{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-headers-7.0.0-15",
                "linux-headers-7.0.0-15-generic",
                "linux-image-7.0.0-15-generic",
                "linux-main-modules-zfs-7.0.0-15-generic",
                "linux-modules-7.0.0-15-generic",
                "linux-tools-7.0.0-15",
                "linux-tools-7.0.0-15-generic"
            ],
            "removed": [
                "linux-headers-7.0.0-14",
                "linux-headers-7.0.0-14-generic",
                "linux-image-7.0.0-14-generic",
                "linux-main-modules-zfs-7.0.0-14-generic",
                "linux-modules-7.0.0-14-generic",
                "linux-tools-7.0.0-14",
                "linux-tools-7.0.0-14-generic"
            ],
            "diff": [
                "base-files",
                "bpftool",
                "curl",
                "distro-info-data",
                "gir1.2-packagekitglib-1.0",
                "jq",
                "libcurl3t64-gnutls",
                "libcurl4t64",
                "libgnutls30t64",
                "libjq1",
                "libnghttp2-14",
                "libntfs-3g89t64",
                "libpackagekit-glib2-18",
                "linux-headers-generic",
                "linux-headers-virtual",
                "linux-image-virtual",
                "linux-libc-dev",
                "linux-perf",
                "linux-tools-common",
                "linux-virtual",
                "motd-news-config",
                "ntfs-3g",
                "openssh-client",
                "openssh-server",
                "openssh-sftp-server",
                "packagekit",
                "python3-distupgrade",
                "rsync",
                "sed",
                "ubuntu-release-upgrader-core",
                "vim",
                "vim-common",
                "vim-runtime",
                "vim-tiny",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "base-files",
                "from_version": {
                    "source_package_name": "base-files",
                    "source_package_version": "14ubuntu6",
                    "version": "14ubuntu6"
                },
                "to_version": {
                    "source_package_name": "base-files",
                    "source_package_version": "14ubuntu6.1",
                    "version": "14ubuntu6.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2150561
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * /etc/os-release: Fix missing LTS in VERSION (LP: #2150561)",
                            ""
                        ],
                        "package": "base-files",
                        "version": "14ubuntu6.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2150561
                        ],
                        "author": "Oliver Reiche <oliver.reiche@canonical.com>",
                        "date": "Fri, 24 Apr 2026 11:24:55 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "bpftool",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-14.14",
                    "version": "7.7.0+7.0.0-14.14"
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-15.15",
                    "version": "7.7.0+7.0.0-15.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148866,
                    2149808,
                    2148718
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-15.15 -proposed tracker (LP: #2148866)",
                            "",
                            "  * Qualcomm X1E: Speaker overdrive causes hardware protection shutdown",
                            "    (LP: #2149808)",
                            "    - SAUCE: ASoC: qcom: x1e80100: limit speaker volumes",
                            "",
                            "  * intel-ipu7 / intel-ipu7-isys modules are shipped unsigned in latest",
                            "    Resolute kernels, breaking Secure Boot systems  (LP: #2148718)",
                            "    - [packaging] add intel-ipu7 to signature inclusion list",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-15.15",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2148866,
                            2149808,
                            2148718
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 22 Apr 2026 16:02:19 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "curl",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2",
                    "version": "8.18.0-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2.1",
                    "version": "8.18.0-1ubuntu2.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-4873",
                        "url": "https://ubuntu.com/security/CVE-2026-4873",
                        "cve_description": "A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host will bypass the TLS requirement and instead transmit data unencrypted.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5545",
                        "url": "https://ubuntu.com/security/CVE-2026-5545",
                        "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5773",
                        "url": "https://ubuntu.com/security/CVE-2026-5773",
                        "cve_description": "libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6253",
                        "url": "https://ubuntu.com/security/CVE-2026-6253",
                        "cve_description": "curl might erroneously pass on credentials for a first proxy to a second proxy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6276",
                        "url": "https://ubuntu.com/security/CVE-2026-6276",
                        "cve_description": "Using libcurl, when a custom `Host:` header is first set for a HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6429",
                        "url": "https://ubuntu.com/security/CVE-2026-6429",
                        "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances. Similar to CVE-2024-11053.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7168",
                        "url": "https://ubuntu.com/security/CVE-2026-7168",
                        "cve_description": "cross-proxy Digest auth state leak",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-29"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-4873",
                                "url": "https://ubuntu.com/security/CVE-2026-4873",
                                "cve_description": "A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host will bypass the TLS requirement and instead transmit data unencrypted.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5545",
                                "url": "https://ubuntu.com/security/CVE-2026-5545",
                                "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5773",
                                "url": "https://ubuntu.com/security/CVE-2026-5773",
                                "cve_description": "libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6253",
                                "url": "https://ubuntu.com/security/CVE-2026-6253",
                                "cve_description": "curl might erroneously pass on credentials for a first proxy to a second proxy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6276",
                                "url": "https://ubuntu.com/security/CVE-2026-6276",
                                "cve_description": "Using libcurl, when a custom `Host:` header is first set for a HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6429",
                                "url": "https://ubuntu.com/security/CVE-2026-6429",
                                "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances. Similar to CVE-2024-11053.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7168",
                                "url": "https://ubuntu.com/security/CVE-2026-7168",
                                "cve_description": "cross-proxy Digest auth state leak",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-29"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: connection reuse ignores TLS requirement",
                            "    - debian/patches/CVE-2026-4873.patch: do not reuse a non-tls starttls",
                            "      connection if new requires TLS in lib/url.c.",
                            "    - CVE-2026-4873",
                            "  * SECURITY UPDATE: wrong reuse of HTTP Negotiate connection",
                            "    - debian/patches/CVE-2026-5545.patch: improve connection reuse on",
                            "      negotiate in lib/url.c.",
                            "    - CVE-2026-5545",
                            "  * SECURITY UPDATE: wrong reuse of SMB connection",
                            "    - debian/patches/CVE-2026-5773.patch: disable connection reuse for",
                            "      SMB(S) in lib/smb.c.",
                            "    - CVE-2026-5773",
                            "  * SECURITY UPDATE: proxy credentials leak over redirect-to proxy",
                            "    - debian/patches/CVE-2026-6253-pre1.patch: chunked response, error code",
                            "      in lib/cf-h1-proxy.c, lib/cf-h2-proxy.c, tests/*.",
                            "    - debian/patches/CVE-2026-6253-pre2.patch: fix error code, remove SMB",
                            "      use in tests/data/test445.",
                            "    - debian/patches/CVE-2026-6253.patch: clear the proxy credentials as",
                            "      well on port or scheme change in lib/http.c, lib/transfer.*, tests/*.",
                            "    - CVE-2026-6253",
                            "  * SECURITY UPDATE: stale custom cookie host causes cookie leak",
                            "    - debian/patches/CVE-2026-6276.patch: move cookiehost to struct",
                            "      SingleRequest in lib/http.c, lib/request.c, lib/request.h, lib/url.c,",
                            "      lib/urldata.h, tests/*.",
                            "    - CVE-2026-6276",
                            "  * SECURITY UPDATE: netrc credential leak with reused proxy connection",
                            "    - debian/patches/CVE-2026-6429-pre1.patch: prevent secure schemes",
                            "      pushed over insecure connections in lib/http2.c.",
                            "    - debian/patches/CVE-2026-6429-pre2.patch: same origin tests in",
                            "      lib/http2.c, lib/urlapi-int.h, lib/urlapi.c.",
                            "    - debian/patches/CVE-2026-6429.patch: clear credentials better on",
                            "      redirect in lib/http.c, tests/*.",
                            "    - CVE-2026-6429",
                            "  * SECURITY UPDATE: cross-proxy Digest auth state leak",
                            "    - debian/patches/CVE-2026-7168.patch: clear proxy auth properties when",
                            "      switching in lib/setopt.c, lib/vauth/vauth.h, tests/*.",
                            "    - CVE-2026-7168",
                            ""
                        ],
                        "package": "curl",
                        "version": "8.18.0-1ubuntu2.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 29 Apr 2026 07:35:43 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "distro-info-data",
                "from_version": {
                    "source_package_name": "distro-info-data",
                    "source_package_version": "0.68build1",
                    "version": "0.68build1"
                },
                "to_version": {
                    "source_package_name": "distro-info-data",
                    "source_package_version": "0.68ubuntu0.1",
                    "version": "0.68ubuntu0.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2150234
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Add Ubuntu 26.10 \"Stonking Stingray\" (LP: #2150234)",
                            ""
                        ],
                        "package": "distro-info-data",
                        "version": "0.68ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2150234
                        ],
                        "author": "Oliver Reiche <oliver.reiche@canonical.com>",
                        "date": "Tue, 28 Apr 2026 13:30:01 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "gir1.2-packagekitglib-1.0",
                "from_version": {
                    "source_package_name": "packagekit",
                    "source_package_version": "1.3.4-3",
                    "version": "1.3.4-3"
                },
                "to_version": {
                    "source_package_name": "packagekit",
                    "source_package_version": "1.3.4-3ubuntu1",
                    "version": "1.3.4-3ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148512
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: TOCTOU Race on Transaction Flags (LP: #2148512)",
                            "    - debian/patches/Do-not-allow-re-invoking-methods-on-non-new-txn.patch:",
                            "      do not allow re-invoking methods on non-new transactions in",
                            "      src/pk-transaction.c.",
                            "    - CVE number pending",
                            ""
                        ],
                        "package": "packagekit",
                        "version": "1.3.4-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [
                            2148512
                        ],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 20 Apr 2026 07:22:37 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "jq",
                "from_version": {
                    "source_package_name": "jq",
                    "source_package_version": "1.8.1-4ubuntu1",
                    "version": "1.8.1-4ubuntu1"
                },
                "to_version": {
                    "source_package_name": "jq",
                    "source_package_version": "1.8.1-4ubuntu2",
                    "version": "1.8.1-4ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-32316",
                        "url": "https://ubuntu.com/security/CVE-2026-32316",
                        "cve_description": "jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-33947",
                        "url": "https://ubuntu.com/security/CVE-2026-33947",
                        "cve_description": "jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-33948",
                        "url": "https://ubuntu.com/security/CVE-2026-33948",
                        "cve_description": "jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 00:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-39956",
                        "url": "https://ubuntu.com/security/CVE-2026-39956",
                        "cve_description": "jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-39979",
                        "url": "https://ubuntu.com/security/CVE-2026-39979",
                        "cve_description": "jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-40164",
                        "url": "https://ubuntu.com/security/CVE-2026-40164",
                        "cve_description": "jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 00:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-32316",
