{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-headers-5.4.0-187", "linux-headers-5.4.0-187-generic", "linux-image-5.4.0-187-generic", "linux-modules-5.4.0-187-generic" ], "removed": [ "linux-headers-5.4.0-186", "linux-headers-5.4.0-186-generic", "linux-image-5.4.0-186-generic", "linux-modules-5.4.0-186-generic" ], "diff": [ "cloud-init", "git", "git-man", "libnetplan0", "linux-headers-generic", "linux-headers-virtual", "linux-image-virtual", "linux-virtual", "netplan.io", "snapd", "wget" ] } }, "diff": { "deb": [ { "name": "cloud-init", "from_version": { "source_package_name": "cloud-init", "source_package_version": "24.1.3-0ubuntu1~20.04.4", "version": "24.1.3-0ubuntu1~20.04.4" }, "to_version": { "source_package_name": "cloud-init", "source_package_version": "24.1.3-0ubuntu1~20.04.5", "version": "24.1.3-0ubuntu1~20.04.5" }, "cves": [], "launchpad_bugs_fixed": [ 2066979, 2066985, 2066985 ], "changes": [ { "cves": [], "log": [ "", " * Upstream bug fix release based on 24.1.7", " + functional fixes in debian/patches:", " - cpick-417ee551: fix(ec2): Ensure metadata exists before configuring PBR.", " (LP: #2066979)", " - cpick-d6776632: fix: Check renderer for netplan-specific code (#5321)", " (LP: #2066985)", " - cpick d771d1f4: fix(ec2): Correctly identify netplan renderer (#5361)", " (LP: #2066985)", " + test fixes in debian/patches:", " - cpick-74dc7cce: test: Fix failing test_ec2.py test (#5324)", "" ], "package": "cloud-init", "version": "24.1.3-0ubuntu1~20.04.5", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2066979, 2066985, 2066985 ], "author": "James Falcon ", "date": "Wed, 05 Jun 2024 12:40:38 -0500" } ], "notes": null }, { "name": "git", "from_version": { "source_package_name": "git", "source_package_version": "1:2.25.1-1ubuntu3.12", "version": "1:2.25.1-1ubuntu3.12" }, "to_version": { "source_package_name": "git", "source_package_version": "1:2.25.1-1ubuntu3.13", "version": "1:2.25.1-1ubuntu3.13" }, "cves": [ { "cve": "CVE-2024-32002", "url": "https://ubuntu.com/security/CVE-2024-32002", "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.", "cve_priority": "medium", "cve_public_date": "2024-05-14 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-32002", "url": "https://ubuntu.com/security/CVE-2024-32002", "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.", "cve_priority": "medium", "cve_public_date": "2024-05-14 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Facilitation of arbitrary code execution", " - debian/patches/CVE-2024-32002.patch: submodule paths", " must not contains symlinks in builtin/submodule--helper.c.", " - CVE-2024-32002", "" ], "package": "git", "version": "1:2.25.1-1ubuntu3.13", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 13 Jun 2024 12:56:11 -0400" } ], "notes": null }, { "name": "git-man", "from_version": { "source_package_name": "git", "source_package_version": "1:2.25.1-1ubuntu3.12", "version": "1:2.25.1-1ubuntu3.12" }, "to_version": { "source_package_name": "git", "source_package_version": "1:2.25.1-1ubuntu3.13", "version": "1:2.25.1-1ubuntu3.13" }, "cves": [ { "cve": "CVE-2024-32002", "url": "https://ubuntu.com/security/CVE-2024-32002", "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.", "cve_priority": "medium", "cve_public_date": "2024-05-14 19:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-32002", "url": "https://ubuntu.com/security/CVE-2024-32002", "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.", "cve_priority": "medium", "cve_public_date": "2024-05-14 19:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Facilitation of arbitrary code execution", " - debian/patches/CVE-2024-32002.patch: submodule paths", " must not contains symlinks in builtin/submodule--helper.c.", " - CVE-2024-32002", "" ], "package": "git", "version": "1:2.25.1-1ubuntu3.13", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 13 Jun 2024 12:56:11 -0400" } ], "notes": null }, { "name": "libnetplan0", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.104-0ubuntu2~20.04.4", "version": "0.104-0ubuntu2~20.04.4" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.104-0ubuntu2~20.04.5", "version": "0.104-0ubuntu2~20.04.5" }, "cves": [ { "cve": "CVE-2022-4968", "url": "https://ubuntu.com/security/CVE-2022-4968", "cve_description": "netplan