UbuntuUpdates.org


Latest Changelogs for all releases


Note: Only updates for "head" packages where the changelog is available are shown on this page.

less Apr 29th 13:07
Release: noble Repo: main Level: updates New version: 590-2ubuntu2.1

  less (590-2ubuntu2.1) noble-security; urgency=medium

  * SECURITY UPDATE: Arbitrary command execution
    - debian/patches/CVE-2024-32487.patch: Fix bug when viewing a file
      whose name contains a newline.
    - CVE-2024-32487

 -- Fabian Toepfer <email address hidden> Sun, 28 Apr 2024 13:44:40 +0200

CVE-2024-32487 less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation

libvirt Apr 29th 13:07
Release: noble Repo: main Level: security New version: 10.0.0-2ubuntu8.1
Packages in group:  libvirt0 libvirt-clients libvirt-daemon libvirt-daemon-config-network libvirt-daemon-config-nwfilter libvirt-daemon-driver-qemu libvirt-daemon-system libvirt-daemon-system-systemd libvirt-doc libvirt-l10n

  libvirt (10.0.0-2ubuntu8.1) noble-security; urgency=medium

  * SECURITY UPDATE: off-by-one in udevListInterfacesByStatus()
    - debian/patches/CVE-2024-1441.patch: properly check count in
      src/interface/interface_backend_udev.c.
    - CVE-2024-1441
  * SECURITY UPDATE: crash in RPC library
    - debian/patches/CVE-2024-2494.patch: check values in
      src/remote/remote_daemon_dispatch.c, src/rpc/gendispatch.pl.
    - CVE-2024-2494

 -- Marc Deslauriers <email address hidden> Thu, 18 Apr 2024 11:42:32 -0400

CVE-2024-1441 An off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `nam
CVE-2024-2494 A flaw was found in the RPC library APIs of libvirt. The RPC server deserialization code allocates memory for arrays before the non-negative length c

gnutls28 Apr 29th 13:07
Release: noble Repo: main Level: security New version: 3.8.3-1.1ubuntu3.1
Packages in group:  gnutls-doc libgnutls28-dev libgnutls30t64 libgnutls-dane0t64 libgnutls-openssl27t64

  gnutls28 (3.8.3-1.1ubuntu3.1) noble-security; urgency=medium

  * SECURITY UPDATE: side-channel leak via Minerva attack
    - debian/patches/CVE-2024-28834.patch: avoid normalization of mpz_t in
      deterministic ECDSA in lib/nettle/int/dsa-compute-k.c,
      lib/nettle/int/dsa-compute-k.h, lib/nettle/int/ecdsa-compute-k.c,
      lib/nettle/int/ecdsa-compute-k.h, lib/nettle/pk.c,
      tests/sign-verify-deterministic.c.
    - CVE-2024-28834
  * SECURITY UPDATE: crash via specially-crafted cert bundle
    - debian/patches/CVE-2024-28835.patch: remove length limit of input in
      lib/gnutls_int.h, lib/x509/common.c, lib/x509/verify-high.c,
      tests/test-chains.h.
    - CVE-2024-28835

 -- Marc Deslauriers <email address hidden> Thu, 18 Apr 2024 09:54:34 -0400

CVE-2024-28834 A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading
CVE-2024-28835 A flaw has been discovered in GnuTLS where an application crash can be induced when attempting to verify a specially crafted .pem bundle using the "c

glibc Apr 29th 13:07
Release: noble Repo: main Level: security New version: 2.39-0ubuntu8.1
Packages in group:  glibc-doc libc6 libc6-dbg libc6-dev libc6-dev-i386 libc6-dev-x32 libc6-i386 libc6-x32 libc-bin libc-dev-bin libc-devtools (... see all)

  glibc (2.39-0ubuntu8.1) noble-security; urgency=medium

  * SECURITY UPDATE: OOB write in iconv plugin ISO-2022-CN-EXT
    - debian/patches/any/CVE-2024-2961.patch: fix out-of-bound writes when
      writing escape sequence in iconvdata/Makefile,
      iconvdata/iso-2022-cn-ext.c, iconvdata/tst-iconv-iso-2022-cn-ext.c.
    - CVE-2024-2961