                                "url": "https://ubuntu.com/security/CVE-2026-32316",
                                "cve_description": "jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-33947",
                                "url": "https://ubuntu.com/security/CVE-2026-33947",
                                "cve_description": "jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-33948",
                                "url": "https://ubuntu.com/security/CVE-2026-33948",
                                "cve_description": "jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 00:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-39956",
                                "url": "https://ubuntu.com/security/CVE-2026-39956",
                                "cve_description": "jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-39979",
                                "url": "https://ubuntu.com/security/CVE-2026-39979",
                                "cve_description": "jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-40164",
                                "url": "https://ubuntu.com/security/CVE-2026-40164",
                                "cve_description": "jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 00:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Heap Buffer Overflow",
                            "    - debian/patches/CVE-2026-32316.patch: Fix heap buffer overflow in",
                            "      `jvp_string_append` and `jvp_string_copy_replace_bad`",
                            "    - CVE-2026-32316",
                            "  * SECURITY UPDATE: Stack Buffer Overflow",
                            "    - debian/patches/CVE-2026-33947.patch: Limit path depth to prevent",
                            "      stack overflow",
                            "    - CVE-2026-33947",
                            "  * SECURITY UPDATE: Improper Null Termination",
                            "    - debian/patches/CVE-2026-33948.patch: Fix NUL truncation in the",
                            "      JSON parser",
                            "    - CVE-2026-33948",
                            "  * SECURITY UPDATE: Out of Bounds Read",
                            "    - debian/patches/CVE-2026-39956.patch: Add runtime type checks to",
                            "      f_string_indexes",
                            "    - debian/patches/CVE-2026-39979.patch: Fix out-of-bounds read in",
                            "      jv_parse_sized()",
                            "    - CVE-2026-39956",
                            "    - CVE-2026-39979",
                            "  * SECURITY UPDATE: Denial of Service",
                            "    - debian/patches/CVE-2026-40164.patch: Randomize hash seed to",
                            "      mitigate hash collision DoS attacks",
                            "    - CVE-2026-40164",
                            ""
                        ],
                        "package": "jq",
                        "version": "1.8.1-4ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Bruce Cable <bruce.cable@canonical.com>",
                        "date": "Mon, 20 Apr 2026 17:13:52 +1000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcurl3t64-gnutls",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2",
                    "version": "8.18.0-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2.1",
                    "version": "8.18.0-1ubuntu2.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-4873",
                        "url": "https://ubuntu.com/security/CVE-2026-4873",
                        "cve_description": "A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host will bypass the TLS requirement and instead transmit data unencrypted.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5545",
                        "url": "https://ubuntu.com/security/CVE-2026-5545",
                        "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5773",
                        "url": "https://ubuntu.com/security/CVE-2026-5773",
                        "cve_description": "libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6253",
                        "url": "https://ubuntu.com/security/CVE-2026-6253",
                        "cve_description": "curl might erroneously pass on credentials for a first proxy to a second proxy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6276",
                        "url": "https://ubuntu.com/security/CVE-2026-6276",
                        "cve_description": "Using libcurl, when a custom `Host:` header is first set for a HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6429",
                        "url": "https://ubuntu.com/security/CVE-2026-6429",
                        "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances. Similar to CVE-2024-11053.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7168",
                        "url": "https://ubuntu.com/security/CVE-2026-7168",
                        "cve_description": "cross-proxy Digest auth state leak",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-29"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-4873",
                                "url": "https://ubuntu.com/security/CVE-2026-4873",
                                "cve_description": "A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host will bypass the TLS requirement and instead transmit data unencrypted.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5545",
                                "url": "https://ubuntu.com/security/CVE-2026-5545",
                                "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5773",
                                "url": "https://ubuntu.com/security/CVE-2026-5773",
                                "cve_description": "libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6253",
                                "url": "https://ubuntu.com/security/CVE-2026-6253",
                                "cve_description": "curl might erroneously pass on credentials for a first proxy to a second proxy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6276",
                                "url": "https://ubuntu.com/security/CVE-2026-6276",
                                "cve_description": "Using libcurl, when a custom `Host:` header is first set for a HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6429",
                                "url": "https://ubuntu.com/security/CVE-2026-6429",
                                "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances. Similar to CVE-2024-11053.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7168",
                                "url": "https://ubuntu.com/security/CVE-2026-7168",
                                "cve_description": "cross-proxy Digest auth state leak",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-29"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: connection reuse ignores TLS requirement",
                            "    - debian/patches/CVE-2026-4873.patch: do not reuse a non-tls starttls",
                            "      connection if new requires TLS in lib/url.c.",
                            "    - CVE-2026-4873",
                            "  * SECURITY UPDATE: wrong reuse of HTTP Negotiate connection",
                            "    - debian/patches/CVE-2026-5545.patch: improve connection reuse on",
                            "      negotiate in lib/url.c.",
                            "    - CVE-2026-5545",
                            "  * SECURITY UPDATE: wrong reuse of SMB connection",
                            "    - debian/patches/CVE-2026-5773.patch: disable connection reuse for",
                            "      SMB(S) in lib/smb.c.",
                            "    - CVE-2026-5773",
                            "  * SECURITY UPDATE: proxy credentials leak over redirect-to proxy",
                            "    - debian/patches/CVE-2026-6253-pre1.patch: chunked response, error code",
                            "      in lib/cf-h1-proxy.c, lib/cf-h2-proxy.c, tests/*.",
                            "    - debian/patches/CVE-2026-6253-pre2.patch: fix error code, remove SMB",
                            "      use in tests/data/test445.",
                            "    - debian/patches/CVE-2026-6253.patch: clear the proxy credentials as",
                            "      well on port or scheme change in lib/http.c, lib/transfer.*, tests/*.",
                            "    - CVE-2026-6253",
                            "  * SECURITY UPDATE: stale custom cookie host causes cookie leak",
                            "    - debian/patches/CVE-2026-6276.patch: move cookiehost to struct",
                            "      SingleRequest in lib/http.c, lib/request.c, lib/request.h, lib/url.c,",
                            "      lib/urldata.h, tests/*.",
                            "    - CVE-2026-6276",
                            "  * SECURITY UPDATE: netrc credential leak with reused proxy connection",
                            "    - debian/patches/CVE-2026-6429-pre1.patch: prevent secure schemes",
                            "      pushed over insecure connections in lib/http2.c.",
                            "    - debian/patches/CVE-2026-6429-pre2.patch: same origin tests in",
                            "      lib/http2.c, lib/urlapi-int.h, lib/urlapi.c.",
                            "    - debian/patches/CVE-2026-6429.patch: clear credentials better on",
                            "      redirect in lib/http.c, tests/*.",
                            "    - CVE-2026-6429",
                            "  * SECURITY UPDATE: cross-proxy Digest auth state leak",
                            "    - debian/patches/CVE-2026-7168.patch: clear proxy auth properties when",
                            "      switching in lib/setopt.c, lib/vauth/vauth.h, tests/*.",
                            "    - CVE-2026-7168",
                            ""
                        ],
                        "package": "curl",
                        "version": "8.18.0-1ubuntu2.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 29 Apr 2026 07:35:43 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcurl4t64",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2",
                    "version": "8.18.0-1ubuntu2"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "8.18.0-1ubuntu2.1",
                    "version": "8.18.0-1ubuntu2.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-4873",
                        "url": "https://ubuntu.com/security/CVE-2026-4873",
                        "cve_description": "A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host will bypass the TLS requirement and instead transmit data unencrypted.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5545",
                        "url": "https://ubuntu.com/security/CVE-2026-5545",
                        "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5773",
                        "url": "https://ubuntu.com/security/CVE-2026-5773",
                        "cve_description": "libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6253",
                        "url": "https://ubuntu.com/security/CVE-2026-6253",
                        "cve_description": "curl might erroneously pass on credentials for a first proxy to a second proxy.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6276",
                        "url": "https://ubuntu.com/security/CVE-2026-6276",
                        "cve_description": "Using libcurl, when a custom `Host:` header is first set for a HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-6429",
                        "url": "https://ubuntu.com/security/CVE-2026-6429",
                        "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances. Similar to CVE-2024-11053.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-29 14:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-7168",
                        "url": "https://ubuntu.com/security/CVE-2026-7168",
                        "cve_description": "cross-proxy Digest auth state leak",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-29"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-4873",
                                "url": "https://ubuntu.com/security/CVE-2026-4873",
                                "cve_description": "A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host will bypass the TLS requirement and instead transmit data unencrypted.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5545",
                                "url": "https://ubuntu.com/security/CVE-2026-5545",
                                "cve_description": "libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5773",
                                "url": "https://ubuntu.com/security/CVE-2026-5773",
                                "cve_description": "libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6253",
                                "url": "https://ubuntu.com/security/CVE-2026-6253",
                                "cve_description": "curl might erroneously pass on credentials for a first proxy to a second proxy.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6276",
                                "url": "https://ubuntu.com/security/CVE-2026-6276",
                                "cve_description": "Using libcurl, when a custom `Host:` header is first set for a HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-6429",
                                "url": "https://ubuntu.com/security/CVE-2026-6429",
                                "cve_description": "When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances. Similar to CVE-2024-11053.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-29 14:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-7168",
                                "url": "https://ubuntu.com/security/CVE-2026-7168",
                                "cve_description": "cross-proxy Digest auth state leak",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-29"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: connection reuse ignores TLS requirement",
                            "    - debian/patches/CVE-2026-4873.patch: do not reuse a non-tls starttls",
                            "      connection if new requires TLS in lib/url.c.",
                            "    - CVE-2026-4873",
                            "  * SECURITY UPDATE: wrong reuse of HTTP Negotiate connection",
                            "    - debian/patches/CVE-2026-5545.patch: improve connection reuse on",
                            "      negotiate in lib/url.c.",
                            "    - CVE-2026-5545",
                            "  * SECURITY UPDATE: wrong reuse of SMB connection",
                            "    - debian/patches/CVE-2026-5773.patch: disable connection reuse for",
                            "      SMB(S) in lib/smb.c.",
                            "    - CVE-2026-5773",
                            "  * SECURITY UPDATE: proxy credentials leak over redirect-to proxy",
                            "    - debian/patches/CVE-2026-6253-pre1.patch: chunked response, error code",
                            "      in lib/cf-h1-proxy.c, lib/cf-h2-proxy.c, tests/*.",
