File: //snap/core24/current/usr/share/doc/ChangeLog
29/08/2025, commit https://github.com/canonical/core-base/tree/3667c3306e20cafd7ee36075b3fb317f05fbec00

[ Changes in the core24 snap ]

Alfonso Sánchez-Beato (4):
      .github/workflows/release-manual.yaml: remove scheduled builds
      get-version.sh: filter by _$branch suffix when looking at tags
      hooks/001-extra-packages.chroot: add back libtirpc3t64
      snapcraft.yaml: move to 24.04.3 base

Valentin David (2):
      spread.yaml: Sync google-nested-arm with snapd
      static: copy udev disk rules from core-initrd

[ Changes in primed packages ]

base-files (built from base-files) updated from 13ubuntu10.2 to 13ubuntu10.3:

  base-files (13ubuntu10.3) noble; urgency=medium

    * /etc/issue{,.net}, /etc/{lsb,os}-release: bump version to 24.04.3
      (LP: #2119314)

   -- Ural Tunaboyu <ural.tunaboyu@canonical.com>  Fri, 01 Aug 2025 07:21:11 -0700

cloud-init (built from cloud-init) updated from 25.1.2-0ubuntu0~24.04.1 to 25.1.4-0ubuntu0~24.04.1:

  cloud-init (25.1.4-0ubuntu0~24.04.1) noble-security; urgency=medium

    * Upstream snapshot based on 25.1.4.
      List of changes from upstream can be found at
      https://raw.githubusercontent.com/canonical/cloud-init/25.1.4/ChangeLog
      - Bugs fixed in this snapshot:
        + fix: disable cloud-init when non-x86 environments have no DMI-data
          and no strict datasources detected (LP: #2069607) (CVE-2024-6174)

   -- Chad Smith <chad.smith@canonical.com>  Tue, 24 Jun 2025 15:14:03 -0600

  cloud-init (25.1.3-0ubuntu0~24.04.1) noble-security; urgency=medium

    * d/cloud-init-base.postinst: move existing hotplug-cmd fifo to root-only
      share dir (CVE-2024-11584)
    * Upstream security bugfix release based on 25.1.3.
      List of changes from upstream can be found at
      https://raw.githubusercontent.com/canonical/cloud-init/25.1.3/ChangeLog
      - Bugs fixed in this snapshot:
      - security: make hotplug socket only writable by root (LP: #2114229)
        (CVE-2024-11584)
      - security: make ds-identify behavior strict datasource discovery on
        non-x86 platforms without DMI data (LP: #2069607) (CVE-2024-6174)

   -- Chad Smith <chad.smith@canonical.com>  Thu, 12 Jun 2025 20:24:45 -0600

iproute2 (built from iproute2) updated from 6.1.0-1ubuntu6 to 6.1.0-1ubuntu6.2:

  iproute2 (6.1.0-1ubuntu6.2) noble; urgency=medium

    * Do not use stdout to print info about default fan map usage (LP: #2115790)
      - d/p/1003-ubuntu-poc-fan-dynamic-map.patch

   -- Stefan Bader <stefan.bader@canonical.com>  Thu, 10 Jul 2025 16:46:54 +0200

  iproute2 (6.1.0-1ubuntu6.1) noble; urgency=medium

    * Expose IFLA_VXLAN_FAN_MAP version via sysctl/proc (LP: #2106115)
      - d/p/1003-ubuntu-poc-fan-dynamic-map.patch

   -- Stefan Bader <stefan.bader@canonical.com>  Thu, 26 Jun 2025 16:35:31 +0200

libpython3.12-minimal:amd64, libpython3.12-stdlib:amd64, python3.12, python3.12-minimal (built from python3.12) updated from 3.12.3-1ubuntu0.7 to 3.12.3-1ubuntu0.8:

  python3.12 (3.12.3-1ubuntu0.8) noble-security; urgency=medium

    * SECURITY UPDATE: Regular expression denial of service.
      - debian/patches/CVE-2025-6069.patch: Improve regex parsing in
        Lib/html/parser.py.
      - CVE-2025-6069
    * SECURITY UPDATE: Infinite loop when parsing tar archives.
      - debian/patches/CVE-2025-8194.patch: Raise exception when count < 0 in
        Lib/tarfile.py.
      - CVE-2025-8194

   -- Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>  Thu, 14 Aug 2025 15:17:21 -0230

