
30258.patch:
- Fix a key validity regression following patches for CVE-2025-30258,
causing trusted "certify-only" primary keys to be ignored when checking
signature on user IDs and computing key validity. This regression makes
imported keys signed by a trusted "certify-only" key have an unknown
validity (LP: #2114775).
-- dcpi <dcpi@u22vm> Thu, 26 Jun 2025 13:17:22 +0000
gnutls-bin, libgnutls-dane0t64:amd64, libgnutls30t64:amd64 (built from gnutls28) updated from 3.8.3-1.1ubuntu3.3 to 3.8.3-1.1ubuntu3.4:
gnutls28 (3.8.3-1.1ubuntu3.4) noble-security; urgency=medium
* SECURITY UPDATE: double-free via otherName in the SAN
- debian/patches/CVE-2025-32988.patch: avoid double free when exporting
othernames in SAN in lib/x509/extensions.c.
- CVE-2025-32988
* SECURITY UPDATE: OOB read via malformed length field in SCT extension
- debian/patches/CVE-2025-32989.patch: fix read buffer overrun in SCT
timestamps in lib/x509/x509_ext.c.
- CVE-2025-32989
* SECURITY UPDATE: heap write overflow in certtool via invalid template
- debian/patches/CVE-2025-32990.patch: avoid 1-byte write buffer
overrun when parsing template in src/certtool-cfg.c,
tests/cert-tests/Makefile.am, tests/cert-tests/template-test.sh,
tests/cert-tests/templates/template-too-many-othernames.tmpl.
- CVE-2025-32990
* SECURITY UPDATE: NULL deref via missing PSK in TLS 1.3 handshake
- debian/patches/CVE-2025-6395.patch: clear HSK_PSK_SELECTED when
resetting binders in lib/handshake.c, lib/state.c, tests/Makefile.am,
tests/tls13/hello_retry_request_psk.c.
- CVE-2025-6395
-- Marc Deslauriers <[email protected]> Fri, 11 Jul 2025 08:58:05 -0400
gzip (built from gzip) updated from 1.12-1ubuntu3 to 1.12-1ubuntu3.1:
gzip (1.12-1ubuntu3.1) noble; urgency=medium
* d/p/0001-maint-fix-s390-buffer-flushes.patch: align the behavior of
dfltcc_inflate to do the same as gzip_inflate when it hits a premature EOF
(LP: #2083700)
-- Andreas Hasenack <[email protected]> Mon, 27 Jan 2025 13:56:44 -0300
iputils-ping (built from iputils) updated from 3:20240117-1build1 to 3:20240117-1ubuntu0.1:
iputils (3:20240117-1ubuntu0.1) noble-security; urgency=medium
* SECURITY UPDATE: DoS via crafted ICMP Echo Reply packet
- debian/patches/CVE-2025-47268: fix signed 64-bit integer overflow in
RTT calculation in iputils_common.h, ping/ping_common.c.
- debian/patches/CVE-2025-48964.patch: fix moving average rtt
calculation in iputils_common.h, ping/ping.h, ping/ping_common.c.
- CVE-2025-47268
- CVE-2025-48964
-- Marc Deslauriers <[email protected]> Thu, 24 Jul 2025 07:51:16 -0400
libpciaccess0:amd64 (built from libpciaccess) updated from 0.17-3build1 to 0.17-3ubuntu0.24.04.2:
libpciaccess (0.17-3ubuntu0.24.04.2) noble; urgency=medium
* Revert to 0.17-3build1 since the previous update appears to cause
inability to log in to the desktop on some systems (LP: #2115574)
-- Jeremy Bícha <[email protected]> Mon, 30 Jun 2025 11:55:17 -0400
libpciaccess (0.17-3ubuntu0.24.04.1) noble; urgency=medium
* AMD platform A + N config selected wrong primary GPU in Xorg (LP: #2111684)
d/p/0001-linux_sysfs-Identify-boot_vga-by-acpi-companion-hid.patch
-- Kai-Chuan Hsieh <[email protected]> Tue, 03 Jun 2025 17:23:44 +0800
libnetplan1:amd64, netplan-generator, netplan.io, python3-netplan (built from netplan.io) updated from 1.1.2-2~ubuntu24.04.1 to 1.1.2-2~ubuntu24.04.2:
netplan.io (1.1.2-2~ubuntu24.04.2) noble; urgency=medium
* Add integration tests for `netplan try`
- d/p/lp2083029/0007-tests-integration-netplan-try.patch
* Fix networkd file permissions during `netplan try` restore (LP: #2083029)
- d/p/lp2083029/0008-cli-ConfigManager-must-copy-file-ownership.patch
* Prevent netplan-generate from running during `netplan try` (LP: #2083029)
- d/p/lp2083029/0009-generate-Don-t-run-during-netplan-try.patch
-- Wesley Hershberger <[email protected]> Thu, 17 Apr 2025 10:46:08 -0500
openssh-client, openssh-server, openssh-sftp-server (built from openssh) updated from 1:9.6p1-3ubuntu13.12 to 1:9.6p1-3ubuntu13.13:
openssh (1:9.6p1-3ubuntu13.13) noble; urgency=medium
* Explicitly listen on IPv4 by default, with socket-activated sshd
(LP: #2080216)
- d/systemd/ssh.socket: explicitly listen on ipv4 by default
- d/t/sshd-socket-generator: update for new defaults and AddressFamily
- sshd-socket-generator: handle new ssh.socket default settings
-- Nick Rosbrook <[email protected]> Mon, 09 Jun 2025 13:22:39 -0400
python3-urllib3 (built from python-urllib3) updated from 2.0.7-1ubuntu0.1 to 2.0.7-1ubuntu0.2:
python-urllib3 (2.0.7-1ubuntu0.2) noble-security; urgency=medium
* SECURITY UPDATE: Information disclosure through improperly disabled
redirects.