leaks the private key of wireguard to local users. A security fix will be released soon.", "cve_priority": "medium", "cve_public_date": "2024-06-07 01:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2065738, 1987842, 2066258 ], "changes": [ { "cves": [ { "cve": "CVE-2022-4968", "url": "https://ubuntu.com/security/CVE-2022-4968", "cve_description": "netplan leaks the private key of wireguard to local users. A security fix will be released soon.", "cve_priority": "medium", "cve_public_date": "2024-06-07 01:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: weak permissions on secret files, command injection", " - d/p/lp2065738/0015-libnetplan-use-more-restrictive-file-permissions.patch:", " Use more restrictive file permissions to prevent unprivileged users to", " read sensitive data from back end files (LP: #2065738, #1987842)", " - CVE-2022-4968", " - d/p/lp2066258/0016-libnetplan-escape-control-characters.patch:", " Escape control characters in the parser and double quotes in backend files", " - d/p/lp2066258/0017-libnetplan-escape-file-paths.patch:", " Escape special characters in file paths", " - d/p/lp2066258/0018-libnetplan-escape-semicolons-in-service-units.patch:", " Escape isolated semicolons in systemd service units (LP: #2066258)", " * debian/netplan.io.postinst: Add a postinst maintainer script to call the", " generator. It's needed so the file permissions fixes will be applied", " automatically, thanks to danilogondolfo ", "" ], "package": "netplan.io", "version": "0.104-0ubuntu2~20.04.5", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [ 2065738, 1987842, 2066258 ], "author": "Sudhakar Verma ", "date": "Mon, 24 Jun 2024 22:03:31 +0530" } ], "notes": null }, { "name": "linux-headers-generic", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.186.184", "version": "5.4.0.186.184" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.187.185", "version": "5.4.0.187.185" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-187", "" ], "package": "linux-meta", "version": "5.4.0.187.185", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Mon, 10 Jun 2024 10:02:39 +0200" } ], "notes": null }, { "name": "linux-headers-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.186.184", "version": "5.4.0.186.184" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.187.185", "version": "5.4.0.187.185" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-187", "" ], "package": "linux-meta", "version": "5.4.0.187.185", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Mon, 10 Jun 2024 10:02:39 +0200" } ], "notes": null }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.186.184", "version": "5.4.0.186.184" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.187.185", "version": "5.4.0.187.185" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-187", "" ], "package": "linux-meta", "version": "5.4.0.187.185", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Mon, 10 Jun 2024 10:02:39 +0200" } ], "notes": null }, { "name": "linux-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.186.184", "version": "5.4.0.186.184" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "5.4.0.187.185", "version": "5.4.0.187.185" }, "cves": [], "launchpad_bugs_fixed": [], "changes": [ { "cves": [], "log": [ "", " * Bump ABI 5.4.0-187", "" ], "package": "linux-meta", "version": "5.4.0.187.185", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [], "author": "Roxana Nicolescu ", "date": "Mon, 10 Jun 2024 10:02:39 +0200" } ], "notes": null }, { "name": "netplan.io", "from_version": { "source_package_name": "netplan.io", "source_package_version": "0.104-0ubuntu2~20.04.4", "version": "0.104-0ubuntu2~20.04.4" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "0.104-0ubuntu2~20.04.5", "version": "0.104-0ubuntu2~20.04.5" }, "cves": [ { "cve": "CVE-2022-4968", "url": "https://ubuntu.com/security/CVE-2022-4968", "cve_description": "netplan leaks the private key of wireguard to local users. A security fix will be released soon.", "cve_priority": "medium", "cve_public_date": "2024-06-07 01:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2065738, 1987842, 2066258 ], "changes": [ { "cves": [ { "cve": "CVE-2022-4968", "url": "https://ubuntu.com/security/CVE-2022-4968", "cve_description": "netplan leaks the private key