                            "    - debian/patches/CVE-2026-6253-pre2.patch: fix error code, remove SMB",
                            "      use in tests/data/test445.",
                            "    - debian/patches/CVE-2026-6253.patch: clear the proxy credentials as",
                            "      well on port or scheme change in lib/http.c, lib/transfer.*, tests/*.",
                            "    - CVE-2026-6253",
                            "  * SECURITY UPDATE: stale custom cookie host causes cookie leak",
                            "    - debian/patches/CVE-2026-6276.patch: move cookiehost to struct",
                            "      SingleRequest in lib/http.c, lib/request.c, lib/request.h, lib/url.c,",
                            "      lib/urldata.h, tests/*.",
                            "    - CVE-2026-6276",
                            "  * SECURITY UPDATE: netrc credential leak with reused proxy connection",
                            "    - debian/patches/CVE-2026-6429-pre1.patch: prevent secure schemes",
                            "      pushed over insecure connections in lib/http2.c.",
                            "    - debian/patches/CVE-2026-6429-pre2.patch: same origin tests in",
                            "      lib/http2.c, lib/urlapi-int.h, lib/urlapi.c.",
                            "    - debian/patches/CVE-2026-6429.patch: clear credentials better on",
                            "      redirect in lib/http.c, tests/*.",
                            "    - CVE-2026-6429",
                            "  * SECURITY UPDATE: cross-proxy Digest auth state leak",
                            "    - debian/patches/CVE-2026-7168.patch: clear proxy auth properties when",
                            "      switching in lib/setopt.c, lib/vauth/vauth.h, tests/*.",
                            "    - CVE-2026-7168",
                            ""
                        ],
                        "package": "curl",
                        "version": "8.18.0-1ubuntu2.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 29 Apr 2026 07:35:43 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libgnutls30t64",
                "from_version": {
                    "source_package_name": "gnutls28",
                    "source_package_version": "3.8.12-2ubuntu1",
                    "version": "3.8.12-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "gnutls28",
                    "source_package_version": "3.8.12-2ubuntu1.1",
                    "version": "3.8.12-2ubuntu1.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-33846",
                        "url": "https://ubuntu.com/security/CVE-2026-33846",
                        "cve_description": "A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-04 10:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42009",
                        "url": "https://ubuntu.com/security/CVE-2026-42009",
                        "cve_description": "The comparator function used for ordering DTLS packets by sequence numbers did not follow qsort comparator contracts in case of packets with duplicate sequence numbers, which could lead to undefined behaviour.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-30"
                    },
                    {
                        "cve": "CVE-2026-33845",
                        "url": "https://ubuntu.com/security/CVE-2026-33845",
                        "cve_description": "A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-30 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3832",
                        "url": "https://ubuntu.com/security/CVE-2026-3832",
                        "cve_description": "A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-30 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-3833",
                        "url": "https://ubuntu.com/security/CVE-2026-3833",
                        "cve_description": "A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-30 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42011",
                        "url": "https://ubuntu.com/security/CVE-2026-42011",
                        "cve_description": "A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-07 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-42010",
                        "url": "https://ubuntu.com/security/CVE-2026-42010",
                        "cve_description": "A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-07 12:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-5260",
                        "url": "https://ubuntu.com/security/CVE-2026-5260",
                        "cve_description": "For a server using an RSA key backed by a PKCS#11 token, a client sending an extremely short premaster secret during an RSA key exchange could trigger a short heap overread.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-30"
                    },
                    {
                        "cve": "CVE-2026-42012",
                        "url": "https://ubuntu.com/security/CVE-2026-42012",
                        "cve_description": "Certificates containing URI or SRV Subject Alternative Names would fall back to checking DNS hostnames against Common Name, allowing potential misuse of such certificates beyond their original purpose.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-30"
                    },
                    {
                        "cve": "CVE-2026-42013",
                        "url": "https://ubuntu.com/security/CVE-2026-42013",
                        "cve_description": "Validation of certificates with oversized Subject Alternative Names would fall back to checking DNS hostnames against Common Name.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-30"
                    },
                    {
                        "cve": "CVE-2026-42014",
                        "url": "https://ubuntu.com/security/CVE-2026-42014",
                        "cve_description": "Changing the Security Officer PIN with gnutls_pkcs11_token_set_pin() with oldpin == NULL for a token lacking a protected authentication path led to a use-after-free.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-30"
                    },
                    {
                        "cve": "CVE-2026-42015",
                        "url": "https://ubuntu.com/security/CVE-2026-42015",
                        "cve_description": "Appending to a PKCS#12 bag that already contained 32 elements could write past the bag's internal array.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-30"
                    },
                    {
                        "cve": "CVE-2026-5419",
                        "url": "https://ubuntu.com/security/CVE-2026-5419",
                        "cve_description": "The PKCS#7 padding check performed during decryption was not constant-time, potentially leaking information about the padding bytes through timing differences.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-30"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-33846",
                                "url": "https://ubuntu.com/security/CVE-2026-33846",
                                "cve_description": "A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-04 10:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42009",
                                "url": "https://ubuntu.com/security/CVE-2026-42009",
                                "cve_description": "The comparator function used for ordering DTLS packets by sequence numbers did not follow qsort comparator contracts in case of packets with duplicate sequence numbers, which could lead to undefined behaviour.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-30"
                            },
                            {
                                "cve": "CVE-2026-33845",
                                "url": "https://ubuntu.com/security/CVE-2026-33845",
                                "cve_description": "A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-30 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3832",
                                "url": "https://ubuntu.com/security/CVE-2026-3832",
                                "cve_description": "A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-30 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-3833",
                                "url": "https://ubuntu.com/security/CVE-2026-3833",
                                "cve_description": "A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-30 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42011",
                                "url": "https://ubuntu.com/security/CVE-2026-42011",
                                "cve_description": "A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-07 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-42010",
                                "url": "https://ubuntu.com/security/CVE-2026-42010",
                                "cve_description": "A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-07 12:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-5260",
                                "url": "https://ubuntu.com/security/CVE-2026-5260",
                                "cve_description": "For a server using an RSA key backed by a PKCS#11 token, a client sending an extremely short premaster secret during an RSA key exchange could trigger a short heap overread.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-30"
                            },
                            {
                                "cve": "CVE-2026-42012",
                                "url": "https://ubuntu.com/security/CVE-2026-42012",
                                "cve_description": "Certificates containing URI or SRV Subject Alternative Names would fall back to checking DNS hostnames against Common Name, allowing potential misuse of such certificates beyond their original purpose.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-30"
                            },
                            {
                                "cve": "CVE-2026-42013",
                                "url": "https://ubuntu.com/security/CVE-2026-42013",
                                "cve_description": "Validation of certificates with oversized Subject Alternative Names would fall back to checking DNS hostnames against Common Name.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-30"
                            },
                            {
                                "cve": "CVE-2026-42014",
                                "url": "https://ubuntu.com/security/CVE-2026-42014",
                                "cve_description": "Changing the Security Officer PIN with gnutls_pkcs11_token_set_pin() with oldpin == NULL for a token lacking a protected authentication path led to a use-after-free.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-30"
                            },
                            {
                                "cve": "CVE-2026-42015",
                                "url": "https://ubuntu.com/security/CVE-2026-42015",
                                "cve_description": "Appending to a PKCS#12 bag that already contained 32 elements could write past the bag's internal array.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-30"
                            },
                            {
                                "cve": "CVE-2026-5419",
                                "url": "https://ubuntu.com/security/CVE-2026-5419",
                                "cve_description": "The PKCS#7 padding check performed during decryption was not constant-time, potentially leaking information about the padding bytes through timing differences.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-30"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: buffer overflow in DTLS handshake fragment reassembly",
                            "    - debian/patches/CVE-2026-33846-pre1.patch: buffers: shorten",
                            "      merge_handshake_packet using recv_buf in lib/buffers.c.",
                            "    - debian/patches/CVE-2026-33846.patch: buffers: add more checks to DTLS",
                            "      reassembly in lib/buffers.c.",
                            "    - CVE-2026-33846",
                            "  * SECURITY UPDATE: DTLS packets sequence number ordering issue",
                            "    - debian/patches/CVE-2026-42009-pre1.patch: buffers: match DTLS datagrams by",
                            "      sequence number in lib/buffers.c.",
                            "    - debian/patches/CVE-2026-42009-1.patch: lib/buffers: ensure packets have",
                            "      differing sequence numbers in lib/buffers.c.",
                            "    - debian/patches/CVE-2026-42009-2.patch: buffers: fix handshake_compare when",
                            "      sequence numbers match in lib/buffers.c.",
                            "    - CVE-2026-42009",
                            "  * SECURITY UPDATE: OOB read via malformed fragments with zero length and",
                            "    non-zero offset",
                            "    - debian/patches/CVE-2026-33845-pre1.patch: buffers: rename a variable in",
                            "      parse_handshake_header in lib/buffers.c.",
                            "    - debian/patches/CVE-2026-33845.patch: buffers: switch from end_offset over",
                            "      to frag_length in lib/buffers.c, lib/gnutls_int.h.",
                            "    - debian/patches/CVE-2026-33845-2.patch: buffers: simplify and tighten",
                            "      parse_handshake_header checks in lib/buffers.c.",
                            "    - CVE-2026-33845",
                            "  * SECURITY UPDATE: malformed OCSP response issue",
                            "    - debian/patches/CVE-2026-3832.patch: cert-session: fix multi-entry OCSP",
                            "      revocation bypass in lib/cert-session.c.",
                            "    - CVE-2026-3832",
                            "  * SECURITY UPDATE: policy bypass via x509 case-sensitive comparisons",
                            "    - debian/patches/CVE-2026-3833.patch: x509/name-constraints: compare domain",
                            "      names case-insensitive in lib/x509/name_constraints.c.",
                            "    - CVE-2026-3833",
                            "  * SECURITY UPDATE: permitted name constraints were incorrectly ignored",
                            "    - debian/patches/CVE-2026-42011.patch: x509/name_constraints: fix",
                            "      intersecting empty constraints in lib/x509/name_constraints.c.",
                            "    - CVE-2026-42011",
                            "  * SECURITY UPDATE: ",
                            "    - debian/patches/CVE-2026-42010.patch: lib/auth/rsa_psk: fix binary PSK",
                            "      identity lookup in lib/auth/rsa_psk.c.",
                            "    - CVE-2026-42010",
                            "  * SECURITY UPDATE: incorrect username parsing with NUL characters",
                            "    - debian/patches/CVE-2026-5260-1.patch: lib/auth/rsa: check that ciphertext",