- debian/patches/CVE-2025-50181.patch: Add "retries" check and set retries
to Retry.from_int(retries, redirect=False) as well as set
raise_on_redirect in ./src/urllib3/poolmanager.py.
- CVE-2025-50181
-- Hlib Korzhynskyy <[email protected]> Mon, 23 Jun 2025 16:34:35 -0230
libpython3.12-minimal:amd64, libpython3.12-stdlib:amd64, python3.12, python3.12-minimal (built from python3.12) updated from 3.12.3-1ubuntu0.6 to 3.12.3-1ubuntu0.7:
python3.12 (3.12.3-1ubuntu0.7) noble-security; urgency=medium
* SECURITY UPDATE: Arbitrary filesystem and metadata write through improper
tar filtering.
- debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in
./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter
to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and
unfiltered to ./Lib/tarfile.py. Modify tests.
- CVE-2024-12718
- CVE-2025-4138
- CVE-2025-4330
- CVE-2025-4435
- CVE-2025-4517
-- Hlib Korzhynskyy <[email protected]> Wed, 18 Jun 2025 15:29:45 -0230
libsqlite3-0:amd64 (built from sqlite3) updated from 3.45.1-1ubuntu2.3 to 3.45.1-1ubuntu2.4:
sqlite3 (3.45.1-1ubuntu2.4) noble-security; urgency=medium
* SECURITY UPDATE: Memory corruption via number of aggregate terms
- debian/patches/CVE-2025-6965.patch: raise an error right away if the
number of aggregate terms in a query exceeds the maximum number of
columns in src/expr.c, src/sqliteInt.h.
- CVE-2025-6965
-- Marc Deslauriers <[email protected]> Fri, 18 Jul 2025 10:56:16 -0400
sudo (built from sudo) updated from 1.9.15p5-3ubuntu5 to 1.9.15p5-3ubuntu5.24.04.1:
sudo (1.9.15p5-3ubuntu5.24.04.1) noble-security; urgency=medium
* SECURITY UPDATE: Local Privilege Escalation via host option
- debian/patches/CVE-2025-32462.patch: only allow specifying a host
when listing privileges.
- CVE-2025-32462
* SECURITY UPDATE: Local Privilege Escalation via chroot option
- debian/patches/CVE-2025-32463.patch: remove user-selected root
directory chroot option.
- CVE-2025-32463
-- Marc Deslauriers <[email protected]> Wed, 25 Jun 2025 08:42:53 -0400
libpam-systemd:amd64, libsystemd-shared:amd64, libsystemd0:amd64, libudev1:amd64, systemd, systemd-coredump, systemd-dev, systemd-resolved, systemd-sysv, systemd-timesyncd, udev (built from systemd) updated from 255.4-1ubuntu8.8 to 255.4-1ubuntu8.10:
systemd (255.4-1ubuntu8.10) noble; urgency=medium
* Fix regression in networkctl caused by previous upload:
A regression was introduced due to an incorrect manager reference being passed to
manager_get_route_table_to_string() within route_append_json(), resulting in an
error when executing the `networkctl --json=pretty` command.