of wireguard to local users. A security fix will be released soon.", "cve_priority": "medium", "cve_public_date": "2024-06-07 01:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: weak permissions on secret files, command injection", " - d/p/lp2065738/0015-libnetplan-use-more-restrictive-file-permissions.patch:", " Use more restrictive file permissions to prevent unprivileged users to", " read sensitive data from back end files (LP: #2065738, #1987842)", " - CVE-2022-4968", " - d/p/lp2066258/0016-libnetplan-escape-control-characters.patch:", " Escape control characters in the parser and double quotes in backend files", " - d/p/lp2066258/0017-libnetplan-escape-file-paths.patch:", " Escape special characters in file paths", " - d/p/lp2066258/0018-libnetplan-escape-semicolons-in-service-units.patch:", " Escape isolated semicolons in systemd service units (LP: #2066258)", " * debian/netplan.io.postinst: Add a postinst maintainer script to call the", " generator. It's needed so the file permissions fixes will be applied", " automatically, thanks to danilogondolfo ", "" ], "package": "netplan.io", "version": "0.104-0ubuntu2~20.04.5", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [ 2065738, 1987842, 2066258 ], "author": "Sudhakar Verma ", "date": "Mon, 24 Jun 2024 22:03:31 +0530" } ], "notes": null }, { "name": "snapd", "from_version": { "source_package_name": "snapd", "source_package_version": "2.62+20.04", "version": "2.62+20.04" }, "to_version": { "source_package_name": "snapd", "source_package_version": "2.63+20.04", "version": "2.63+20.04" }, "cves": [], "launchpad_bugs_fixed": [ 2061179, 2058277 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release, LP: #2061179", " - Support for snap services to show the current status of user", " services (experimental)", " - Refresh app awareness: record snap-run-inhibit notice when", " starting app from snap that is busy with refresh (experimental)", " - Refresh app awareness: use warnings as fallback for desktop", " notifications (experimental)", " - Aspect based configuration: make request fields in the aspect-", " bundle's rules optional (experimental)", " - Aspect based configuration: make map keys conform to the same", " format as path sub-keys (experimental)", " - Aspect based configuration: make unset and set behaviour similar", " to configuration options (experimental)", " - Aspect based configuration: limit nesting level for setting value", " (experimental)", " - Components: use symlinks to point active snap component revisions", " - Components: add model assertion support for components", " - Components: fix to ensure local component installation always gets", " a new revision number", " - Add basic support for a CIFS remote filesystem-based home", " directory", " - Add support for AppArmor profile kill mode to avoid snap-confine", " error", " - Allow more than one interface to grant access to the same API", " endpoint or notice type", " - Allow all snapd service's control group processes to send systemd", " notifications to prevent warnings flooding the log", " - Enable not preseeded single boot install", " - Update secboot to handle new sbatlevel", " - Fix to not use cgroup for non-strict confined snaps (devmode,", " classic)", " - Fix two race conditions relating to freedesktop notifications", " - Fix missing tunables in snap-update-ns AppArmor template", " - Fix rejection of snapd snap udev command line by older host snap-", " device-helper", " - Rework seccomp allow/deny list", " - Clean up files removed by gadgets", " - Remove non-viable boot chains to avoid secboot failure", " - posix_mq interface: add support for missing time64 mqueue syscalls", " mq_timedreceive_time64 and mq_timedsend_time64", " - password-manager-service interface: allow kwalletd version 6", " - kubernetes-support interface: allow SOCK_SEQPACKET sockets", " - system-observe interface: allow listing systemd units and their", " properties", " - opengl interface: enable use of nvidia container toolkit CDI", " config generation", "" ], "package": "snapd", "version": "2.63+20.04", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2061179 ], "author": "Ernest Lotter ", "date": "Wed, 24 Apr 2024 02:00:39 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2058277", " - Aspects