                            "      matches the modulus size in lib/auth/rsa.c, lib/auth/rsa_psk.c.",
                            "    - debian/patches/CVE-2026-5260-2.patch: lib/pkcs11_privkey: guard against",
                            "      overreading on short ciphertexts in lib/pkcs11_privkey.c.",
                            "    - CVE-2026-5260",
                            "  * SECURITY UPDATE: ",
                            "    - debian/patches/CVE-2026-42012-pre1.patch: x509/hostname-verify: refactor",
                            "      and simplify CN fallback logic in lib/x509/hostname-verify.c.",
                            "    - debian/patches/CVE-2026-42012-pre2.patch: x509: add bare-bones awareness",
                            "      of SRV virtual SAN in lib/includes/gnutls/gnutls.h.in, lib/x509/common.h,",
                            "      lib/x509/name_constraints.c, lib/x509/output.c, lib/x509/virt-san.c,",
                            "      lib/x509/x509.c.",
                            "    - debian/patches/CVE-2026-42012.patch: x509/hostname-verify: make URI/SRV",
                            "      SAN preclude CN fallback in lib/x509/hostname-verify.c.",
                            "    - CVE-2026-42012",
                            "  * SECURITY UPDATE: incorrect URI or SRV Subject Alternative Names checking",
                            "    - debian/patches/CVE-2026-42013-pre1.patch: x509/email-verify: call",
                            "      fallback DN fallback in lib/x509/email-verify.c.",
                            "    - debian/patches/CVE-2026-42013.patch: x509: prevent fallback on oversized",
                            "      SAN in lib/x509/email-verify.c, lib/x509/hostname-verify.c.",
                            "    - CVE-2026-42013",
                            "  * SECURITY UPDATE: UaF when changing the Security Officer PIN",
                            "    - debian/patches/CVE-2026-42014.patch: pkcs11_write: fix UAF and leak in",
                            "      gnutls_pkcs11_token_set_pin in lib/pkcs11_write.c.",
                            "    - CVE-2026-42014",
                            "  * SECURITY UPDATE: buffer overflow when appending to a PKCS#12 bag",
                            "    - debian/patches/CVE-2026-42015.patch: x509/pkcs12_bag: fix off-by-one in",
                            "      bag element bounds check in lib/x509/pkcs12_bag.c.",
                            "    - CVE-2026-42015",
                            "  * SECURITY UPDATE: non-constant-time PKCS#7 padding check",
                            "    - debian/patches/CVE-2026-5419.patch: gnutls_cipher_decrypt3: make PKCS#7",
                            "      unpadding branch free in lib/crypto-api.c, lib/libgnutls.map,",
                            "      tests/Makefile.am, tests/pkcs7-pad.c.",
                            "    - debian/patches/CVE-2026-5419-2.patch: _gnutls_pkcs7_unpad: add missing",
                            "      declaration in lib/crypto-api.c.",
                            "    - CVE-2026-5419",
                            ""
                        ],
                        "package": "gnutls28",
                        "version": "3.8.12-2ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 08 May 2026 10:11:31 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libjq1",
                "from_version": {
                    "source_package_name": "jq",
                    "source_package_version": "1.8.1-4ubuntu1",
                    "version": "1.8.1-4ubuntu1"
                },
                "to_version": {
                    "source_package_name": "jq",
                    "source_package_version": "1.8.1-4ubuntu2",
                    "version": "1.8.1-4ubuntu2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-32316",
                        "url": "https://ubuntu.com/security/CVE-2026-32316",
                        "cve_description": "jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-33947",
                        "url": "https://ubuntu.com/security/CVE-2026-33947",
                        "cve_description": "jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 22:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-33948",
                        "url": "https://ubuntu.com/security/CVE-2026-33948",
                        "cve_description": "jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 00:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-39956",
                        "url": "https://ubuntu.com/security/CVE-2026-39956",
                        "cve_description": "jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-39979",
                        "url": "https://ubuntu.com/security/CVE-2026-39979",
                        "cve_description": "jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-13 23:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-40164",
                        "url": "https://ubuntu.com/security/CVE-2026-40164",
                        "cve_description": "jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-14 00:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-32316",
                                "url": "https://ubuntu.com/security/CVE-2026-32316",
                                "cve_description": "jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-33947",
                                "url": "https://ubuntu.com/security/CVE-2026-33947",
                                "cve_description": "jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 22:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-33948",
                                "url": "https://ubuntu.com/security/CVE-2026-33948",
                                "cve_description": "jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 00:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-39956",
                                "url": "https://ubuntu.com/security/CVE-2026-39956",
                                "cve_description": "jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-39979",
                                "url": "https://ubuntu.com/security/CVE-2026-39979",
                                "cve_description": "jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-13 23:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-40164",
                                "url": "https://ubuntu.com/security/CVE-2026-40164",
                                "cve_description": "jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-14 00:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Heap Buffer Overflow",
                            "    - debian/patches/CVE-2026-32316.patch: Fix heap buffer overflow in",
                            "      `jvp_string_append` and `jvp_string_copy_replace_bad`",
                            "    - CVE-2026-32316",
                            "  * SECURITY UPDATE: Stack Exhaustion (unbounded recursion)",
                            "    - debian/patches/CVE-2026-33947.patch: Limit path depth to prevent",
                            "      stack overflow",
                            "    - CVE-2026-33947",
                            "  * SECURITY UPDATE: Improper Null Termination",
                            "    - debian/patches/CVE-2026-33948.patch: Fix NUL truncation in the",
                            "      JSON parser",
                            "    - CVE-2026-33948",
                            "  * SECURITY UPDATE: Out of Bounds Read",
                            "    - debian/patches/CVE-2026-39956.patch: Add runtime type checks to",
                            "      f_string_indexes",
                            "    - debian/patches/CVE-2026-39979.patch: Fix out-of-bounds read in",
                            "      jv_parse_sized()",
                            "    - CVE-2026-39956",
                            "    - CVE-2026-39979",
                            "  * SECURITY UPDATE: Denial of Service",
                            "    - debian/patches/CVE-2026-40164.patch: Randomize hash seed to",
                            "      mitigate hash collision DoS attacks",
                            "    - CVE-2026-40164",
                            ""
                        ],
                        "package": "jq",
                        "version": "1.8.1-4ubuntu2",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Bruce Cable <bruce.cable@canonical.com>",
                        "date": "Mon, 20 Apr 2026 17:13:52 +1000"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libnghttp2-14",
                "from_version": {
                    "source_package_name": "nghttp2",
                    "source_package_version": "1.68.0-2",
                    "version": "1.68.0-2"
                },
                "to_version": {
                    "source_package_name": "nghttp2",
                    "source_package_version": "1.68.0-2ubuntu0.1",
                    "version": "1.68.0-2ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-27135",
                        "url": "https://ubuntu.com/security/CVE-2026-27135",
                        "cve_description": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library is expected to stop reading incoming data once the user-facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. These APIs may also be called internally by the library when it detects a condition that constitutes a connection error. Due to missing internal state validation, the library instead keeps reading the rest of the data after one of those APIs is called; subsequently receiving a malformed frame that triggers FRAME_SIZE_ERROR causes an assertion failure, i.e. a denial of service. nghttp2 v1.68.1 adds the missing state validation to avoid the assertion failure. No known workarounds are available.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-03-18 18:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-27135",
                                "url": "https://ubuntu.com/security/CVE-2026-27135",
                                "cve_description": "nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library is expected to stop reading incoming data once the user-facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. These APIs may also be called internally by the library when it detects a condition that constitutes a connection error. Due to missing internal state validation, the library instead keeps reading the rest of the data after one of those APIs is called; subsequently receiving a malformed frame that triggers FRAME_SIZE_ERROR causes an assertion failure, i.e. a denial of service. nghttp2 v1.68.1 adds the missing state validation to avoid the assertion failure. No known workarounds are available.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-03-18 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Denial of service through assertion failure.",
                            "    - debian/patches/CVE-2026-27135.patch: Add iframe->state ==",
                            "      NGHTTP2_IB_IGN_ALL checks in lib/nghttp2_session.c.",
                            "    - CVE-2026-27135",
                            ""
                        ],
                        "package": "nghttp2",
                        "version": "1.68.0-2ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>",
                        "date": "Tue, 05 May 2026 15:08:54 -0230"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libntfs-3g89t64",
                "from_version": {
                    "source_package_name": "ntfs-3g",
                    "source_package_version": "1:2022.10.3-5build1",
                    "version": "1:2022.10.3-5build1"
                },
                "to_version": {
                    "source_package_name": "ntfs-3g",
                    "source_package_version": "1:2022.10.3-5ubuntu1",
                    "version": "1:2022.10.3-5ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-40706",
                        "url": "https://ubuntu.com/security/CVE-2026-40706",
                        "cve_description": "In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-21 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-40706",
                                "url": "https://ubuntu.com/security/CVE-2026-40706",
                                "cve_description": "In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-21 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: heap overflow in ntfs_build_permissions_posix()",
                            "    - debian/patches/CVE-2026-40706.patch: allocate space for the worst",
                            "      case number of ACE entries in libntfs-3g/acls.c.",
                            "    - CVE-2026-40706",
                            ""
                        ],
                        "package": "ntfs-3g",
                        "version": "1:2022.10.3-5ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 17 Apr 2026 13:48:50 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libpackagekit-glib2-18",
                "from_version": {
                    "source_package_name": "packagekit",
                    "source_package_version": "1.3.4-3",
                    "version": "1.3.4-3"
                },
                "to_version": {
                    "source_package_name": "packagekit",
                    "source_package_version": "1.3.4-3ubuntu1",
                    "version": "1.3.4-3ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148512
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: TOCTOU Race on Transaction Flags (LP: #2148512)",
                            "    - debian/patches/Do-not-allow-re-invoking-methods-on-non-new-txn.patch:",
                            "      do not allow re-invoking methods on non-new transactions in",
                            "      src/pk-transaction.c.",
                            "    - CVE number pending",
                            ""
                        ],
                        "package": "packagekit",
                        "version": "1.3.4-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [
                            2148512
                        ],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 20 Apr 2026 07:22:37 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-generic",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-14.14",
                    "version": "7.0.0-14.14"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-15.15",
                    "version": "7.0.0-15.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-15.15",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-15.15",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 22 Apr 2026 16:05:08 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-14.14",
                    "version": "7.0.0-14.14"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-15.15",
                    "version": "7.0.0-15.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-15.15",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-15.15",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 22 Apr 2026 16:05:08 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-14.14",
                    "version": "7.0.0-14.14"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-15.15",