29/07/2025, commit https://github.com/canonical/core-base/tree/e164b892c0535598c3712caa2ecdea0667dfdfc7

[ Changes in the core24 snap ]

Alfonso Sánchez-Beato (11):
      snapcraft.yaml: set version from date tag if present
      .github/workflows/release.yaml: add release job
      .github/workflows/release.yaml: run rebuild base job each day
      .github/workflows/tests.yaml: fix runners filtering
      .github/workflows/release.yaml: fix typo
      static/secureboot-db.service: check mode by looking at modeenv
      static: check mode by looking at modeenv in several services
      tests: prepare for installation from initramfs
      .github/workflows: we do not need spread-arm anymore
      .github/workflows: add manual release job, remove old release one
      .github/workflows/release-manual: fix typo

Philip Meulengracht (1):
      tools: aggregate old changelogs

[ Changes in primed packages ]

libc-bin, libc6:amd64, libc6:i386 (built from glibc) updated from 2.39-0ubuntu8.4 to 2.39-0ubuntu8.5:

  glibc (2.39-0ubuntu8.5) noble-security; urgency=medium

    * SECURITY UPDATE: insecure power10 strcmp implementation
      - debian/patches/any/CVE-2025-5702.patch: remove power10 optimized
        strcmp.
      - CVE-2025-5702
    * Moved other security patches to debian/patches/any.

   -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 09 Jul 2025 12:47:47 -0400

gpgv (built from gnupg2) updated from 2.4.4-2ubuntu17.2 to 2.4.4-2ubuntu17.3:

  gnupg2 (2.4.4-2ubuntu17.3) noble-security; urgency=medium

    * debian/patches/fix-key-validity-regression-due-to-CVE-2025-30258.patch:
      - Fix a key validity regression following patches for CVE-2025-30258,
        causing trusted "certify-only" primary keys to be ignored when checking
        signature on user IDs and computing key validity. This regression makes
        imported keys signed by a trusted "certify-only" key have an unknown
        validity (LP: #2114775).

   -- dcpi <dcpi@u22vm>  Thu, 26 Jun 2025 13:17:22 +0000

gnutls-bin, libgnutls-dane0t64:amd64, libgnutls30t64:amd64 (built from gnutls28) updated from 3.8.3-1.1ubuntu3.3 to 3.8.3-1.1ubuntu3.4:

  gnutls28 (3.8.3-1.1ubuntu3.4) noble-security; urgency=medium

    * SECURITY UPDATE: double-free via otherName in the SAN
      - debian/patches/CVE-2025-32988.patch: avoid double free when exporting
        othernames in SAN in lib/x509/extensions.c.
      - CVE-2025-32988
    * SECURITY UPDATE: OOB read via malformed length field in SCT extension
      - debian/patches/CVE-2025-32989.patch: fix read buffer overrun in SCT
        timestamps in lib/x509/x509_ext.c.
      - CVE-2025-32989
    * SECURITY UPDATE: heap write overflow in certtool via invalid template
      - debian/patches/CVE-2025-32990.patch: avoid 1-byte write buffer
        overrun when parsing template in src/certtool-cfg.c,
        tests/cert-tests/Makefile.am, tests/cert-tests/template-test.sh,
        tests/cert-tests/templates/template-too-many-othernames.tmpl.
      - CVE-2025-32990
    * SECURITY UPDATE: NULL deref via missing PSK in TLS 1.3 handshake
      - debian/patches/CVE-2025-6395.patch: clear HSK_PSK_SELECTED when
        resetting binders in lib/handshake.c, lib/state.c, tests/Makefile.am,
        tests/tls13/hello_retry_request_psk.c.
      - CVE-2025-6395

   -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 11 Jul 2025 08:58:05 -0400

gzip (built from gzip) updated from 1.12-1ubuntu3 to 1.12-1ubuntu3.1:

  gzip (1.12-1ubuntu3.1) noble; urgency=medium

    * d/p/0001-maint-fix-s390-buffer-flushes.patch: align the behavior of
      dfltcc_inflate to do the same as gzip_inflate when it hits a premature EOF
      (LP: #2083700)