 -- Marc Deslauriers <email address hidden> Thu, 18 Apr 2024 09:52:32 -0400

CVE-2024-2961 The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting string

curl Apr 29th 13:07
Release: noble Repo: main Level: security New version: 8.5.0-2ubuntu10.1
Packages in group:  libcurl3t64-gnutls libcurl4-doc libcurl4-gnutls-dev libcurl4-openssl-dev libcurl4t64

  curl (8.5.0-2ubuntu10.1) noble-security; urgency=medium

  * SECURITY UPDATE: Usage of disabled protocol
    - debian/patches/CVE-2024-2004-pre1.patch: test1474: removed.
    - debian/patches/CVE-2024-2004.patch: fix disabling all protocols in
      lib/setopt.c, tests/data/Makefile.inc, tests/data/test1474.
    - CVE-2024-2004
  * SECURITY UPDATE: HTTP/2 push headers memory-leak
    - debian/patches/CVE-2024-2398.patch: push headers better cleanup in
      lib/http2.c.
    - CVE-2024-2398

 -- Marc Deslauriers <email address hidden> Mon, 22 Apr 2024 12:00:57 -0400

CVE-2024-2004 Usage of disabled protocol
CVE-2024-2398 HTTP/2 push headers memory-leak

apache2 Apr 29th 13:07
Release: noble Repo: main Level: security New version: 2.4.58-1ubuntu8.1
Packages in group:  apache2-bin apache2-data apache2-dev apache2-doc apache2-ssl-dev apache2-utils

  apache2 (2.4.58-1ubuntu8.1) noble-security; urgency=medium

  * SECURITY UPDATE: HTTP response splitting
    - debian/patches/CVE-2023-38709.patch: header validation after
      content-* are eval'ed in modules/http/http_filters.c.
    - CVE-2023-38709
  * SECURITY UPDATE: HTTP Response Splitting in multiple modules
    - debian/patches/CVE-2024-24795.patch: let httpd handle CL/TE for
      non-http handlers in include/util_script.h,
      modules/aaa/mod_authnz_fcgi.c, modules/generators/mod_cgi.c,
      modules/generators/mod_cgid.c, modules/http/http_filters.c,
      modules/proxy/ajp_header.c, modules/proxy/mod_proxy_fcgi.c,
      modules/proxy/mod_proxy_scgi.c, modules/proxy/mod_proxy_uwsgi.c.
    - CVE-2024-24795
  * SECURITY UPDATE: HTTP/2 DoS by memory exhaustion on endless
    continuation frames
    - debian/patches/CVE-2024-27316.patch: bail after too many failed reads
      in modules/http2/h2_session.c, modules/http2/h2_stream.c,
      modules/http2/h2_stream.h.
    - CVE-2024-27316

 -- Marc Deslauriers <email address hidden> Thu, 18 Apr 2024 11:13:41 -0400

CVE-2023-38709 Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects
CVE-2024-24795 HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applicat
CVE-2024-27316 HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client do

cpio Apr 29th 13:07
Release: mantic Repo: universe Level: updates New version: 2.13+dfsg-7.1ubuntu0.1
Packages in group:  cpio-win32

  cpio (2.13+dfsg-7.1ubuntu0.1) mantic-security; urgency=medium

  * SECURITY UPDATE: Path traversal vulnerability
    - debian/patches/CVE-2023-7207.patch: Create symlink placeholder
      if --no-absolute-filenames was given and replace placeholders
      after extraction.
    - debian/patches/revert-CVE-2015-1197-handling.patch: Removed.
    - CVE-2023-7207