                    "version": "7.0.0-15.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-15.15",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-15.15",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 22 Apr 2026 16:05:08 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-libc-dev",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-14.14",
                    "version": "7.0.0-14.14"
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-15.15",
                    "version": "7.0.0-15.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148866,
                    2149808,
                    2148718
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-15.15 -proposed tracker (LP: #2148866)",
                            "",
                            "  * Qualcomm X1E: Speaker overdrive causes hardware protection shutdown",
                            "    (LP: #2149808)",
                            "    - SAUCE: ASoC: qcom: x1e80100: limit speaker volumes",
                            "",
                            "  * intel-ipu7 / intel-ipu7-isys modules are shipped unsigned in latest",
                            "    Resolute kernels, breaking Secure Boot systems (LP: #2148718)",
                            "    - [packaging] add intel-ipu7 to signature inclusion list",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-15.15",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2148866,
                            2149808,
                            2148718
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 22 Apr 2026 16:02:19 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-perf",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-14.14",
                    "version": "7.0.0-14.14"
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-15.15",
                    "version": "7.0.0-15.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148866,
                    2149808,
                    2148718
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-15.15 -proposed tracker (LP: #2148866)",
                            "",
                            "  * Qualcomm X1E: Speaker overdrive causes hardware protection shutdown",
                            "    (LP: #2149808)",
                            "    - SAUCE: ASoC: qcom: x1e80100: limit speaker volumes",
                            "",
                            "  * intel-ipu7 / intel-ipu7-isys modules are shipped unsigned in latest",
                            "    Resolute kernels, breaking Secure Boot systems (LP: #2148718)",
                            "    - [packaging] add intel-ipu7 to signature inclusion list",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-15.15",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2148866,
                            2149808,
                            2148718
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 22 Apr 2026 16:02:19 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-common",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-14.14",
                    "version": "7.0.0-14.14"
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-15.15",
                    "version": "7.0.0-15.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148866,
                    2149808,
                    2148718
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-15.15 -proposed tracker (LP: #2148866)",
                            "",
                            "  * Qualcomm X1E: Speaker overdrive causes hardware protection shutdown",
                            "    (LP: #2149808)",
                            "    - SAUCE: ASoC: qcom: x1e80100: limit speaker volumes",
                            "",
                            "  * intel-ipu7 / intel-ipu7-isys modules are shipped unsigned in latest",
                            "    Resolute kernels, breaking Secure Boot systems (LP: #2148718)",
                            "    - [packaging] add intel-ipu7 to signature inclusion list",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-15.15",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2148866,
                            2149808,
                            2148718
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 22 Apr 2026 16:02:19 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-14.14",
                    "version": "7.0.0-14.14"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "7.0.0-15.15",
                    "version": "7.0.0-15.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-15.15",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "7.0.0-15.15",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 22 Apr 2026 16:05:08 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "motd-news-config",
                "from_version": {
                    "source_package_name": "base-files",
                    "source_package_version": "14ubuntu6",
                    "version": "14ubuntu6"
                },
                "to_version": {
                    "source_package_name": "base-files",
                    "source_package_version": "14ubuntu6.1",
                    "version": "14ubuntu6.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2150561
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * /etc/os-release: Fix missing LTS in VERSION (LP: #2150561)",
                            ""
                        ],
                        "package": "base-files",
                        "version": "14ubuntu6.1",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2150561
                        ],
                        "author": "Oliver Reiche <oliver.reiche@canonical.com>",
                        "date": "Fri, 24 Apr 2026 11:24:55 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ntfs-3g",
                "from_version": {
                    "source_package_name": "ntfs-3g",
                    "source_package_version": "1:2022.10.3-5build1",
                    "version": "1:2022.10.3-5build1"
                },
                "to_version": {
                    "source_package_name": "ntfs-3g",
                    "source_package_version": "1:2022.10.3-5ubuntu1",
                    "version": "1:2022.10.3-5ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-40706",
                        "url": "https://ubuntu.com/security/CVE-2026-40706",
                        "cve_description": "In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-21 22:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-40706",
                                "url": "https://ubuntu.com/security/CVE-2026-40706",
                                "cve_description": "In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-21 22:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: heap overflow in ntfs_build_permissions_posix()",
                            "    - debian/patches/CVE-2026-40706.patch: allocate space for the worst",
                            "      case number of ACE entries in libntfs-3g/acls.c.",
                            "    - CVE-2026-40706",
                            ""
                        ],
                        "package": "ntfs-3g",
                        "version": "1:2022.10.3-5ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 17 Apr 2026 13:48:50 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-client",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu3",
                    "version": "1:10.2p1-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu3.2",
                    "version": "1:10.2p1-2ubuntu3.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35385",
                        "url": "https://ubuntu.com/security/CVE-2026-35385",
                        "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35386",
                        "url": "https://ubuntu.com/security/CVE-2026-35386",
                        "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35387",
                        "url": "https://ubuntu.com/security/CVE-2026-35387",
                        "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35388",
                        "url": "https://ubuntu.com/security/CVE-2026-35388",
                        "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35414",
                        "url": "https://ubuntu.com/security/CVE-2026-35414",
                        "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 18:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35385",
                                "url": "https://ubuntu.com/security/CVE-2026-35385",
                                "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35386",
                                "url": "https://ubuntu.com/security/CVE-2026-35386",
                                "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35387",
                                "url": "https://ubuntu.com/security/CVE-2026-35387",
                                "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35388",
                                "url": "https://ubuntu.com/security/CVE-2026-35388",
                                "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35414",
                                "url": "https://ubuntu.com/security/CVE-2026-35414",
                                "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: unexpected scp setuid and setgid",
                            "    - debian/patches/CVE-2026-35385.patch: clear setuid/setgid bits from",
                            "      downloaded files in scp.c.",
                            "    - CVE-2026-35385",
                            "  * SECURITY UPDATE: command execution via shell metacharacters in username",
                            "    - debian/patches/CVE-2026-35386-pre1.patch: apply validity rules on",
                            "      ProxyJump usernames and hostnames in readconf.c, readconf.h, ssh.c.",
                            "    - debian/patches/CVE-2026-35386.patch: move username check earlier in",
                            "      ssh.c.",
                            "    - debian/patches/CVE-2026-35386-2.patch: adapt to username validity",
                            "      check change in regress/percent.sh.",
                            "    - CVE-2026-35386",
                            "  * SECURITY UPDATE: use of unintended ECDSA algorithms",
                            "    - debian/patches/CVE-2026-35387_35414.patch: correctly match ECDSA",
                            "      signature algorithms against algorithm allowlists in",
                            "      auth2-hostbased.c, auth2-pubkey.c, sshconnect2.c.",
                            "    - CVE-2026-35387",
                            "  * SECURITY UPDATE: missing connection multiplexing confirmation",
                            "    - debian/patches/CVE-2026-35388.patch: add missing askpass check in",
                            "      mux.c.",
                            "    - CVE-2026-35388",
                            "  * SECURITY UPDATE: authorized_keys principals option mishandling",
                            "    - debian/patches/CVE-2026-35387_35414.patch: check for commas in",
                            "      auth2-pubkeyfile.c.",
                            "    - CVE-2026-35414",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.2p1-2ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 27 Apr 2026 20:15:40 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu3",
                    "version": "1:10.2p1-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu3.2",
                    "version": "1:10.2p1-2ubuntu3.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35385",
                        "url": "https://ubuntu.com/security/CVE-2026-35385",
                        "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35386",
                        "url": "https://ubuntu.com/security/CVE-2026-35386",
                        "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35387",
                        "url": "https://ubuntu.com/security/CVE-2026-35387",
                        "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35388",
                        "url": "https://ubuntu.com/security/CVE-2026-35388",
                        "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35414",
                        "url": "https://ubuntu.com/security/CVE-2026-35414",
                        "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 18:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35385",
                                "url": "https://ubuntu.com/security/CVE-2026-35385",
                                "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35386",
                                "url": "https://ubuntu.com/security/CVE-2026-35386",
                                "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35387",
                                "url": "https://ubuntu.com/security/CVE-2026-35387",
                                "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35388",
                                "url": "https://ubuntu.com/security/CVE-2026-35388",
                                "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35414",
                                "url": "https://ubuntu.com/security/CVE-2026-35414",
                                "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: unexpected scp setuid and setgid",
                            "    - debian/patches/CVE-2026-35385.patch: clear setuid/setgid bits from",
                            "      downloaded files in scp.c.",
                            "    - CVE-2026-35385",
                            "  * SECURITY UPDATE: command execution via shell metacharacters in username",
                            "    - debian/patches/CVE-2026-35386-pre1.patch: apply validity rules on",
                            "      ProxyJump usernames and hostnames in readconf.c, readconf.h, ssh.c.",
                            "    - debian/patches/CVE-2026-35386.patch: move username check earlier in",
                            "      ssh.c.",
                            "    - debian/patches/CVE-2026-35386-2.patch: adapt to username validity",
                            "      check change in regress/percent.sh.",
                            "    - CVE-2026-35386",
                            "  * SECURITY UPDATE: use of unintended ECDSA algorithms",
                            "    - debian/patches/CVE-2026-35387_35414.patch: correctly match ECDSA",
                            "      signature algorithms against algorithm allowlists in",
                            "      auth2-hostbased.c, auth2-pubkey.c, sshconnect2.c.",
                            "    - CVE-2026-35387",
                            "  * SECURITY UPDATE: missing connection multiplexing confirmation",
                            "    - debian/patches/CVE-2026-35388.patch: add missing askpass check in",
                            "      mux.c.",
                            "    - CVE-2026-35388",
                            "  * SECURITY UPDATE: authorized_keys principals option mishandling",
                            "    - debian/patches/CVE-2026-35387_35414.patch: check for commas in",
                            "      auth2-pubkeyfile.c.",