   -- Andreas Hasenack <andreas@canonical.com>  Mon, 27 Jan 2025 13:56:44 -0300

iputils-ping (built from iputils) updated from 3:20240117-1build1 to 3:20240117-1ubuntu0.1:

  iputils (3:20240117-1ubuntu0.1) noble-security; urgency=medium

    * SECURITY UPDATE: DoS via crafted ICMP Echo Reply packet
      - debian/patches/CVE-2025-47268: fix signed 64-bit integer overflow in
        RTT calculation in iputils_common.h, ping/ping_common.c.
      - debian/patches/CVE-2025-48964.patch: fix moving average rtt
        calculation in iputils_common.h, ping/ping.h, ping/ping_common.c.
      - CVE-2025-47268
      - CVE-2025-48964

   -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 24 Jul 2025 07:51:16 -0400

libpciaccess0:amd64 (built from libpciaccess) updated from 0.17-3build1 to 0.17-3ubuntu0.24.04.2:

  libpciaccess (0.17-3ubuntu0.24.04.2) noble; urgency=medium

    * Revert to 0.17-3build1 since the previous update appears to cause
      inability to log in to the desktop on some systems (LP: #2115574)

   -- Jeremy Bícha <jbicha@ubuntu.com>  Mon, 30 Jun 2025 11:55:17 -0400

  libpciaccess (0.17-3ubuntu0.24.04.1) noble; urgency=medium

    * AMD platform A + N config selected wrong primary GPU in Xorg (LP: #2111684)
      d/p/0001-linux_sysfs-Identify-boot_vga-by-acpi-companion-hid.patch

   -- Kai-Chuan Hsieh <kaichuan.hsieh@canonical.com>  Tue, 03 Jun 2025 17:23:44 +0800

libnetplan1:amd64, netplan-generator, netplan.io, python3-netplan (built from netplan.io) updated from 1.1.2-2~ubuntu24.04.1 to 1.1.2-2~ubuntu24.04.2:

  netplan.io (1.1.2-2~ubuntu24.04.2) noble; urgency=medium

    * Add integration tests for `netplan try`
      - d/p/lp2083029/0007-tests-integration-netplan-try.patch
    * Fix networkd file permissions during `netplan try` restore (LP: #2083029)
      - d/p/lp2083029/0008-cli-ConfigManager-must-copy-file-ownership.patch
    * Prevent netplan-generate from running during `netplan try` (LP: #2083029)
      - d/p/lp2083029/0009-generate-Don-t-run-during-netplan-try.patch

   -- Wesley Hershberger <wesley.hershberger@canonical.com>  Thu, 17 Apr 2025 10:46:08 -0500

openssh-client, openssh-server, openssh-sftp-server (built from openssh) updated from 1:9.6p1-3ubuntu13.12 to 1:9.6p1-3ubuntu13.13:

  openssh (1:9.6p1-3ubuntu13.13) noble; urgency=medium

    * Explicitly listen on IPv4 by default, with socket-activated sshd
      (LP: #2080216)
      - d/systemd/ssh.socket: explicitly listen on ipv4 by default
      - d/t/sshd-socket-generator: update for new defaults and AddressFamily
      - sshd-socket-generator: handle new ssh.socket default settings

   -- Nick Rosbrook <enr0n@ubuntu.com>  Mon, 09 Jun 2025 13:22:39 -0400

python3-urllib3 (built from python-urllib3) updated from 2.0.7-1ubuntu0.1 to 2.0.7-1ubuntu0.2:

  python-urllib3 (2.0.7-1ubuntu0.2) noble-security; urgency=medium

    * SECURITY UPDATE: Information disclosure through improperly disabled
      redirects.
      - debian/patches/CVE-2025-50181.patch: Add "retries" check and set retries
        to Retry.from_int(retries, redirect=False) as well as set
        raise_on_redirect in ./src/urllib3/poolmanager.py.
      - CVE-2025-50181

   -- Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>  Mon, 23 Jun 2025 16:34:35 -0230

libpython3.12-minimal:amd64, libpython3.12-stdlib:amd64, python3.12, python3.12-minimal (built from python3.12) updated from 3.12.3-1ubuntu0.6 to 3.12.3-1ubuntu0.7:

  python3.12 (3.12.3-1ubuntu0.7) noble-security; urgency=medium

    * SECURITY UPDATE: Arbitrary filesystem and metadata write through improper
      tar filtering.
      - debian/patches/CVE-202x-12718-4138-4x3x-4517.patch: Add ALLOW_MISSING in
        ./Lib/genericpath.py, ./Lib/ntpath.py, ./Lib/posixpath.py. Change filter
        to handle errors in ./Lib/ntpath.py, ./Lib/posixpath.py. Add checks and
        unfiltered to ./Lib/tarfile.py. Modify tests.
      - CVE-2024-12718
      - CVE-2025-4138
      - CVE-2025-4330
      - CVE-2025-4435
      - CVE-2025-4517

