{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [],
            "removed": [],
            "diff": [
                "bind9-dnsutils",
                "bind9-host",
                "bind9-libs",
                "cloud-init",
                "libgstreamer1.0-0"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "bind9-dnsutils",
                "from_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.18.28-0ubuntu0.20.04.1",
                    "version": "1:9.18.28-0ubuntu0.20.04.1"
                },
                "to_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.18.30-0ubuntu0.20.04.1",
                    "version": "1:9.18.30-0ubuntu0.20.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2073310
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release 9.18.30 (LP: #2073310)",
                            "    - Features:",
                            "      + Print initial working directory during named startup, and changed",
                            "        working directory when loading or reloading the configuration file",
                            "      + Add max-query-restarts configuration statement",
                            "    - Updates:",
                            "      + Restrain named to specified number of cores when running via taskset,",
                            "        cpuset, or numactl",
                            "      + Reduce default max-recursion-queries value from 100 to 32",
                            "      + Raise the log level of priming failures",
                            "    - Bug Fixes:",
                            "      + Fix privacy verification of EDDSA keys",
                            "      + Fix algorithm rollover bug when there are two keys with the same keytag",
                            "      + Return SERVFAIL for a too long CNAME chain",
                            "      + Reconfigure catz member zones during named reconfiguration",
                            "      + Update key lifetime and metadata after dnssec-policy reconfiguration",
                            "      + Fix generation of 6to4-self name expansion from IPv4 address",
                            "      + Fix invalid dig +yaml output",
                            "      + Reject zero-length ALPN during SVCB ALPN text parsing",
                            "      + Fix false QNAME minimisation error being reported",
                            "      + Fix dig +timeout argument when using +http",
                            "    - See https://bind9.readthedocs.io/en/v9.18.30/notes.html for additional",
                            "      information. ",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.18.30-0ubuntu0.20.04.1",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2073310
                        ],
                        "author": "Lena Voytek <lena.voytek@canonical.com>",
                        "date": "Mon, 23 Sep 2024 17:21:48 -0400"
                    }
                ],
                "notes": null
            },
            {
                "name": "bind9-host",
                "from_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.18.28-0ubuntu0.20.04.1",
                    "version": "1:9.18.28-0ubuntu0.20.04.1"
                },
                "to_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.18.30-0ubuntu0.20.04.1",
                    "version": "1:9.18.30-0ubuntu0.20.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2073310
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release 9.18.30 (LP: #2073310)",
                            "    - Features:",
                            "      + Print initial working directory during named startup, and changed",
                            "        working directory when loading or reloading the configuration file",
                            "      + Add max-query-restarts configuration statement",
                            "    - Updates:",
                            "      + Restrain named to specified number of cores when running via taskset,",
                            "        cpuset, or numactl",
                            "      + Reduce default max-recursion-queries value from 100 to 32",
                            "      + Raise the log level of priming failures",
                            "    - Bug Fixes:",
                            "      + Fix privacy verification of EDDSA keys",
                            "      + Fix algorithm rollover bug when there are two keys with the same keytag",
                            "      + Return SERVFAIL for a too long CNAME chain",
                            "      + Reconfigure catz member zones during named reconfiguration",
                            "      + Update key lifetime and metadata after dnssec-policy reconfiguration",
                            "      + Fix generation of 6to4-self name expansion from IPv4 address",
                            "      + Fix invalid dig +yaml output",
                            "      + Reject zero-length ALPN during SVCB ALPN text parsing",
                            "      + Fix false QNAME minimisation error being reported",
                            "      + Fix dig +timeout argument when using +http",
                            "    - See https://bind9.readthedocs.io/en/v9.18.30/notes.html for additional",
                            "      information. ",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.18.30-0ubuntu0.20.04.1",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2073310
                        ],
                        "author": "Lena Voytek <lena.voytek@canonical.com>",
                        "date": "Mon, 23 Sep 2024 17:21:48 -0400"
                    }
                ],
                "notes": null
            },
            {
                "name": "bind9-libs",
                "from_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.18.28-0ubuntu0.20.04.1",
                    "version": "1:9.18.28-0ubuntu0.20.04.1"
                },
                "to_version": {
                    "source_package_name": "bind9",
                    "source_package_version": "1:9.18.30-0ubuntu0.20.04.1",
                    "version": "1:9.18.30-0ubuntu0.20.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2073310
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release 9.18.30 (LP: #2073310)",
                            "    - Features:",
                            "      + Print initial working directory during named startup, and changed",
                            "        working directory when loading or reloading the configuration file",