                            "    - CVE-2026-35414",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.2p1-2ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 27 Apr 2026 20:15:40 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-sftp-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu3",
                    "version": "1:10.2p1-2ubuntu3"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.2p1-2ubuntu3.2",
                    "version": "1:10.2p1-2ubuntu3.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35385",
                        "url": "https://ubuntu.com/security/CVE-2026-35385",
                        "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35386",
                        "url": "https://ubuntu.com/security/CVE-2026-35386",
                        "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35387",
                        "url": "https://ubuntu.com/security/CVE-2026-35387",
                        "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35388",
                        "url": "https://ubuntu.com/security/CVE-2026-35388",
                        "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35414",
                        "url": "https://ubuntu.com/security/CVE-2026-35414",
                        "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 18:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35385",
                                "url": "https://ubuntu.com/security/CVE-2026-35385",
                                "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35386",
                                "url": "https://ubuntu.com/security/CVE-2026-35386",
                                "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35387",
                                "url": "https://ubuntu.com/security/CVE-2026-35387",
                                "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35388",
                                "url": "https://ubuntu.com/security/CVE-2026-35388",
                                "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35414",
                                "url": "https://ubuntu.com/security/CVE-2026-35414",
                                "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: unexpected scp setuid and setgid",
                            "    - debian/patches/CVE-2026-35385.patch: clear setuid/setgid bits from",
                            "      downloaded files in scp.c.",
                            "    - CVE-2026-35385",
                            "  * SECURITY UPDATE: command execution via shell metacharacters in username",
                            "    - debian/patches/CVE-2026-35386-pre1.patch: apply validity rules on",
                            "      ProxyJump usernames and hostnames in readconf.c, readconf.h, ssh.c.",
                            "    - debian/patches/CVE-2026-35386.patch: move username check earlier in",
                            "      ssh.c.",
                            "    - debian/patches/CVE-2026-35386-2.patch: adapt to username validity",
                            "      check change in regress/percent.sh.",
                            "    - CVE-2026-35386",
                            "  * SECURITY UPDATE: use of unintended ECDSA algorithms",
                            "    - debian/patches/CVE-2026-35387_35414.patch: correctly match ECDSA",
                            "      signature algorithms against algorithm allowlists in",
                            "      auth2-hostbased.c, auth2-pubkey.c, sshconnect2.c.",
                            "    - CVE-2026-35387",
                            "  * SECURITY UPDATE: missing connection multiplexing confirmation",
                            "    - debian/patches/CVE-2026-35388.patch: add missing askpass check in",
                            "      mux.c.",
                            "    - CVE-2026-35388",
                            "  * SECURITY UPDATE: authorized_keys principals option mishandling",
                            "    - debian/patches/CVE-2026-35387_35414.patch: check for commas in",
                            "      auth2-pubkeyfile.c.",
                            "    - CVE-2026-35414",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.2p1-2ubuntu3.2",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 27 Apr 2026 20:15:40 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "packagekit",
                "from_version": {
                    "source_package_name": "packagekit",
                    "source_package_version": "1.3.4-3",
                    "version": "1.3.4-3"
                },
                "to_version": {
                    "source_package_name": "packagekit",
                    "source_package_version": "1.3.4-3ubuntu1",
                    "version": "1.3.4-3ubuntu1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148512
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: TOCTOU Race on Transaction Flags (LP: #2148512)",
                            "    - debian/patches/Do-not-allow-re-invoking-methods-on-non-new-txn.patch:",
                            "      do not allow re-invoking methods on non-new transactions in",
                            "      src/pk-transaction.c.",
                            "    - CVE number pending",
                            ""
                        ],
                        "package": "packagekit",
                        "version": "1.3.4-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [
                            2148512
                        ],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 20 Apr 2026 07:22:37 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-distupgrade",
                "from_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:26.04.16",
                    "version": "1:26.04.16"
                },
                "to_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:26.04.18",
                    "version": "1:26.04.18"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2147517,
                    2147101
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * test: make arm64 specific data where needed",
                            "  * test: only run test_arm64_ports_rewrite on arm64",
                            "  * Run pre-build.sh: updating mirrors.",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:26.04.18",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Wed, 22 Apr 2026 13:29:32 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * DistUpgrade: do not call GLib.markup_escape_text with None (LP: #2147517)",
                            "  * Run pre-build.sh: updating mirrors.",
                            "",
                            "  [ Utkarsh Gupta ]",
                            "  * DistUpgradeController: migrate arm64 sources from ports to archive on",
                            "    upgrade. (LP: #2147101)",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:26.04.17",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2147517,
                            2147101
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 21 Apr 2026 09:27:14 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "rsync",
                "from_version": {
                    "source_package_name": "rsync",
                    "source_package_version": "3.4.1+ds1-7",
                    "version": "3.4.1+ds1-7"
                },
                "to_version": {
                    "source_package_name": "rsync",
                    "source_package_version": "3.4.1+ds1-7ubuntu0.2",
                    "version": "3.4.1+ds1-7ubuntu0.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-10158",
                        "url": "https://ubuntu.com/security/CVE-2025-10158",
                        "cve_description": "A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.",
                        "cve_priority": "low",
                        "cve_public_date": "2025-11-18 15:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-29518",
                        "url": "https://ubuntu.com/security/CVE-2026-29518",
                        "cve_description": "An rsync daemon configured with \"use chroot = no\" is exposed to a time-of-check / time-of-use race on parent path components. A local attacker with write access to a module can replace a parent directory component with a symlink between the receiver's check and its open(), redirecting reads (basis-file disclosure) and writes (file overwrite) outside the module. Under elevated daemon privilege this allows privilege escalation. Default \"use chroot = yes\" is not exposed.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-20 00:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-41035",
                        "url": "https://ubuntu.com/security/CVE-2026-41035",
                        "cve_description": "In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.",
                        "cve_priority": "low",
                        "cve_public_date": "2026-04-16 07:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43617",
                        "url": "https://ubuntu.com/security/CVE-2026-43617",
                        "cve_description": "On an rsync daemon configured with the global \"daemon chroot = /X\" rsyncd.conf setting, the reverse-DNS lookup of the connecting client was performed *after* the daemon had chrooted into /X. If /X did not contain the files glibc needs for resolution (/etc/resolv.conf, /etc/nsswitch.conf, /etc/hosts, NSS service modules), the lookup failed and the connecting hostname was set to \"UNKNOWN\". Hostname-based deny rules (\"hosts deny = *.evil.example\") therefore could not match, and an attacker controlling their PTR record could connect from a hostname the administrator had intended to deny. IP-based ACLs are unaffected. The per-module \"use chroot\" setting is unrelated to this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 00:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43618",
                        "url": "https://ubuntu.com/security/CVE-2026-43618",
                        "cve_description": "The receiver's compressed-token decoder accumulated a 32-bit signed counter without overflow checking. A malicious sender can trigger an overflow that, with careful manipulation, leaks process memory contents to the attacker -- environment variables, passwords, heap and library pointers -- significantly weakening ASLR and facilitating further exploitation.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-05-20 00:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43619",
                        "url": "https://ubuntu.com/security/CVE-2026-43619",
                        "cve_description": "Earlier fixes for symlink races on the receiver's open() call (CVE-2026-29518) missed the same race class on every other path-based system call: chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, lstat. On rsync daemons with \"use chroot = no\" a local attacker with filesystem access on the daemon host can swap a symlink into a parent directory component between the receiver's check and one of these syscalls, redirecting it outside the exported module. The fix routes each affected path-based syscall through a parent dirfd opened under RESOLVE_BENEATH-equivalent kernel-enforced confinement (openat2 on Linux 5.6+, O_RESOLVE_BENEATH on FreeBSD 13+ and macOS 15+, per-component O_NOFOLLOW walk elsewhere). Default \"use chroot = yes\" is not exposed.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 00:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-43620",
                        "url": "https://ubuntu.com/security/CVE-2026-43620",
                        "cve_description": "The 2025 fix that added a parent_ndx<0 guard in send_files() was not applied to the visually-identical block in recv_files(). A malicious rsync server can drive any connecting client into a deterministic flist whose first sorted entry is not a leading \".\" directory (which causes recv_file_list() to set parent_ndx = -1), then send a transfer record with ndx=0 and a non-ITEM_TRANSFER iflag word. The receiver reads dir_flist->files[-1] and dereferences the result. On glibc x86-64 the dereferenced pointer is mmap chunk metadata that lands at an unmapped address, hence a clean SEGV_MAPERR; non-glibc allocators have not been audited.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 00:00:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-45232",
                        "url": "https://ubuntu.com/security/CVE-2026-45232",
                        "cve_description": "security issue",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-20 00:00:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-10158",
                                "url": "https://ubuntu.com/security/CVE-2025-10158",
                                "cve_description": "A malicious client acting as the receiver of an rsync file transfer can trigger an out of bounds read of a heap based buffer, via a negative array index. The malicious rsync client requires at least read access to the remote rsync module in order to trigger the issue.",
                                "cve_priority": "low",
                                "cve_public_date": "2025-11-18 15:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-29518",
                                "url": "https://ubuntu.com/security/CVE-2026-29518",
                                "cve_description": "An rsync daemon configured with \"use chroot = no\" is exposed to a time-of-check / time-of-use race on parent path components. A local attacker with write access to a module can replace a parent directory component with a symlink between the receiver's check and its open(), redirecting reads (basis-file disclosure) and writes (file overwrite) outside the module. Under elevated daemon privilege this allows privilege escalation. Default \"use chroot = yes\" is not exposed.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-20 00:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-41035",
                                "url": "https://ubuntu.com/security/CVE-2026-41035",
                                "cve_description": "In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many (but not all) common configurations are vulnerable. Non-Linux platforms are more widely vulnerable.",
                                "cve_priority": "low",
                                "cve_public_date": "2026-04-16 07:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43617",
                                "url": "https://ubuntu.com/security/CVE-2026-43617",
                                "cve_description": "On an rsync daemon configured with the global \"daemon chroot = /X\" rsyncd.conf setting, the reverse-DNS lookup of the connecting client was performed *after* the daemon had chrooted into /X. If /X did not contain the files glibc needs for resolution (/etc/resolv.conf, /etc/nsswitch.conf, /etc/hosts, NSS service modules), the lookup failed and the connecting hostname was set to \"UNKNOWN\". Hostname-based deny rules (\"hosts deny = *.evil.example\") therefore could not match, and an attacker controlling their PTR record could connect from a hostname the administrator had intended to deny. IP-based ACLs are unaffected. The per-module \"use chroot\" setting is unrelated to this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 00:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43618",