> networkctl --json=pretty
Failed to get description: Message recipient disconnected from message bus without replying
-- Chengen Du <[email protected]> Wed, 02 Jul 2025 10:04:32 -0400
systemd (255.4-1ubuntu8.9) noble; urgency=medium
* Preserve IPv6 configurations when `KeepConfiguration=dhcp-on-stop` is set
(LP: #2098183)
- d/p/lp2098183/0001-network-use-json_variant_append_arrayb.patch
- d/p/lp2098183/0002-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch
- d/p/lp2098183/0003-json-add-macro-for-automatically-defining-a-dispatch.patch
- d/p/lp2098183/0004-json-introduce-json_dispatch_byte_array_iovec-and-js.patch
- d/p/lp2098183/0005-json-introduce-json_dispatch_int8-and-json_dispatch_.patch
- d/p/lp2098183/0006-json-extend-JsonDispatch-flags-with-nullable-and-ref.patch
- d/p/lp2098183/0007-json-util-generalize-json_dispatch_ifindex.patch
- d/p/lp2098183/0008-daemon-util-expose-notify_push_fd.patch
- d/p/lp2098183/0009-network-json-add-missing-entries-for-route-propertie.patch
- d/p/lp2098183/0010-network-introduce-network_config_source_from_string.patch
- d/p/lp2098183/0011-network-expose-log_route_debug-and-log_address_debug.patch
- d/p/lp2098183/0012-network-introduce-manager_serialize-deserialize.patch
- d/p/lp2098183/0013-network-keep-all-dynamically-acquired-configurations.patch
-- Chengen Du <[email protected]> Mon, 09 Jun 2025 13:44:06 -0400
bsdutils, fdisk, libblkid1:amd64, libfdisk1:amd64, libmount1:amd64, libsmartcols1:amd64, libuuid1:amd64, mount, rfkill, util-linux (built from util-linux) updated from 1:2.39.3-9ubuntu6.2 to 1:2.39.3-9ubuntu6.3:
18/06/2025, commit https://git.launchpad.net/snap-core24/tree/f9ca904d1e47c062780620e0060063d8a54646dd
[ Changes in the core24 snap ]
Alfonso Sánchez-Beato (1):
.github,tests: do not rebuild base for each test
[ Changes in primed packages ]
libapt-pkg6.0t64:amd64 (built from apt) updated from 2.7.14build2 to 2.8.3:
apt (2.8.3) noble; urgency=medium
* Revert increased key size requirements from 2.8.0-2.8.2 (LP: #2073126)
- Revert "Only install 00-temporary-rsa1024 for >=2.7.6 and improve comment"
- Revert "Only warn about <rsa2048 when upgrading from 2.7.x to 2.8.x"
- Revert rsa1024 to warnings again
This leaves the mechanisms in place and no longer warns about NIST curves.
* Fix keeping back removals of obsolete packages; and return an error if
ResolveByKeep() is unsuccessful (LP: #2078720)
* Fix buffer overflow, stack overflow, exponential complexity in
apt-ftparchive Contents generation (LP: #2083697)
- ftparchive: Mystrdup: Add safety check and bump buffer size
- ftparchive: contents: Avoid exponential complexity and overflows
- test framework: Improve valgrind support
- test: Check that apt-ftparchive handles deep paths
- Workaround valgrind "invalid read" in ExtractTar::Go by moving large
buffer from stack to heap. The large buffer triggered some bugs in
valgrind stack clash protection handling.
-- Julian Andres Klode <[email protected]> Tue, 22 Oct 2024 15:02:22 +0200
apt (2.8.2) noble; urgency=medium
* Only install 00-temporary-rsa1024 for >=2.7.6 and improve comment
(follow-up for LP: #2073126)
-- Julian Andres Klode <[email protected]> Tue, 13 Aug 2024 16:47:13 +0200
apt (2.8.1) noble; urgency=medium
* Only revoke weak RSA keys for now, add 'next' and 'future' levels
(backported from 2.9.7)
Note that the changes to warn about keys not matching the future level
in the --audit level are not fully included, as the --audit feature
has not yet been backported. (LP: #2073126)
* Introduce further mitigation on upgrades from 2.7.x to allow these
systems to continue using rsa1024 repositories with warnings
until the 24.04.2 point release (LP: #2073126)
-- Julian Andres Klode <[email protected]> Tue, 30 Jul 2024 17:12:00 +0900
apt (2.8.0) noble; urgency=medium
[ Julian Andres Klode ]
* Revert "Temporarily downgrade key assertions to "soon worthless""
We temporarily downgraded the errors to warnings to give the
launchpad PPAs time to be fixed, but warnings are not safe:
Untrusted keys could be hiding on your system, but just not
used at the moment. Hence revert this so we get the errors we
want. (LP: #2060721)
* Branch off the stable 2.8.y branch for noble:
- CI: Test in ubuntu:noble images for 2.8.y
- debian/gbp.conf: Point at the 2.8.y branch
[ David Kalnischkies ]
* Test suite fixes:
- Avoid subshell hiding failure report from testfilestats
- Ignore umask of leftover diff_Index in failed pdiff test
* Documentation translation fixes:
- Fix and unfuzzy previous VCG/Graphviz URI change
-- Julian Andres Klode <[email protected]> Tue, 16 Apr 2024 16:59:14 +0200
cloud-init (built from cloud-init) updated from 24.4.1-0ubuntu0~24.04.3 to 25.1.2-0ubuntu0~24.04.1:
cloud-init (25.1.2-0ubuntu0~24.04.1) noble; urgency=medium
* Upstream snapshot based on 25.1.2. (LP: #2104165).