based configuration schema support (experimental)", " - Refresh app awareness support for UI (experimental)", " - Support for user daemons by introducing new control switches", " --user/--system/--users for service start/stop/restart", " (experimental)", " - Add AppArmor prompting experimental flag (feature currently", " unsupported)", " - Installation of local snap components of type test", " - Packaging of components with snap pack", " - Expose experimental features supported/enabled in snapd REST API", " endpoint /v2/system-info", " - Support creating and removing recovery systems for use by factory", " reset", " - Enable API route for creating and removing recovery systems using", " /v2/systems with action create and /v2/systems/{label} with action", " remove", " - Lift requirements for fde-setup hook for single boot install", " - Enable single reboot gadget update for UC20+", " - Allow core to be removed on classic systems", " - Support for remodeling on hybrid systems", " - Install desktop files on Ubuntu Core and update after snapd", " upgrade", " - Upgrade sandbox features to account for cgroup v2 device filtering", " - Support snaps to manage their own cgroups", " - Add support for AppArmor 4.0 unconfined profile mode", " - Add AppArmor based read access to /etc/default/keyboard", " - Upgrade to squashfuse 0.5.0", " - Support useradd utility to enable removing Perl dependency for", " UC24+", " - Support for recovery-chooser to use console-conf snap", " - Add support for --uid/--gid using strace-static", " - Add support for notices (from pebble) and expose via the snapd", " REST API endpoints /v2/notices and /v2/notice", " - Add polkit authentication for snapd REST API endpoints", " /v2/snaps/{snap}/conf and /v2/apps", " - Add refresh-inhibit field to snapd REST API endpoint /v2/snaps", " - Add refresh-inhibited select query to REST API endpoint /v2/snaps", " - Take into account validation sets during remodeling", " - Improve offline remodeling to use installed revisions of snaps to", " fulfill the remodel revision requirement", " - Add rpi configuration option sdtv_mode", " - When snapd snap is not installed, pin policy ABI to 4.0 or 3.0 if", " present on host", " - Fix gadget zero-sized disk mapping caused by not ignoring zero", " sized storage traits", " - Fix gadget install case where size of existing partition was not", " correctly taken into account", " - Fix trying to unmount early kernel mount if it does not exist", " - Fix restarting mount units on snapd start", " - Fix call to udev in preseed mode", " - Fix to ensure always setting up the device cgroup for base bare", " and core24+", " - Fix not copying data from newly set homedirs on revision change", " - Fix leaving behind empty snap home directories after snap is", " removed (resulting in broken symlink)", " - Fix to avoid using libzstd from host by adding to snapd snap", " - Fix autorefresh to correctly handle forever refresh hold", " - Fix username regex allowed for system-user assertion to not allow", " '+'", " - Fix incorrect application icon for notification after autorefresh", " completion", " - Fix to restart mount units when changed", " - Fix to support AppArmor running under incus", " - Fix case of snap-update-ns dropping synthetic mounts due to", " failure to match desired mount dependencies", " - Fix parsing of base snap version to enable pre-seeding of Ubuntu", " Core Desktop", " - Fix packaging and tests for various distributions", " - Add remoteproc interface to allow developers to interact with", " Remote Processor Framework which enables snaps to load firmware to", " ARM Cortex microcontrollers", " - Add kernel-control interface to enable controlling the kernel", " firmware search path", " - Add nfs-mount interface to allow mounting of NFS shares", " - Add ros-opt-data interface to allow snaps to access the host", " /opt/ros/ paths", " - Add snap-refresh-observe interface that provides refresh-app-", " awareness clients access to relevant snapd API endpoints", " - steam-support interface: generalize Pressure Vessel root paths and", " allow access to driver information, features and container", " versions", " - steam-support interface: make implicit on Ubuntu Core Desktop", " - desktop interface: improved support for Ubuntu