                                "url": "https://ubuntu.com/security/CVE-2026-43618",
                                "cve_description": "The receiver's compressed-token decoder accumulated a 32-bit signed counter without overflow checking. A malicious sender can trigger an overflow that, with careful manipulation, leaks process memory contents to the attacker -- environment variables, passwords, heap and library pointers -- significantly weakening ASLR and facilitating further exploitation.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-05-20 00:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43619",
                                "url": "https://ubuntu.com/security/CVE-2026-43619",
                                "cve_description": "Earlier fixes for symlink races on the receiver's open() call (CVE-2026-29518) missed the same race class on every other path-based system call: chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, lstat. On rsync daemons with \"use chroot = no\" a local attacker with filesystem access on the daemon host can swap a symlink into a parent directory component between the receiver's check and one of these syscalls, redirecting it outside the exported module. The fix routes each affected path-based syscall through a parent dirfd opened under RESOLVE_BENEATH-equivalent kernel-enforced confinement (openat2 on Linux 5.6+, O_RESOLVE_BENEATH on FreeBSD 13+ and macOS 15+, per-component O_NOFOLLOW walk elsewhere). Default \"use chroot = yes\" is not exposed.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 00:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-43620",
                                "url": "https://ubuntu.com/security/CVE-2026-43620",
                                "cve_description": "The 2025 fix that added a parent_ndx<0 guard in send_files() was not applied to the visually-identical block in recv_files(). A malicious rsync server can drive any connecting client into a deterministic flist whose first sorted entry is not a leading \".\" directory (which causes recv_file_list() to set parent_ndx = -1), then send a transfer record with ndx=0 and a non-ITEM_TRANSFER iflag word. The receiver reads dir_flist->files[-1] and dereferences the result. On glibc x86-64 the dereferenced pointer is mmap chunk metadata that lands at an unmapped address, hence a clean SEGV_MAPERR; non-glibc allocators have not been audited.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 00:00:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-45232",
                                "url": "https://ubuntu.com/security/CVE-2026-45232",
                                "cve_description": "security issue",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-20 00:00:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: May 2026 security issues",
                            "    - debian/patches/security-202605/*.patch: commits to backport security",
                            "      fixes to 3.4.1.",
                            "    - d/p/CVE-2025-10158.patch: removed, included in patch cluster.",
                            "    - d/p/gcc_15.patch: removed, included in patch cluster.",
                            "    - d/p/fix-flaky-hardlinks-test.patch: removed, included in patch",
                            "      cluster.",
                            "    - CVE-2026-29518",
                            "    - CVE-2026-41035",
                            "    - CVE-2026-43617",
                            "    - CVE-2026-43618",
                            "    - CVE-2026-43619",
                            "    - CVE-2026-43620",
                            "    - CVE-2026-45232",
                            ""
                        ],
                        "package": "rsync",
                        "version": "3.4.1+ds1-7ubuntu0.2",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 14 May 2026 10:54:05 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "sed",
                "from_version": {
                    "source_package_name": "sed",
                    "source_package_version": "4.9-2build3",
                    "version": "4.9-2build3"
                },
                "to_version": {
                    "source_package_name": "sed",
                    "source_package_version": "4.9-2ubuntu1",
                    "version": "4.9-2ubuntu1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-5958",
                        "url": "https://ubuntu.com/security/CVE-2026-5958",
                        "cve_description": "When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves the symlink to its target and stores the resolved path for determining where output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-20 12:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-5958",
                                "url": "https://ubuntu.com/security/CVE-2026-5958",
                                "cve_description": "When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path: 1. resolves the symlink to its target and stores the resolved path for determining where output is written, 2. opens the original symlink path (not the resolved one) to read the file. Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process. This issue was fixed in version 4.10.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-20 12:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: TOCTOU race in sed -i --follow-symlinks",
                            "    - debian/patches/CVE-2026-5958.patch: open the already-resolved path",
                            "      instead of re-traversing the symlink in sed/execute.c.",
                            "    - CVE-2026-5958",
                            ""
                        ],
                        "package": "sed",
                        "version": "4.9-2ubuntu1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 17 Apr 2026 13:58:43 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-release-upgrader-core",
                "from_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:26.04.16",
                    "version": "1:26.04.16"
                },
                "to_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:26.04.18",
                    "version": "1:26.04.18"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2147517,
                    2147101
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * test: make arm64 specific data where needed",
                            "  * test: only run test_arm64_ports_rewrite on arm64",
                            "  * Run pre-build.sh: updating mirrors.",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:26.04.18",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Wed, 22 Apr 2026 13:29:32 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Nick Rosbrook ]",
                            "  * DistUpgrade: do not call GLib.markup_escape_text with None (LP: #2147517)",
                            "  * Run pre-build.sh: updating mirrors.",
                            "",
                            "  [ Utkarsh Gupta ]",
                            "  * DistUpgradeController: migrate arm64 sources from ports to archive on",
                            "    upgrade. (LP: #2147101)",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:26.04.17",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2147517,
                            2147101
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 21 Apr 2026 09:27:14 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4",
                    "version": "2:9.1.2141-1ubuntu4"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.1",
                    "version": "2:9.1.2141-1ubuntu4.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-39881",
                        "url": "https://ubuntu.com/security/CVE-2026-39881",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-08 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-41411",
                        "url": "https://ubuntu.com/security/CVE-2026-41411",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-39881",
                                "url": "https://ubuntu.com/security/CVE-2026-39881",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-08 21:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-41411",
                                "url": "https://ubuntu.com/security/CVE-2026-41411",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Command Injection in netbeans",
                            "    - debian/patches/CVE-2026-39881.patch: Validate typename, fg, and bg",
                            "      before passing to coloncmd in src/netbeans.c",
                            "    - CVE-2026-39881",
                            "  * SECURITY UPDATE: Command injection via backtick expansion in tag files",
                            "    - debian/patches/CVE-2026-41411.patch: Disallow backticks before attempting",
                            "      to expand filenames",
                            "    - CVE-2026-41411",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Federico Quattrin <federico.quattrin@canonical.com>",
                        "date": "Wed, 06 May 2026 13:49:47 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-common",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4",
                    "version": "2:9.1.2141-1ubuntu4"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.1",
                    "version": "2:9.1.2141-1ubuntu4.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-39881",
                        "url": "https://ubuntu.com/security/CVE-2026-39881",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-08 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-41411",
                        "url": "https://ubuntu.com/security/CVE-2026-41411",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-39881",
                                "url": "https://ubuntu.com/security/CVE-2026-39881",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-08 21:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-41411",
                                "url": "https://ubuntu.com/security/CVE-2026-41411",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Command Injection in netbeans",
                            "    - debian/patches/CVE-2026-39881.patch: Validate typename, fg, and bg",
                            "      before passing to coloncmd in src/netbeans.c",
                            "    - CVE-2026-39881",
                            "  * SECURITY UPDATE: Command injection via backtick expansion in tag files",
                            "    - debian/patches/CVE-2026-41411.patch: Disallow backticks before attempting",
                            "      to expand filenames",
                            "    - CVE-2026-41411",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Federico Quattrin <federico.quattrin@canonical.com>",
                        "date": "Wed, 06 May 2026 13:49:47 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-runtime",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4",
                    "version": "2:9.1.2141-1ubuntu4"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.1",
                    "version": "2:9.1.2141-1ubuntu4.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-39881",
                        "url": "https://ubuntu.com/security/CVE-2026-39881",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-08 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-41411",
                        "url": "https://ubuntu.com/security/CVE-2026-41411",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-39881",
                                "url": "https://ubuntu.com/security/CVE-2026-39881",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-08 21:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-41411",
                                "url": "https://ubuntu.com/security/CVE-2026-41411",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Command Injection in netbeans",
                            "    - debian/patches/CVE-2026-39881.patch: Validate typename, fg, and bg",
                            "      before passing to coloncmd in src/netbeans.c",
                            "    - CVE-2026-39881",
                            "  * SECURITY UPDATE: Command injection via backtick expansion in tag files",
                            "    - debian/patches/CVE-2026-41411.patch: Disallow backticks before attempting",
                            "      to expand filenames",
                            "    - CVE-2026-41411",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Federico Quattrin <federico.quattrin@canonical.com>",
                        "date": "Wed, 06 May 2026 13:49:47 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "vim-tiny",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4",
                    "version": "2:9.1.2141-1ubuntu4"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.1",
                    "version": "2:9.1.2141-1ubuntu4.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-39881",
                        "url": "https://ubuntu.com/security/CVE-2026-39881",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-08 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-41411",
                        "url": "https://ubuntu.com/security/CVE-2026-41411",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-39881",
                                "url": "https://ubuntu.com/security/CVE-2026-39881",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-08 21:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-41411",
                                "url": "https://ubuntu.com/security/CVE-2026-41411",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Command Injection in netbeans",
                            "    - debian/patches/CVE-2026-39881.patch: Validate typename, fg, and bg",
                            "      before passing to coloncmd in src/netbeans.c",
                            "    - CVE-2026-39881",
                            "  * SECURITY UPDATE: Command injection via backtick expansion in tag files",
                            "    - debian/patches/CVE-2026-41411.patch: Disallow backticks before attempting",
                            "      to expand filenames",
                            "    - CVE-2026-41411",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Federico Quattrin <federico.quattrin@canonical.com>",
                        "date": "Wed, 06 May 2026 13:49:47 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4",
                    "version": "2:9.1.2141-1ubuntu4"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.2141-1ubuntu4.1",
                    "version": "2:9.1.2141-1ubuntu4.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-39881",
                        "url": "https://ubuntu.com/security/CVE-2026-39881",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-08 21:17:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-41411",
                        "url": "https://ubuntu.com/security/CVE-2026-41411",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-24 17:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-39881",