   -- Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>  Wed, 18 Jun 2025 15:29:45 -0230

libsqlite3-0:amd64 (built from sqlite3) updated from 3.45.1-1ubuntu2.3 to 3.45.1-1ubuntu2.4:

  sqlite3 (3.45.1-1ubuntu2.4) noble-security; urgency=medium

    * SECURITY UPDATE: Memory corruption via number of aggregate terms
      - debian/patches/CVE-2025-6965.patch: raise an error right away if the
        number of aggregate terms in a query exceeds the maximum number of
        columns in src/expr.c, src/sqliteInt.h.
      - CVE-2025-6965

   -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Fri, 18 Jul 2025 10:56:16 -0400

sudo (built from sudo) updated from 1.9.15p5-3ubuntu5 to 1.9.15p5-3ubuntu5.24.04.1:

  sudo (1.9.15p5-3ubuntu5.24.04.1) noble-security; urgency=medium

    * SECURITY UPDATE: Local Privilege Escalation via host option
      - debian/patches/CVE-2025-32462.patch: only allow specifying a host
        when listing privileges.
      - CVE-2025-32462
    * SECURITY UPDATE: Local Privilege Escalation via chroot option
      - debian/patches/CVE-2025-32463.patch: remove user-selected root
        directory chroot option.
      - CVE-2025-32463

   -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 25 Jun 2025 08:42:53 -0400

libpam-systemd:amd64, libsystemd-shared:amd64, libsystemd0:amd64, libudev1:amd64, systemd, systemd-coredump, systemd-dev, systemd-resolved, systemd-sysv, systemd-timesyncd, udev (built from systemd) updated from 255.4-1ubuntu8.8 to 255.4-1ubuntu8.10:

  systemd (255.4-1ubuntu8.10) noble; urgency=medium

    * Fix regression in networkctl caused by previous upload:
      A regression was introduced due to an incorrect manager reference being passed to
      manager_get_route_table_to_string() within route_append_json(), resulting in an
      error when executing the `networkctl --json=pretty` command.
      > networkctl --json=pretty
      Failed to get description: Message recipient disconnected from message bus without replying

   -- Chengen Du <chengen.du@canonical.com>  Wed, 02 Jul 2025 10:04:32 -0400

  systemd (255.4-1ubuntu8.9) noble; urgency=medium

    * Preserve IPv6 configurations when `KeepConfiguration=dhcp-on-stop` is set
      (LP: #2098183)
      - d/p/lp2098183/0001-network-use-json_variant_append_arrayb.patch
      - d/p/lp2098183/0002-json-add-new-dispatch-flag-JSON_ALLOW_EXTENSIONS.patch
      - d/p/lp2098183/0003-json-add-macro-for-automatically-defining-a-dispatch.patch
      - d/p/lp2098183/0004-json-introduce-json_dispatch_byte_array_iovec-and-js.patch
      - d/p/lp2098183/0005-json-introduce-json_dispatch_int8-and-json_dispatch_.patch
      - d/p/lp2098183/0006-json-extend-JsonDispatch-flags-with-nullable-and-ref.patch
      - d/p/lp2098183/0007-json-util-generalize-json_dispatch_ifindex.patch
      - d/p/lp2098183/0008-daemon-util-expose-notify_push_fd.patch
      - d/p/lp2098183/0009-network-json-add-missing-entries-for-route-propertie.patch
      - d/p/lp2098183/0010-network-introduce-network_config_source_from_string.patch
      - d/p/lp2098183/0011-network-expose-log_route_debug-and-log_address_debug.patch
      - d/p/lp2098183/0012-network-introduce-manager_serialize-deserialize.patch
      - d/p/lp2098183/0013-network-keep-all-dynamically-acquired-configurations.patch