Core Desktop and", " limit autoconnection to implicit slots", " - cups-control interface: make autoconnect depend on presence of", " cupsd on host to ensure it works on classic systems", " - opengl interface: allow read access to /usr/share/nvidia", " - personal-files interface: extend to support automatic creation of", " missing parent directories in write paths", " - network-control interface: allow creating /run/resolveconf", " - network-setup-control and network-setup-observe interfaces: allow", " busctl bind as required for systemd 254+", " - libvirt interface: allow r/w access to /run/libvirt/libvirt-sock-", " ro and read access to /var/lib/libvirt/dnsmasq/**", " - fwupd interface: allow access to IMPI devices (including locking", " of device nodes), sysfs attributes needed by amdgpu and the COD", " capsule update directory", " - uio interface: allow configuring UIO drivers from userspace", " libraries", " - serial-port interface: add support for NXP Layerscape SoC", " - lxd-support interface: add attribute enable-unconfined-mode to", " require LXD to opt-in to run unconfined", " - block-devices interface: add support for ZFS volumes", " - system-packages-doc interface: add support for reading jquery and", " sphinx documentation", " - system-packages-doc interface: workaround to prevent autoconnect", " failure for snaps using base bare", " - microceph-support interface: allow more types of block devices to", " be added as an OSD", " - mount-observe interface: allow read access to", " /proc/{pid}/task/{tid}/mounts and proc/{pid}/task/{tid}/mountinfo", " - polkit interface: changed to not be implicit on core because", " installing policy files is not possible", " - upower-observe interface: allow stats refresh", " - gpg-public-keys interface: allow creating lock file for certain", " gpg operations", " - shutdown interface: allow access to SetRebootParameter method", " - media-control interface: allow device file locking", " - u2f-devices interface: support for Trustkey G310H, JaCarta U2F,", " Kensington VeriMark Guard, RSA DS100, Google Titan v2", "" ], "package": "snapd", "version": "2.62", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2058277 ], "author": "Ernest Lotter ", "date": "Thu, 21 Mar 2024 22:06:09 +0200" } ], "notes": null }, { "name": "wget", "from_version": { "source_package_name": "wget", "source_package_version": "1.20.3-1ubuntu2", "version": "1.20.3-1ubuntu2" }, "to_version": { "source_package_name": "wget", "source_package_version": "1.20.3-1ubuntu2.1", "version": "1.20.3-1ubuntu2.1" }, "cves": [ { "cve": "CVE-2024-38428", "url": "https://ubuntu.com/security/CVE-2024-38428", "cve_description": "url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.", "cve_priority": "medium", "cve_public_date": "2024-06-16 03:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-38428", "url": "https://ubuntu.com/security/CVE-2024-38428", "cve_description": "url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent.", "cve_priority": "medium", "cve_public_date": "2024-06-16 03:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: mishandling of semicolons in userinfo", " - debian/patches/CVE-2024-38428.patch: properly re-implement userinfo", " parsing in src/url.c.", " - CVE-2024-38428", "" ], "package": "wget", "version": "1.20.3-1ubuntu2.1", "urgency": "medium", "distributions": "focal-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 19 Jun 2024 08:19:28 -0400" } ], "notes": null } ], "snap": [] }, "added": { "deb": [ { "name": "linux-headers-5.4.0-187", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-186.206", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-187.207", "version": "5.4.0-187.207" }, "cves": [ { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" } ], "launchpad_bugs_fixed": [ 2068291 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" } ], "log": [ "", " * focal/linux: 5.4.0-187.207 -proposed tracker (LP: #2068291)", "", " * CVE-2024-26925", " - netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()", " - netfilter: nf_tables: release batch on table validation from abort path", " - netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path", "", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", "", " * CVE-2024-2201", " - x86/cpufeatures: Add new word