                                "url": "https://ubuntu.com/security/CVE-2026-39881",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-08 21:17:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-41411",
                                "url": "https://ubuntu.com/security/CVE-2026-41411",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0357, a command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-24 17:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Command Injection in netbeans",
                            "    - debian/patches/CVE-2026-39881.patch: Validate typename, fg, and bg",
                            "      before passing to coloncmd in src/netbeans.c",
                            "    - CVE-2026-39881",
                            "  * SECURITY UPDATE: Command injection via backtick expansion in tag files",
                            "    - debian/patches/CVE-2026-41411.patch: Disallow backticks before attempting",
                            "      to expand filenames",
                            "    - CVE-2026-41411",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.2141-1ubuntu4.1",
                        "urgency": "medium",
                        "distributions": "resolute-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Federico Quattrin <federico.quattrin@canonical.com>",
                        "date": "Wed, 06 May 2026 13:49:47 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-headers-7.0.0-15",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-14.14",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-15.15",
                    "version": "7.0.0-15.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148866,
                    2149808,
                    2148718
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-15.15 -proposed tracker (LP: #2148866)",
                            "",
                            "  * Qualcomm X1E: Speaker overdrive causes hardware protection shutdown",
                            "    (LP: #2149808)",
                            "    - SAUCE: ASoC: qcom: x1e80100: limit speaker volumes",
                            "",
                            "  * intel-ipu7 / intel-ipu7-isys modules are shipped unsigned in latest",
                            "    Resolute kernels, breaking Secure Boot systems  (LP: #2148718)",
                            "    - [packaging] add intel-ipu7 to signature inclusion list",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-15.15",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2148866,
                            2149808,
                            2148718
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 22 Apr 2026 16:02:19 +0200"
                    }
                ],
                "notes": "linux-headers-7.0.0-15 version '7.0.0-15.15' (source package linux version '7.0.0-15.15') was added. linux-headers-7.0.0-15 version '7.0.0-15.15' has the same source package name, linux, as removed package linux-headers-7.0.0-14. As such we can use the source package version of the removed package, '7.0.0-14.14', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-7.0.0-15-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-14.14",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-15.15",
                    "version": "7.0.0-15.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148866,
                    2149808,
                    2148718
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-15.15 -proposed tracker (LP: #2148866)",
                            "",
                            "  * Qualcomm X1E: Speaker overdrive causes hardware protection shutdown",
                            "    (LP: #2149808)",
                            "    - SAUCE: ASoC: qcom: x1e80100: limit speaker volumes",
                            "",
                            "  * intel-ipu7 / intel-ipu7-isys modules are shipped unsigned in latest",
                            "    Resolute kernels, breaking Secure Boot systems  (LP: #2148718)",
                            "    - [packaging] add intel-ipu7 to signature inclusion list",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-15.15",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2148866,
                            2149808,
                            2148718
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 22 Apr 2026 16:02:19 +0200"
                    }
                ],
                "notes": "linux-headers-7.0.0-15-generic version '7.0.0-15.15' (source package linux version '7.0.0-15.15') was added. linux-headers-7.0.0-15-generic version '7.0.0-15.15' has the same source package name, linux, as removed package linux-headers-7.0.0-14. As such we can use the source package version of the removed package, '7.0.0-14.14', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-7.0.0-15-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "7.0.0-14.14",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "7.0.0-15.15",
                    "version": "7.0.0-15.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-15.15",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "7.0.0-15.15",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 22 Apr 2026 16:05:57 +0200"
                    }
                ],
                "notes": "linux-image-7.0.0-15-generic version '7.0.0-15.15' (source package linux-signed version '7.0.0-15.15') was added. linux-image-7.0.0-15-generic version '7.0.0-15.15' has the same source package name, linux-signed, as removed package linux-image-7.0.0-14-generic. As such we can use the source package version of the removed package, '7.0.0-14.14', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-main-modules-zfs-7.0.0-15-generic",
                "from_version": {
                    "source_package_name": "linux-main-signed",
                    "source_package_version": "7.0.0-14.14+3",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-main-signed",
                    "source_package_version": "7.0.0-15.15+1",
                    "version": "7.0.0-15.15+1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013,
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-14.14",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            "",
                            "  * Miscellaneous upstream changes",
                            "    - Cleanup d/package.config from LRM config options",
                            "    - lmm: cleanup and add copyright notice",
                            "    - lmm: Fix an issue for the in-series copy phase",
                            "    - lmm: Make off_series the default mechanism",
                            "    - lmm: Allow skipping specific DKMS for specific flavours at build time",
                            "    - lmm: move final artifacts from /ubuntu to /kernel",
                            "    - lmm: Fix DKMS build for chroot environments",
                            "    - lmm: Add synthetic dependency for LMM package, to stop early promotion",
                            ""
                        ],
                        "package": "linux-main-signed",
                        "version": "7.0.0-14.14",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Mon, 13 Apr 2026 11:36:59 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 7.0.0-13.13",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            "    - [Packaging] debian/dkms-versions -- update from kernel-versions",
                            "      (main/d2026.04.07)",
                            ""
                        ],
                        "package": "linux-main-signed",
                        "version": "7.0.0-13.13",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 08 Apr 2026 06:59:33 +0200"
                    }
                ],
                "notes": "linux-main-modules-zfs-7.0.0-15-generic version '7.0.0-15.15+1' (source package linux-main-signed version '7.0.0-15.15+1') was added. linux-main-modules-zfs-7.0.0-15-generic version '7.0.0-15.15+1' has the same source package name, linux-main-signed, as removed package linux-main-modules-zfs-7.0.0-14-generic. As such we can use the source package version of the removed package, '7.0.0-14.14+3', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-7.0.0-15-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-14.14",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-15.15",
                    "version": "7.0.0-15.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148866,
                    2149808,
                    2148718
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-15.15 -proposed tracker (LP: #2148866)",
                            "",
                            "  * Qualcomm X1E: Speaker overdrive causes hardware protection shutdown",
                            "    (LP: #2149808)",
                            "    - SAUCE: ASoC: qcom: x1e80100: limit speaker volumes",
                            "",
                            "  * intel-ipu7 / intel-ipu7-isys modules are shipped unsigned in latest",
                            "    Resolute kernels, breaking Secure Boot systems (LP: #2148718)",
                            "    - [packaging] add intel-ipu7 to signature inclusion list",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-15.15",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2148866,
                            2149808,
                            2148718
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 22 Apr 2026 16:02:19 +0200"
                    }
                ],
                "notes": "linux-modules-7.0.0-15-generic version '7.0.0-15.15' (source package linux version '7.0.0-15.15') was added. linux-modules-7.0.0-15-generic version '7.0.0-15.15' has the same source package name, linux, as removed package linux-headers-7.0.0-14. As such we can use the source package version of the removed package, '7.0.0-14.14', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-7.0.0-15",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-14.14",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-15.15",
                    "version": "7.0.0-15.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148866,
                    2149808,
                    2148718
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-15.15 -proposed tracker (LP: #2148866)",
                            "",
                            "  * Qualcomm X1E: Speaker overdrive causes hardware protection shutdown",
                            "    (LP: #2149808)",
                            "    - SAUCE: ASoC: qcom: x1e80100: limit speaker volumes",
                            "",
                            "  * intel-ipu7 / intel-ipu7-isys modules are shipped unsigned in latest",
                            "    Resolute kernels, breaking Secure Boot systems (LP: #2148718)",
                            "    - [packaging] add intel-ipu7 to signature inclusion list",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-15.15",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2148866,
                            2149808,
                            2148718
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 22 Apr 2026 16:02:19 +0200"
                    }
                ],
                "notes": "linux-tools-7.0.0-15 version '7.0.0-15.15' (source package linux version '7.0.0-15.15') was added. linux-tools-7.0.0-15 version '7.0.0-15.15' has the same source package name, linux, as removed package linux-headers-7.0.0-14. As such we can use the source package version of the removed package, '7.0.0-14.14', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-7.0.0-15-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-14.14",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-15.15",
                    "version": "7.0.0-15.15"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2148866,
                    2149808,
                    2148718
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * resolute/linux: 7.0.0-15.15 -proposed tracker (LP: #2148866)",
                            "",
                            "  * Qualcomm X1E: Speaker overdrive causes hardware protection shutdown",
                            "    (LP: #2149808)",
                            "    - SAUCE: ASoC: qcom: x1e80100: limit speaker volumes",
                            "",
                            "  * intel-ipu7 / intel-ipu7-isys modules are shipped unsigned in latest",
                            "    Resolute kernels, breaking Secure Boot systems (LP: #2148718)",
                            "    - [packaging] add intel-ipu7 to signature inclusion list",
                            ""
                        ],
                        "package": "linux",
                        "version": "7.0.0-15.15",
                        "urgency": "medium",
                        "distributions": "resolute",
                        "launchpad_bugs_fixed": [
                            2148866,
                            2149808,
                            2148718
                        ],
                        "author": "Paolo Pisati <paolo.pisati@canonical.com>",
                        "date": "Wed, 22 Apr 2026 16:02:19 +0200"
                    }
                ],
                "notes": "linux-tools-7.0.0-15-generic version '7.0.0-15.15' (source package linux version '7.0.0-15.15') was added. linux-tools-7.0.0-15-generic version '7.0.0-15.15' has the same source package name, linux, as removed package linux-headers-7.0.0-14. As such we can use the source package version of the removed package, '7.0.0-14.14', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-headers-7.0.0-14",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-14.14",
                    "version": "7.0.0-14.14"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-headers-7.0.0-14-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-14.14",
                    "version": "7.0.0-14.14"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-7.0.0-14-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "7.0.0-14.14",
                    "version": "7.0.0-14.14"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-main-modules-zfs-7.0.0-14-generic",
                "from_version": {
                    "source_package_name": "linux-main-signed",
                    "source_package_version": "7.0.0-14.14+3",
                    "version": "7.0.0-14.14+3"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-7.0.0-14-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-14.14",
                    "version": "7.0.0-14.14"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-7.0.0-14",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-14.14",
                    "version": "7.0.0-14.14"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-tools-7.0.0-14-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "7.0.0-14.14",
                    "version": "7.0.0-14.14"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 26.04 resolute image from release image serial 20260421 to 20260520",
    "from_series": "resolute",
    "to_series": "resolute",
    "from_serial": "20260421",
    "to_serial": "20260520",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}