   -- Chengen Du <chengen.du@canonical.com>  Mon, 09 Jun 2025 13:44:06 -0400

bsdutils, fdisk, libblkid1:amd64, libfdisk1:amd64, libmount1:amd64, libsmartcols1:amd64, libuuid1:amd64, mount, rfkill, util-linux (built from util-linux) updated from 1:2.39.3-9ubuntu6.2 to 1:2.39.3-9ubuntu6.3:

18/06/2025, commit https://git.launchpad.net/snap-core24/tree/f9ca904d1e47c062780620e0060063d8a54646dd

[ Changes in the core24 snap ]

Alfonso Sánchez-Beato (1):
      .github,tests: do not rebuild base for each test

[ Changes in primed packages ]

libapt-pkg6.0t64:amd64 (built from apt) updated from 2.7.14build2 to 2.8.3:

  apt (2.8.3) noble; urgency=medium

    * Revert increased key size requirements from 2.8.0-2.8.2 (LP: #2073126)
      - Revert "Only install 00-temporary-rsa1024 for >=2.7.6 and improve comment"
      - Revert "Only warn about <rsa2048 when upgrading from 2.7.x to 2.8.x"
      - Revert rsa1024 to warnings again
      This leaves the mechanisms in place and no longer warns about NIST curves.
    * Fix keeping back removals of obsolete packages; and return an error if
      ResolveByKeep() is unsuccessful (LP: #2078720)
    * Fix buffer overflow, stack overflow, exponential complexity in
      apt-ftparchive Contents generation (LP: #2083697)
      - ftparchive: Mystrdup: Add safety check and bump buffer size
      - ftparchive: contents: Avoid exponential complexity and overflows
      - test framework: Improve valgrind support
      - test: Check that apt-ftparchive handles deep paths
      - Workaround valgrind "invalid read" in ExtractTar::Go by moving large
        buffer from stack to heap. The large buffer triggered some bugs in
        valgrind stack clash protection handling.

   -- Julian Andres Klode <juliank@ubuntu.com>  Tue, 22 Oct 2024 15:02:22 +0200

  apt (2.8.2) noble; urgency=medium

    * Only install 00-temporary-rsa1024 for >=2.7.6 and improve comment
      (follow-up for LP: #2073126)

   -- Julian Andres Klode <juliank@ubuntu.com>  Tue, 13 Aug 2024 16:47:13 +0200

  apt (2.8.1) noble; urgency=medium

    * Only revoke weak RSA keys for now, add 'next' and 'future' levels
      (backported from 2.9.7)
      Note that the changes to warn about keys not matching the future level
      in the --audit level are not fully included, as the --audit feature
      has not yet been backported. (LP: #2073126)
    * Introduce further mitigation on upgrades from 2.7.x to allow these
      systems to continue using rsa1024 repositories with warnings
      until the 24.04.2 point release (LP: #2073126)

   -- Julian Andres Klode <juliank@ubuntu.com>  Tue, 30 Jul 2024 17:12:00 +0900

  apt (2.8.0) noble; urgency=medium

    [ Julian Andres Klode ]
    * Revert "Temporarily downgrade key assertions to "soon worthless""
      We temporarily downgraded the errors to warnings to give the
      launchpad PPAs time to be fixed, but warnings are not safe:
      Untrusted keys could be hiding on your system, but just not
      used at the moment. Hence revert this so we get the errors we
      want. (LP: #2060721)
    * Branch off the stable 2.8.y branch for noble:
      - CI: Test in ubuntu:noble images for 2.8.y
      - debian/gbp.conf: Point at the 2.8.y branch

    [ David Kalnischkies ]
    * Test suite fixes:
      - Avoid subshell hiding failure report from testfilestats
      - Ignore umask of leftover diff_Index in failed pdiff test
    * Documentation translation fixes:
      - Fix and unfuzzy previous VCG/Graphviz URI change

   -- Julian Andres Klode <juliank@ubuntu.com>  Tue, 16 Apr 2024 16:59:14 +0200

cloud-init (built from cloud-init) updated from 24.4.1-0ubuntu0~24.04.3 to 25.1.2-0ubuntu0~24.04.1:

  cloud-init (25.1.2-0ubuntu0~24.04.1) noble; urgency=medium

    * Upstream snapshot based on 25.1.2. (LP: #2104165).
      List of changes from upstream can be found at
      https://raw.githubusercontent.com/canonical/cloud-init/25.1.2/ChangeLog