List of changes from upstream can be found at
https://raw.githubusercontent.com/canonical/cloud-init/25.1.2/ChangeLog
-- James Falcon <[email protected]> Mon, 19 May 2025 15:00:58 -0500
cloud-init (25.1.1-0ubuntu1~24.04.1) noble; urgency=medium
* Drop cpicks which are now upstream:
- cpick-d75840be-fix-retry-AWS-hotplug-for-async-IMDS-5995
- cpick-84806336-chore-Add-feature-flag-for-manual-network-waiting
- d/p/cpick-c60771d8-test-pytestify-test_url_helper.py
- d/p/cpick-8810a2dc-test-Remove-CiTestCase-from-test_url_helper.py
- d/p/cpick-582f16c1-test-add-OauthUrlHelper-tests
- d/p/cpick-9311e066-fix-Update-OauthUrlHelper-to-use-readurl-exception_cb
* refresh patches
- d/p/deprecation-version-boundary.patch
- d/p/grub-dpkg-support.patch
- d/p/no-nocloud-network.patch
- d/p/no-single-process.patch
* sort hunks within all patches (--sort on quilt refresh)
* Upstream snapshot based on 25.1.1.
List of changes from upstream can be found at
https://raw.githubusercontent.com/canonical/cloud-init/25.1.1/ChangeLog
-- Chad Smith <[email protected]> Tue, 25 Mar 2025 11:02:28 -0600
libgssapi-krb5-2:amd64, libk5crypto3:amd64, libkrb5-3:amd64, libkrb5support0:amd64 (built from krb5) updated from 1.20.1-6ubuntu2.5 to 1.20.1-6ubuntu2.6:
krb5 (1.20.1-6ubuntu2.6) noble-security; urgency=medium
* SECURITY UPDATE: Use of weak cryptographic hash.
- debian/patches/CVE-2025-3576.patch: Add allow_des3 and allow_rc4 options.
Disallow usage of des3 and rc4 unless allowed in the config. Replace
warn_des3 with warn_deprecated in ./src/lib/krb5/krb/get_in_tkt.c. Add
allow_des3 and allow_rc4 boolean in ./src/include/k5-int.h. Prevent usage
of deprecated enctypes in ./src/kdc/kdc_util.c.
- debian/patches/CVE-2025-3576-post1.patch: Add enctype comparison with
ENCTYPE_AES256_CTS_HMAC_SHA1_96 in ./src/kdc/kdc_util.c.
- CVE-2025-3576
-- Hlib Korzhynskyy <[email protected]> Thu, 15 May 2025 10:09:20 +0200
openssh-client, openssh-server, openssh-sftp-server (built from openssh) updated from 1:9.6p1-3ubuntu13.11 to 1:9.6p1-3ubuntu13.12:
openssh (1:9.6p1-3ubuntu13.12) noble; urgency=medium
* d/p/sshd-socket-generator.patch: add note to sshd_config
Explain that a systemctl daemon-reload is needed for changes
to Port et al to take effect.
(LP: #2069041)
-- Nick Rosbrook <[email protected]> Tue, 29 Apr 2025 10:57:04 -0400
libpam-modules-bin, libpam-modules:amd64, libpam-runtime, libpam0g:amd64 (built from pam) updated from 1.5.3-5ubuntu5.1 to 1.5.3-5ubuntu5.4:
pam (1.5.3-5ubuntu5.4) noble-security; urgency=medium
* SECURITY UPDATE: privilege escalation via pam_namespace
- debian/patches/pam_namespace_170.patch: sync pam_namespace module to
version 1.7.0.
- debian/patches/pam_namespace_post170-*.patch: add post-1.7.0 changes
from upstream git tree.
- debian/patches/pam_namespace_revert_abi.patch: revert ABI change to
prevent unintended issues in running daemons.
- debian/patches/CVE-2025-6020-1.patch: fix potential privilege
escalation.