 -- Fabian Toepfer <email address hidden> Sun, 28 Apr 2024 14:32:00 +0200

CVE-2023-7207 Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in
CVE-2015-1197 cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive

cpio Apr 29th 13:07
Release: mantic Repo: main Level: updates New version: 2.13+dfsg-7.1ubuntu0.1

  cpio (2.13+dfsg-7.1ubuntu0.1) mantic-security; urgency=medium

  * SECURITY UPDATE: Path traversal vulnerability
    - debian/patches/CVE-2023-7207.patch: Create symlink placeholder
      if --no-absolute-filenames was given and replace placeholders
      after extraction.
    - debian/patches/revert-CVE-2015-1197-handling.patch: Removed.
    - CVE-2023-7207

 -- Fabian Toepfer <email address hidden> Sun, 28 Apr 2024 14:32:00 +0200

CVE-2023-7207 Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in
CVE-2015-1197 cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive

less Apr 29th 13:07
Release: mantic Repo: main Level: updates New version: 590-2ubuntu0.23.10.2

  less (590-2ubuntu0.23.10.2) mantic-security; urgency=medium

  * SECURITY UPDATE: Arbitrary command execution
    - debian/patches/CVE-2024-32487.patch: Fix bug when viewing a file
      whose name contains a newline.
    - CVE-2024-32487

 -- Fabian Toepfer <email address hidden> Sat, 27 Apr 2024 22:24:28 +0200

CVE-2024-32487 less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation

cpio Apr 29th 13:07
Release: jammy Repo: universe Level: updates New version: 2.13+dfsg-7ubuntu0.1
Packages in group:  cpio-win32

  cpio (2.13+dfsg-7ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Path traversal vulnerability
    - debian/patches/CVE-2023-7207.patch: Create symlink placeholder
      if --no-absolute-filenames was given and replace placeholders
      after extraction.
    - debian/patches/revert-CVE-2015-1197-handling.patch: Removed.
    - CVE-2023-7207

 -- Fabian Toepfer <email address hidden> Sun, 28 Apr 2024 14:30:36 +0200

CVE-2023-7207 Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in
CVE-2015-1197 cpio 2.11, when using the --no-absolute-filenames option, allows local users to write to arbitrary files via a symlink attack on a file in an archive

linux-restricted-signatures-oem-6.5 Apr 29th 13:07
Release: jammy Repo: restricted Level: proposed New version: 6.5.0-1022.23
Packages in group:  linux-modules-nvidia-525-open-6.5.0-1011-oem linux-modules-nvidia-525-open-6.5.0-1014-oem linux-modules-nvidia-525-open-6.5.0-1016-oem linux-modules-nvidia-535-open-6.5.0-1002-oem linux-modules-nvidia-535-open-6.5.0-1003-oem linux-modules-nvidia-535-open-6.5.0-1004-oem linux-modules-nvidia-535-open-6.5.0-1005-oem linux-modules-nvidia-535-open-6.5.0-1006-oem linux-modules-nvidia-535-open-6.5.0-1009-oem linux-modules-nvidia-535-open-6.5.0-1010-oem linux-modules-nvidia-535-open-6.5.0-1011-oem (... see all)

  linux-restricted-signatures-oem-6.5 (6.5.0-1022.23) jammy; urgency=medium

  * Main version: 6.5.0-1022.23

  * Miscellaneous Ubuntu changes
    - debian/tracking-bug -- update from main

 -- Timo Aaltonen <email address hidden> Thu, 25 Apr 2024 14:24:06 +0300


linux-restricted-modules-oem-6.5 Apr 29th 13:07
Release: jammy Repo: restricted Level: proposed New version: 6.5.0-1022.23
Packages in group:  linux-modules-nvidia-435-oem-22.04 linux-modules-nvidia-435-oem-22.04d linux-modules-nvidia-440-oem-22.04 linux-modules-nvidia-440-oem-22.04d linux-modules-nvidia-450-oem-22.04 linux-modules-nvidia-450-oem-22.04d linux-modules-nvidia-455-oem-22.04 linux-modules-nvidia-455-oem-22.04d linux-modules-nvidia-460-oem-22.04 linux-modules-nvidia-460-oem-22.04d linux-modules-nvidia-465-oem-22.04 (... see all)