   -- James Falcon <james.falcon@canonical.com>  Mon, 19 May 2025 15:00:58 -0500

  cloud-init (25.1.1-0ubuntu1~24.04.1) noble; urgency=medium

    * Drop cpicks which are now upstream:
      - cpick-d75840be-fix-retry-AWS-hotplug-for-async-IMDS-5995
      - cpick-84806336-chore-Add-feature-flag-for-manual-network-waiting
      - d/p/cpick-c60771d8-test-pytestify-test_url_helper.py
      - d/p/cpick-8810a2dc-test-Remove-CiTestCase-from-test_url_helper.py
      - d/p/cpick-582f16c1-test-add-OauthUrlHelper-tests
      - d/p/cpick-9311e066-fix-Update-OauthUrlHelper-to-use-readurl-exception_cb
    * refresh patches
      - d/p/deprecation-version-boundary.patch
      - d/p/grub-dpkg-support.patch
      - d/p/no-nocloud-network.patch
      - d/p/no-single-process.patch
    * sort hunks within all patches (--sort on quilt refresh)
    * Upstream snapshot based on 25.1.1.
      List of changes from upstream can be found at
      https://raw.githubusercontent.com/canonical/cloud-init/25.1.1/ChangeLog

   -- Chad Smith <chad.smith@canonical.com>  Tue, 25 Mar 2025 11:02:28 -0600

libgssapi-krb5-2:amd64, libk5crypto3:amd64, libkrb5-3:amd64, libkrb5support0:amd64 (built from krb5) updated from 1.20.1-6ubuntu2.5 to 1.20.1-6ubuntu2.6:

  krb5 (1.20.1-6ubuntu2.6) noble-security; urgency=medium

    * SECURITY UPDATE: Use of weak cryptographic hash.
      - debian/patches/CVE-2025-3576.patch: Add allow_des3 and allow_rc4 options.
        Disallow usage of des3 and rc4 unless allowed in the config. Replace
        warn_des3 with warn_deprecated in ./src/lib/krb5/krb/get_in_tkt.c. Add
        allow_des3 and allow_rc4 boolean in ./src/include/k5-int.h. Prevent usage
        of deprecated enctypes in ./src/kdc/kdc_util.c.
      - debian/patches/CVE-2025-3576-post1.patch: Add enctype comparison with
        ENCTYPE_AES256_CTS_HMAC_SHA1_96 in ./src/kdc/kdc_util.c.
      - CVE-2025-3576

   -- Hlib Korzhynskyy <hlib.korzhynskyy@canonical.com>  Thu, 15 May 2025 10:09:20 +0200

openssh-client, openssh-server, openssh-sftp-server (built from openssh) updated from 1:9.6p1-3ubuntu13.11 to 1:9.6p1-3ubuntu13.12:

  openssh (1:9.6p1-3ubuntu13.12) noble; urgency=medium

    * d/p/sshd-socket-generator.patch: add note to sshd_config
      Explain that a systemctl daemon-reload is needed for changes
      to Port et al to take effect.
      (LP: #2069041)

   -- Nick Rosbrook <enr0n@ubuntu.com>  Tue, 29 Apr 2025 10:57:04 -0400

libpam-modules-bin, libpam-modules:amd64, libpam-runtime, libpam0g:amd64 (built from pam) updated from 1.5.3-5ubuntu5.1 to 1.5.3-5ubuntu5.4:

  pam (1.5.3-5ubuntu5.4) noble-security; urgency=medium

    * SECURITY UPDATE: privilege escalation via pam_namespace
      - debian/patches/pam_namespace_170.patch: sync pam_namespace module to
        version 1.7.0.
      - debian/patches/pam_namespace_post170-*.patch: add post-1.7.0 changes
        from upstream git tree.
      - debian/patches/pam_namespace_revert_abi.patch: revert ABI change to
        prevent unintended issues in running daemons.
      - debian/patches/CVE-2025-6020-1.patch: fix potential privilege
        escalation.
      - debian/patches/CVE-2025-6020-2.patch: add flags to indicate path
        safety.
      - debian/patches/CVE-2025-6020-3.patch: secure_opendir: do not look at
        the group ownership.
      - debian/patches/pam_namespace_o_directory.patch: removed, included in
        patch cluster above.
      - CVE-2025-6020