                            "      + Add max-query-restarts configuration statement",
                            "    - Updates:",
                            "      + Restrain named to specified number of cores when running via taskset,",
                            "        cpuset, or numactl",
                            "      + Reduce default max-recursion-queries value from 100 to 32",
                            "      + Raise the log level of priming failures",
                            "    - Bug Fixes:",
                            "      + Fix privacy verification of EDDSA keys",
                            "      + Fix algorithm rollover bug when there are two keys with the same keytag",
                            "      + Return SERVFAIL for a too long CNAME chain",
                            "      + Reconfigure catz member zones during named reconfiguration",
                            "      + Update key lifetime and metadata after dnssec-policy reconfiguration",
                            "      + Fix generation of 6to4-self name expansion from IPv4 address",
                            "      + Fix invalid dig +yaml output",
                            "      + Reject zero-length ALPN during SVCB ALPN text parsing",
                            "      + Fix false QNAME minimisation error being reported",
                            "      + Fix dig +timeout argument when using +http",
                            "    - See https://bind9.readthedocs.io/en/v9.18.30/notes.html for additional",
                            "      information. ",
                            ""
                        ],
                        "package": "bind9",
                        "version": "1:9.18.30-0ubuntu0.20.04.1",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2073310
                        ],
                        "author": "Lena Voytek <lena.voytek@canonical.com>",
                        "date": "Mon, 23 Sep 2024 17:21:48 -0400"
                    }
                ],
                "notes": null
            },
            {
                "name": "cloud-init",
                "from_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "24.3.1-0ubuntu0~20.04.1",
                    "version": "24.3.1-0ubuntu0~20.04.1"
                },
                "to_version": {
                    "source_package_name": "cloud-init",
                    "source_package_version": "24.4-0ubuntu1~20.04.1",
                    "version": "24.4-0ubuntu1~20.04.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2089577
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * add d/p/grub-dpkg-support.patch",
                            "    - Revert the removal of grub-dpkg from default modules",
                            "  * Move d/p/drop-unsupported-systemd-condition-environment.patch",
                            "    later in series and refresh as to not be overwritten by",
                            "    no-single-process.patch",
                            "  * refresh patches:",
                            "    - d/p/cli-retain-file-argument-as-main-cmd-arg.patch",
                            "    - d/p/expire-on-hashed-users.patch",
                            "    - d/p/keep-dhclient-as-priority-client.patch",
                            "    - d/p/netplan99-cannot-use-default.patch",
                            "    - d/p/no-nocloud-network.patch",
                            "    - d/p/no-single-process.patch",
                            "    - d/p/revert-551f560d-cloud-config-after-snap-seeding.patch",
                            "    - d/p/status-do-not-remove-duplicated-data.patch",
                            "  * Upstream snapshot based on 24.4. (LP: #2089577).",
                            "    List of changes from upstream can be found at",
                            "    https://raw.githubusercontent.com/canonical/cloud-init/24.4/ChangeLog",
                            ""
                        ],
                        "package": "cloud-init",
                        "version": "24.4-0ubuntu1~20.04.1",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2089577
                        ],
                        "author": "James Falcon <james.falcon@canonical.com>",
                        "date": "Mon, 25 Nov 2024 11:53:40 -0600"
                    }
                ],
                "notes": null
            },
            {
                "name": "libgstreamer1.0-0",
                "from_version": {
                    "source_package_name": "gstreamer1.0",
                    "source_package_version": "1.16.3-0ubuntu1.1",
                    "version": "1.16.3-0ubuntu1.1"
                },
                "to_version": {
                    "source_package_name": "gstreamer1.0",
                    "source_package_version": "1.16.3-0ubuntu1.2",
                    "version": "1.16.3-0ubuntu1.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-47606",
                        "url": "https://ubuntu.com/security/CVE-2024-47606",
                        "cve_description": "GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-12-12 02:03:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-47606",
                                "url": "https://ubuntu.com/security/CVE-2024-47606",
                                "cve_description": "GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-12-12 02:03:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: code exec via integer overflow",
                            "    - debian/patches/CVE-2024-47606.patch: avoid integer overflow when",
                            "      allocating sysmem in gst/gstallocator.c.",
                            "    - CVE-2024-47606",
                            ""
                        ],
                        "package": "gstreamer1.0",
                        "version": "1.16.3-0ubuntu1.2",
                        "urgency": "medium",
                        "distributions": "focal-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Tue, 17 Dec 2024 08:06:24 -0500"
                    }
                ],
                "notes": null
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [],
        "snap": []
    },
    "removed": {
        "deb": [],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 20.04 focal image from daily image serial 20241216 to 20250109",
    "from_series": "focal",
    "to_series": "focal",
    "from_serial": "20241216",
    "to_serial": "20250109",
    "from_manifest_filename": "daily_manifest.previous",
    "to_manifest_filename": "manifest.current"
}