  linux-restricted-modules-oem-6.5 (6.5.0-1022.23) jammy; urgency=medium

  * Main version: 6.5.0-1022.23

  * Miscellaneous Ubuntu changes
    - debian/tracking-bug -- update from main

 -- Timo Aaltonen <email address hidden> Thu, 25 Apr 2024 14:24:06 +0300


linux-signed-oem-6.5 Apr 29th 13:06
Release: jammy Repo: main Level: proposed New version: 6.5.0-1022.23
Packages in group:  linux-image-6.5.0-1002-oem linux-image-6.5.0-1003-oem linux-image-6.5.0-1004-oem linux-image-6.5.0-1005-oem linux-image-6.5.0-1006-oem linux-image-6.5.0-1009-oem linux-image-6.5.0-1010-oem linux-image-6.5.0-1011-oem linux-image-6.5.0-1014-oem linux-image-6.5.0-1016-oem linux-image-6.5.0-1019-oem (... see all)

  linux-signed-oem-6.5 (6.5.0-1022.23) jammy; urgency=medium

  * Main version: 6.5.0-1022.23

  * Miscellaneous Ubuntu changes
    - debian/tracking-bug -- update from main

 -- Timo Aaltonen <email address hidden> Thu, 25 Apr 2024 14:24:02 +0300


linux-meta-oem-6.5 Apr 29th 13:06
Release: jammy Repo: main Level: proposed New version: 6.5.0.1022.24
Packages in group:  linux-headers-oem-22.04 linux-headers-oem-22.04a linux-headers-oem-22.04b linux-headers-oem-22.04c linux-headers-oem-22.04d linux-image-oem-22.04 linux-image-oem-22.04a linux-image-oem-22.04b linux-image-oem-22.04c linux-image-oem-22.04d linux-image-uc-oem-22.04 (... see all)

  linux-meta-oem-6.5 (6.5.0.1022.24) jammy; urgency=medium

  * Bump ABI 6.5.0-1022

 -- Timo Aaltonen <email address hidden> Thu, 25 Apr 2024 14:23:58 +0300


linux-oem-6.5 Apr 29th 13:06
Release: jammy Repo: main Level: proposed New version: 6.5.0-1022.23
Packages in group:  linux-buildinfo-6.5.0-1002-oem linux-buildinfo-6.5.0-1003-oem linux-buildinfo-6.5.0-1004-oem linux-buildinfo-6.5.0-1005-oem linux-buildinfo-6.5.0-1006-oem linux-buildinfo-6.5.0-1009-oem linux-buildinfo-6.5.0-1010-oem linux-buildinfo-6.5.0-1011-oem linux-buildinfo-6.5.0-1014-oem linux-buildinfo-6.5.0-1016-oem linux-buildinfo-6.5.0-1019-oem (... see all)

  linux-oem-6.5 (6.5.0-1022.23) jammy; urgency=medium

  * jammy/linux-oem-6.5: 6.5.0-1022.23 -proposed tracker (LP: #2063441)

  * The keyboard does not work after latest kernel update (LP: #2060727)
    - Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID
    - Input: atkbd - do not skip atkbd_deactivate() when skipping ATKBD_CMD_GETID

  * Fix random HuC/GuC initialization failure of Intel i915 driver
    (LP: #2061049)
    - drm/i915/guc: Dump perf_limit_reasons for debug
    - drm/i915/huc: Allow for very slow HuC loading

  * Fix acpi_power_meter accessing IPMI region before it's ready (LP: #2059263)
    - ACPI: IPMI: Add helper to wait for when SMI is selected
    - hwmon: (acpi_power_meter) Ensure IPMI space handler is ready on Dell systems

 -- Timo Aaltonen <email address hidden> Thu, 25 Apr 2024 14:15:27 +0300

2060727 The keyboard does not work after latest kernel update
2059263 Fix acpi_power_meter accessing IPMI region before it's ready