   -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 12 Jun 2025 10:45:28 -0400

  pam (1.5.3-5ubuntu5.2) noble; urgency=medium

    * d/p/031_pam_include: fix loading from /usr/lib/pam.d (LP: #2087827)

   -- Simon Chopin <schopin@ubuntu.com>  Mon, 26 May 2025 16:34:46 +0200

libpython3.12-minimal:amd64, libpython3.12-stdlib:amd64, python3.12, python3.12-minimal (built from python3.12) updated from 3.12.3-1ubuntu0.5 to 3.12.3-1ubuntu0.6:

  python3.12 (3.12.3-1ubuntu0.6) noble-security; urgency=medium

    * SECURITY UPDATE: incorrect address list folding
      - debian/patches/CVE-2025-1795-2.patch: fix AttributeError in the email
        module in Lib/email/_header_value_parser.py,
        Lib/test/test_email/test__header_value_parser.py.
      - CVE-2025-1795
    * SECURITY UPDATE: DoS via bytes.decode with unicode_escape
      - debian/patches/CVE-2025-4516.patch: fix use-after-free in the
        unicode-escape decoder with an error handler in
        Include/cpython/bytesobject.h, Include/cpython/unicodeobject.h,
        Lib/test/test_codeccallbacks.py, Lib/test/test_codecs.py,
        Objects/bytesobject.c, Objects/unicodeobject.c,
        Parser/string_parser.c.
      - CVE-2025-4516

   -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 26 May 2025 14:50:19 -0400

python3-requests (built from requests) updated from 2.31.0+dfsg-1ubuntu1 to 2.31.0+dfsg-1ubuntu1.1:

  requests (2.31.0+dfsg-1ubuntu1.1) noble-security; urgency=medium

    * SECURITY UPDATE: Information Leak
      - debian/patches/CVE-2024-47081.patch: Only use hostname to do netrc
        lookup instead of netloc
      - CVE-2024-47081
    * Skip Test
      - skip-failing-zip-test.patch: Skip failing zip test

   -- Bruce Cable <bruce.cable@canonical.com>  Thu, 12 Jun 2025 11:19:32 +1000

python3-pkg-resources (built from setuptools) updated from 68.1.2-2ubuntu1.1 to 68.1.2-2ubuntu1.2:

  setuptools (68.1.2-2ubuntu1.2) noble-security; urgency=medium

    * SECURITY UPDATE: path traversal vulnerability
      - debian/patches/CVE-2025-47273-pre1.patch: Extract
        _resolve_download_filename with test.
      - debian/patches/CVE-2025-47273.patch: Add a check to ensure the name
        resolves relative to the tmpdir.
      - CVE-2025-47273

   -- Fabian Toepfer <fabian.toepfer@canonical.com>  Wed, 28 May 2025 19:00:32 +0200

libpam-systemd:amd64, libsystemd-shared:amd64, libsystemd0:amd64, libudev1:amd64, systemd, systemd-coredump, systemd-dev, systemd-resolved, systemd-sysv, systemd-timesyncd, udev (built from systemd) updated from 255.4-1ubuntu8.6 to 255.4-1ubuntu8.8:

  systemd (255.4-1ubuntu8.8) noble-security; urgency=medium

    * SECURITY UPDATE: race condition in systemd-coredump
      - debian/patches/CVE_2025_4598_1.patch: coredump: get rid of
        _META_MANDATORY_MAX.
      - debian/patches/CVE_2025_4598_2.patch: coredump: use %d in kernel core
        pattern.
      - debian/patches/CVE_2025_4598_3.patch: coredump: also stop forwarding
        non-dumpable processes.
      - debian/patches/CVE_2025_4598_4.patch: coredump: get rid of a bogus
        assertion.
      - CVE-2025-4598
    * this update does not include the changes from 255.4-1ubuntu8.7 as included in noble-proposed

   -- Octavio Galland <octavio.galland@canonical.com>  Wed, 04 Jun 2025 09:24:15 -0300

tzdata (built from tzdata) updated from 2025b-0ubuntu0.24.04 to 2025b-0ubuntu0.24.04.1:

  tzdata (2025b-0ubuntu0.24.04.1) noble; urgency=medium

    * Update the ICU timezone data to 2025b (LP: #2107950)
    * Add autopkgtest test case for ICU timezone data 2025b

   -- Benjamin Drung <bdrung@ubuntu.com>  Tue, 22 Apr 2025 12:11:08 +0200