for scattered features", " - x86/cpufeatures: Add CPUID_LNX_5 to track recently added Linux-defined word", " - x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file", " - x86/bhi: Add support for clearing branch history at syscall entry", " - x86/bhi: Define SPEC_CTRL_BHI_DIS_S", " - x86/bhi: Enumerate Branch History Injection (BHI) bug", " - x86/bhi: Add BHI mitigation knob", " - x86/bhi: Mitigate KVM by default", " - [Config] updateconfigs for CONFIG_BHI_{AUTO|ON|OFF}", " - x86/bugs: Fix BHI documentation", " - x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES", " - x86/bugs: Rename various 'ia32_cap' variables to 'x86_arch_cap_msr'", " - x86/bugs: Fix BHI handling of RRSBA", " - x86/bugs: Clarify that syscall hardening isn't a BHI mitigation", " - x86/bugs: Fix BHI retpoline check", "" ], "package": "linux", "version": "5.4.0-187.207", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2068291 ], "author": "Roxana Nicolescu ", "date": "Mon, 10 Jun 2024 09:47:52 +0200" } ], "notes": "linux-headers-5.4.0-187 version '5.4.0-187.207' (source package linux version '5.4.0-187.207') was added. linux-headers-5.4.0-187 version '5.4.0-187.207' has the same source package name, linux, as removed package linux-headers-5.4.0-186. As such we can use the source package version of the removed package, '5.4.0-186.206', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-headers-5.4.0-187-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-186.206", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-187.207", "version": "5.4.0-187.207" }, "cves": [ { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" } ], "launchpad_bugs_fixed": [ 2068291 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" } ], "log": [ "", " * focal/linux: 5.4.0-187.207 -proposed tracker (LP: #2068291)", "", " * CVE-2024-26925", " - netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()", " - netfilter: nf_tables: release batch on table validation from abort path", " - netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path", "", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", "", " * CVE-2024-2201", " - x86/cpufeatures: Add new word for scattered features", " - x86/cpufeatures: Add CPUID_LNX_5 to track recently added Linux-defined word", " - x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file", " - x86/bhi: Add support for clearing branch history at syscall entry", " - x86/bhi: Define SPEC_CTRL_BHI_DIS_S", " - x86/bhi: Enumerate Branch History Injection (BHI) bug", " - x86/bhi: Add BHI mitigation knob", " - x86/bhi: Mitigate KVM by default", " - [Config] updateconfigs for CONFIG_BHI_{AUTO|ON|OFF}", " - x86/bugs: Fix BHI documentation", " - x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES", " - x86/bugs: Rename various 'ia32_cap' variables to 'x86_arch_cap_msr'", " - x86/bugs: Fix BHI handling of RRSBA", " - x86/bugs: Clarify that syscall hardening isn't a BHI mitigation", " - x86/bugs: Fix BHI retpoline check", "" ], "package": "linux", "version": "5.4.0-187.207", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2068291 ], "author": "Roxana Nicolescu ", "date": "Mon, 10 Jun 2024 09:47:52 +0200" } ], "notes": "linux-headers-5.4.0-187-generic version '5.4.0-187.207' (source package linux version '5.4.0-187.207') was added. linux-headers-5.4.0-187-generic version '5.4.0-187.207' has the same source package name, linux, as removed package linux-headers-5.4.0-186. As such we can use the source package version of the removed package, '5.4.0-186.206', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-image-5.4.0-187-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.4.0-186.206", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "5.4.0-187.207", "version": "5.4.0-187.207" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 5.4.0-187.207", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "5.4.0-187.207", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 1786013 ], "author": "Roxana Nicolescu ", "date": "Mon, 10 Jun 2024 10:02:46 +0200" } ], "notes": "linux-image-5.4.0-187-generic version '5.4.0-187.207' (source package linux-signed version '5.4.0-187.207') was added. linux-image-5.4.0-187-generic version '5.4.0-187.207' has the same source package name, linux-signed, as removed package