- debian/patches/CVE-2025-6020-2.patch: add flags to indicate path
safety.
- debian/patches/CVE-2025-6020-3.patch: secure_opendir: do not look at
the group ownership.
- debian/patches/pam_namespace_o_directory.patch: removed, included in
patch cluster above.
- CVE-2025-6020
-- Marc Deslauriers <[email protected]> Thu, 12 Jun 2025 10:45:28 -0400
pam (1.5.3-5ubuntu5.2) noble; urgency=medium
* d/p/031_pam_include: fix loading from /usr/lib/pam.d (LP: #2087827)
-- Simon Chopin <[email protected]> Mon, 26 May 2025 16:34:46 +0200
libpython3.12-minimal:amd64, libpython3.12-stdlib:amd64, python3.12, python3.12-minimal (built from python3.12) updated from 3.12.3-1ubuntu0.5 to 3.12.3-1ubuntu0.6:
python3.12 (3.12.3-1ubuntu0.6) noble-security; urgency=medium
* SECURITY UPDATE: incorrect address list folding
- debian/patches/CVE-2025-1795-2.patch: fix AttributeError in the email
module in Lib/email/_header_value_parser.py,
Lib/test/test_email/test__header_value_parser.py.
- CVE-2025-1795
* SECURITY UPDATE: DoS via bytes.decode with unicode_escape
- debian/patches/CVE-2025-4516.patch: fix use-after-free in the
unicode-escape decoder with an error handler in
Include/cpython/bytesobject.h, Include/cpython/unicodeobject.h,
Lib/test/test_codeccallbacks.py, Lib/test/test_codecs.py,
Objects/bytesobject.c, Objects/unicodeobject.c,
Parser/string_parser.c.
- CVE-2025-4516
-- Marc Deslauriers <[email protected]> Mon, 26 May 2025 14:50:19 -0400
python3-requests (built from requests) updated from 2.31.0+dfsg-1ubuntu1 to 2.31.0+dfsg-1ubuntu1.1:
requests (2.31.0+dfsg-1ubuntu1.1) noble-security; urgency=medium
* SECURITY UPDATE: Information Leak
- debian/patches/CVE-2024-47081.patch: Only use hostname to do netrc
lookup instead of netloc
- CVE-2024-47081
* Skip Test
- skip-failing-zip-test.patch: Skip failing zip test
-- Bruce Cable <[email protected]> Thu, 12 Jun 2025 11:19:32 +1000
python3-pkg-resources (built from setuptools) updated from 68.1.2-2ubuntu1.1 to 68.1.2-2ubuntu1.2:
setuptools (68.1.2-2ubuntu1.2) noble-security; urgency=medium
* SECURITY UPDATE: path traversal vulnerability
- debian/patches/CVE-2025-47273-pre1.patch: Extract
_resolve_download_filename with test.
- debian/patches/CVE-2025-47273.patch: Add a check to ensure the name
resolves relative to the tmpdir.
- CVE-2025-47273
-- Fabian Toepfer <[email protected]> Wed, 28 May 2025 19:00:32 +0200
libpam-systemd:amd64, libsystemd-shared:amd64, libsystemd0:amd64, libudev1:amd64, systemd, systemd-coredump, systemd-dev, systemd-resolved, systemd-sysv, systemd-timesyncd, udev (built from systemd) updated from 255.4-1ubuntu8.6 to 255.4-1ubuntu8.8:
systemd (255.4-1ubuntu8.8) noble-security; urgency=medium
* SECURITY UPDATE: race condition in systemd-coredump
- debian/patches/CVE_2025_4598_1.patch: coredump: get rid of
_META_MANDATORY_MAX.
- debian/patches/CVE_2025_4598_2.patch: coredump: use %d in kernel core
pattern.
- debian/patches/CVE_2025_4598_3.patch: coredump: also stop forwarding
non-dumpable processes.
- debian/patches/CVE_2025_4598_4.patch: coredump: get rid of a bogus
assertion.
- CVE-2025-4598
* this update does not include the changes from 255.4-1ubuntu8.7 as included in noble-proposed
-- Octavio Galland <[email protected]> Wed, 04 Jun 2025 09:24:15 -0300
tzdata (built from tzdata) updated from 2025b-0ubuntu0.24.04 to 2025b-0ubuntu0.24.04.1:
tzdata (2025b-0ubuntu0.24.04.1) noble; urgency=medium
* Update the ICU timezone data to 2025b (LP: #2107950)
* Add autopkgtest test case for ICU timezone data 2025b
-- Benjamin Drung <[email protected]> Tue, 22 Apr 2025 12:11:08 +0200