linux-image-5.4.0-186-generic. As such we can use the source package version of the removed package, '5.4.0-186.206', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." }, { "name": "linux-modules-5.4.0-187-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-186.206", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "5.4.0-187.207", "version": "5.4.0-187.207" }, "cves": [ { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" } ], "launchpad_bugs_fixed": [ 2068291 ], "changes": [ { "cves": [ { "cve": "CVE-2024-26925", "url": "https://ubuntu.com/security/CVE-2024-26925", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called.", "cve_priority": "high", "cve_public_date": "2024-04-25 06:15:00 UTC" }, { "cve": "CVE-2024-26643", "url": "https://ubuntu.com/security/CVE-2024-26643", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 (\"netfilter: nf_tables: use timestamp to check for set element timeout\"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f (\"netfilter: nf_tables: mark newset as dead on transaction abort\"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.", "cve_priority": "high", "cve_public_date": "2024-03-21 11:15:00 UTC" }, { "cve": "CVE-2024-2201", "url": "https://ubuntu.com/security/CVE-2024-2201", "cve_description": "[x86: Native Branch History Injection]", "cve_priority": "medium", "cve_public_date": "2024-04-09" } ], "log": [ "", " * focal/linux: 5.4.0-187.207 -proposed tracker (LP: #2068291)", "", " * CVE-2024-26925", " - netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()", " - netfilter: nf_tables: release batch on table validation from abort path", " - netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path", "", " * CVE-2024-26643", " - netfilter: nf_tables: mark set as dead when unbinding anonymous set with", " timeout", "", " * CVE-2024-2201", " - x86/cpufeatures: Add new word for scattered features", " - x86/cpufeatures: Add CPUID_LNX_5 to track recently added Linux-defined word", " - x86/bugs: Change commas to semicolons in 'spectre_v2' sysfs file", " - x86/bhi: Add support for clearing branch history at syscall entry", " - x86/bhi: Define SPEC_CTRL_BHI_DIS_S", " - x86/bhi: Enumerate Branch History Injection (BHI) bug", " - x86/bhi: Add BHI mitigation knob", " - x86/bhi: Mitigate KVM by default", " - [Config] updateconfigs for CONFIG_BHI_{AUTO|ON|OFF}", " - x86/bugs: Fix BHI documentation", " - x86/bugs: Cache the value of MSR_IA32_ARCH_CAPABILITIES", " - x86/bugs: Rename various 'ia32_cap' variables to 'x86_arch_cap_msr'", " - x86/bugs: Fix BHI handling of RRSBA", " - x86/bugs: Clarify that syscall hardening isn't a BHI mitigation", " - x86/bugs: Fix BHI retpoline check", "" ], "package": "linux", "version": "5.4.0-187.207", "urgency": "medium", "distributions": "focal", "launchpad_bugs_fixed": [ 2068291 ], "author": "Roxana Nicolescu ", "date": "Mon, 10 Jun 2024 09:47:52 +0200" } ], "notes": "linux-modules-5.4.0-187-generic version '5.4.0-187.207' (source package linux version '5.4.0-187.207') was added. linux-modules-5.4.0-187-generic version '5.4.0-187.207' has the same source package name, linux, as removed package linux-headers-5.4.0-186. As such we can use the source package version of the removed package, '5.4.0-186.206', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package." } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-headers-5.4.0-186", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-186.206", "version": "5.4.0-186.206" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-headers-5.4.0-186-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-186.206", "version": "5.4.0-186.206" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-image-5.4.0-186-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "5.4.0-186.206", "version": "5.4.0-186.206" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null }, { "name": "linux-modules-5.4.0-186-generic", "from_version": { "source_package_name": "linux", "source_package_version": "5.4.0-186.206", "version": "5.4.0-186.206" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 20.04 focal image from release image serial 20240612 to 20240626", "from_series": "focal", "to_series": "focal", "from_serial": "20240612", "to_serial": "20240626", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }