{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [],
            "removed": [],
            "diff": [
                "dhcpcd-base",
                "git",
                "git-man",
                "initramfs-tools",
                "initramfs-tools-bin",
                "initramfs-tools-core",
                "klibc-utils",
                "libarchive13t64:riscv64",
                "libc-bin",
                "libc6:riscv64",
                "libklibc:riscv64",
                "libnss-systemd:riscv64",
                "libpam-modules:riscv64",
                "libpam-modules-bin",
                "libpam-runtime",
                "libpam-systemd:riscv64",
                "libpam0g:riscv64",
                "libsystemd-shared:riscv64",
                "libsystemd0:riscv64",
                "libudev1:riscv64",
                "locales",
                "python3-cryptography",
                "python3-jinja2",
                "systemd",
                "systemd-dev",
                "systemd-resolved",
                "systemd-sysv",
                "systemd-timesyncd",
                "tzdata",
                "ubuntu-pro-client",
                "ubuntu-pro-client-l10n",
                "udev",
                "vim",
                "vim-common",
                "vim-runtime",
                "vim-tiny",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "dhcpcd-base",
                "from_version": {
                    "source_package_name": "dhcpcd",
                    "source_package_version": "1:10.0.6-1ubuntu3",
                    "version": "1:10.0.6-1ubuntu3"
                },
                "to_version": {
                    "source_package_name": "dhcpcd",
                    "source_package_version": "1:10.0.6-1ubuntu3.1",
                    "version": "1:10.0.6-1ubuntu3.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2064926
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * hooks/30-hostname: Exit with 0 if setting hostname is not needed",
                            "    This prevents retrying dhcpcd for 5 minutes during boot. (LP: #2064926)",
                            ""
                        ],
                        "package": "dhcpcd",
                        "version": "1:10.0.6-1ubuntu3.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2064926
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Tue, 07 May 2024 12:12:01 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "git",
                "from_version": {
                    "source_package_name": "git",
                    "source_package_version": "1:2.43.0-1ubuntu7",
                    "version": "1:2.43.0-1ubuntu7"
                },
                "to_version": {
                    "source_package_name": "git",
                    "source_package_version": "1:2.43.0-1ubuntu7.1",
                    "version": "1:2.43.0-1ubuntu7.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-32002",
                        "url": "https://ubuntu.com/security/CVE-2024-32002",
                        "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-14 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-32004",
                        "url": "https://ubuntu.com/security/CVE-2024-32004",
                        "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-14 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-32020",
                        "url": "https://ubuntu.com/security/CVE-2024-32020",
                        "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a \"proper\" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-14 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-32021",
                        "url": "https://ubuntu.com/security/CVE-2024-32021",
                        "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-14 20:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-32465",
                        "url": "https://ubuntu.com/security/CVE-2024-32465",
                        "cve_description": "Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-14 20:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-32002",
                                "url": "https://ubuntu.com/security/CVE-2024-32002",
                                "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-14 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-32004",
                                "url": "https://ubuntu.com/security/CVE-2024-32004",
                                "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-14 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-32020",
                                "url": "https://ubuntu.com/security/CVE-2024-32020",
                                "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a \"proper\" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-14 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-32021",
                                "url": "https://ubuntu.com/security/CVE-2024-32021",
                                "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-14 20:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-32465",
                                "url": "https://ubuntu.com/security/CVE-2024-32465",
                                "cve_description": "Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-14 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Facilitation of arbitrary code execution",
                            "    - debian/patches/CVE-2024-32002.patch: submodule paths",
                            "      must not contain symlinks in builtin/submodule--helper.c.",
                            "    - CVE-2024-32002",
                            "  * SECURITY UPDATE: Arbitrary code execution",
                            "    - debian/patches/CVE-2024-32004.patch: detect dubious ownership of",
                            "      local repositories in path.c, setup.c, setup.h.",
                            "    - CVE-2024-32004",
                            "  * SECURITY UPDATE: Overwrite of possible malicious hardlink",
                            "    - debian/patches/CVE-2024-32020.patch: refuse clones of unsafe",
                            "      repositories in builtin/clone.c, t0033-safe-directory.sh.",
                            "    - CVE-2024-32020",
                            "  * SECURITY UPDATE: Unauthenticated attacker to place a repository",
                            "    on their target's local system that contains symlinks",
                            "    - debian/patches/CVE-2024-32021.patch: abort when hardlinked source and",
                            "      target file differ in builtin/clone.c",
                            "    - CVE-2024-32021",
                            "  * SECURITY UPDATE: Arbitrary code execution",
                            "    - debian/patches/CVE-2024-32465.patch: disable lazy-fetching by default",
                            "      in builtin/upload-pack.c, promisor-remote.c",
                            "    - CVE-2024-32465",
                            ""
                        ],
                        "package": "git",
                        "version": "1:2.43.0-1ubuntu7.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>",
                        "date": "Mon, 20 May 2024 08:15:04 -0300"
                    }
                ],
                "notes": null
            },
            {
                "name": "git-man",
                "from_version": {
                    "source_package_name": "git",
                    "source_package_version": "1:2.43.0-1ubuntu7",
                    "version": "1:2.43.0-1ubuntu7"
                },
                "to_version": {
                    "source_package_name": "git",
                    "source_package_version": "1:2.43.0-1ubuntu7.1",
                    "version": "1:2.43.0-1ubuntu7.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-32002",
                        "url": "https://ubuntu.com/security/CVE-2024-32002",
                        "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-14 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-32004",
                        "url": "https://ubuntu.com/security/CVE-2024-32004",
                        "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-14 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-32020",
                        "url": "https://ubuntu.com/security/CVE-2024-32020",
                        "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a \"proper\" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-14 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-32021",
                        "url": "https://ubuntu.com/security/CVE-2024-32021",
                        "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-14 20:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-32465",
                        "url": "https://ubuntu.com/security/CVE-2024-32465",
                        "cve_description": "Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-14 20:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-32002",
                                "url": "https://ubuntu.com/security/CVE-2024-32002",
                                "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-14 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-32004",
                                "url": "https://ubuntu.com/security/CVE-2024-32004",
                                "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-14 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-32020",
                                "url": "https://ubuntu.com/security/CVE-2024-32020",
                                "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a \"proper\" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-14 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-32021",
                                "url": "https://ubuntu.com/security/CVE-2024-32021",
                                "cve_description": "Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, when cloning a local source repository that contains symlinks via the filesystem, Git may create hardlinks to arbitrary user-readable files on the same filesystem as the target repository in the `objects/` directory. Cloning a local repository over the filesystem may creating hardlinks to arbitrary user-owned files on the same filesystem in the target Git repository's `objects/` directory. When cloning a repository over the filesystem (without explicitly specifying the `file://` protocol or `--no-local`), the optimizations for local cloning will be used, which include attempting to hard link the object files instead of copying them. While the code includes checks against symbolic links in the source repository, which were added during the fix for CVE-2022-39253, these checks can still be raced because the hard link operation ultimately follows symlinks. If the object on the filesystem appears as a file during the check, and then a symlink during the operation, this will allow the adversary to bypass the check and create hardlinks in the destination objects directory to arbitrary, user-readable files. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-14 20:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-32465",
                                "url": "https://ubuntu.com/security/CVE-2024-32465",
                                "cve_description": "Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-14 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Facilitation of arbitrary code execution",
                            "    - debian/patches/CVE-2024-32002.patch: submodule paths",
                            "      must not contain symlinks in builtin/submodule--helper.c.",
                            "    - CVE-2024-32002",
                            "  * SECURITY UPDATE: Arbitrary code execution",
                            "    - debian/patches/CVE-2024-32004.patch: detect dubious ownership of",
                            "      local repositories in path.c, setup.c, setup.h.",
                            "    - CVE-2024-32004",
                            "  * SECURITY UPDATE: Overwrite of possible malicious hardlink",
                            "    - debian/patches/CVE-2024-32020.patch: refuse clones of unsafe",
                            "      repositories in builtin/clone.c, t0033-safe-directory.sh.",
                            "    - CVE-2024-32020",
                            "  * SECURITY UPDATE: Unauthenticated attacker to place a repository",
                            "    on their target's local system that contains symlinks",
                            "    - debian/patches/CVE-2024-32021.patch: abort when hardlinked source and",
                            "      target file differ in builtin/clone.c",
                            "    - CVE-2024-32021",
                            "  * SECURITY UPDATE: Arbitrary code execution",
                            "    - debian/patches/CVE-2024-32465.patch: disable lazy-fetching by default",
                            "      in builtin/upload-pack.c, promisor-remote.c",
                            "    - CVE-2024-32465",
                            ""
                        ],
                        "package": "git",
                        "version": "1:2.43.0-1ubuntu7.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>",
                        "date": "Mon, 20 May 2024 08:15:04 -0300"
                    }
                ],
                "notes": null
            },
            {
                "name": "initramfs-tools",
                "from_version": {
                    "source_package_name": "initramfs-tools",
                    "source_package_version": "0.142ubuntu25",
                    "version": "0.142ubuntu25"
                },
                "to_version": {
                    "source_package_name": "initramfs-tools",
                    "source_package_version": "0.142ubuntu25.1",
                    "version": "0.142ubuntu25.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2065037
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * configure_network: Call dhcpcd with --nolink --noipv4ll to succeed getting",
                            "    a DHCP lease on the first try and avoid a 30 seconds delay (LP: #2065037)",
                            ""
                        ],
                        "package": "initramfs-tools",
                        "version": "0.142ubuntu25.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2065037
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 10 May 2024 15:03:48 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "initramfs-tools-bin",
                "from_version": {
                    "source_package_name": "initramfs-tools",
                    "source_package_version": "0.142ubuntu25",
                    "version": "0.142ubuntu25"
                },
                "to_version": {
                    "source_package_name": "initramfs-tools",
                    "source_package_version": "0.142ubuntu25.1",
                    "version": "0.142ubuntu25.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2065037
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * configure_network: Call dhcpcd with --nolink --noipv4ll to succeed getting",
                            "    a DHCP lease on the first try and avoid a 30 seconds delay (LP: #2065037)",
                            ""
                        ],
                        "package": "initramfs-tools",
                        "version": "0.142ubuntu25.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2065037
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 10 May 2024 15:03:48 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "initramfs-tools-core",
                "from_version": {
                    "source_package_name": "initramfs-tools",
                    "source_package_version": "0.142ubuntu25",
                    "version": "0.142ubuntu25"
                },
                "to_version": {
                    "source_package_name": "initramfs-tools",
                    "source_package_version": "0.142ubuntu25.1",
                    "version": "0.142ubuntu25.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2065037
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * configure_network: Call dhcpcd with --nolink --noipv4ll to succeed getting",
                            "    a DHCP lease on the first try and avoid a 30 seconds delay (LP: #2065037)",
                            ""
                        ],
                        "package": "initramfs-tools",
                        "version": "0.142ubuntu25.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2065037
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 10 May 2024 15:03:48 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "klibc-utils",
                "from_version": {
                    "source_package_name": "klibc",
                    "source_package_version": "2.0.13-4",
                    "version": "2.0.13-4"
                },
                "to_version": {
                    "source_package_name": "klibc",
                    "source_package_version": "2.0.13-4ubuntu0.1",
                    "version": "2.0.13-4ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2016-9840",
                        "url": "https://ubuntu.com/security/CVE-2016-9840",
                        "cve_description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
                        "cve_priority": "low",
                        "cve_public_date": "2017-05-23 04:29:00 UTC"
                    },
                    {
                        "cve": "CVE-2016-9841",
                        "url": "https://ubuntu.com/security/CVE-2016-9841",
                        "cve_description": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
                        "cve_priority": "low",
                        "cve_public_date": "2017-05-23 04:29:00 UTC"
                    },
                    {
                        "cve": "CVE-2018-25032",
                        "url": "https://ubuntu.com/security/CVE-2018-25032",
                        "cve_description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-03-25 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2022-37434",
                        "url": "https://ubuntu.com/security/CVE-2022-37434",
                        "cve_description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-05 07:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2016-9840",
                                "url": "https://ubuntu.com/security/CVE-2016-9840",
                                "cve_description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
                                "cve_priority": "low",
                                "cve_public_date": "2017-05-23 04:29:00 UTC"
                            },
                            {
                                "cve": "CVE-2016-9841",
                                "url": "https://ubuntu.com/security/CVE-2016-9841",
                                "cve_description": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
                                "cve_priority": "low",
                                "cve_public_date": "2017-05-23 04:29:00 UTC"
                            },
                            {
                                "cve": "CVE-2018-25032",
                                "url": "https://ubuntu.com/security/CVE-2018-25032",
                                "cve_description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-03-25 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2022-37434",
                                "url": "https://ubuntu.com/security/CVE-2022-37434",
                                "cve_description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-05 07:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: improper pointer arithmetic",
                            "    - debian/patches/CVE-2016-9840.patch: remove offset pointer optimization",
                            "      in usr/klibc/zlib/inftrees.c.",
                            "    - CVE-2016-9840",
                            "  * SECURITY UPDATE: improper pointer arithmetic",
                            "    - debian/patches/CVE-2016-9841.patch: remove offset pointer optimization",
                            "      in usr/klibc/zlib/inffast.c.",
                            "    - CVE-2016-9841",
                            "  * SECURITY UPDATE: memory corruption during compression",
                            "    - debian/patches/CVE-2018-25032.patch: addresses a bug that can crash",
                            "      deflate on rare inputs when using Z_FIXED.",
                            "    - CVE-2018-25032",
                            "  * SECURITY UPDATE: heap-based buffer over-read",
                            "    - debian/patches/CVE-2022-37434-1.patch: adds an extra condition to check",
                            "      if state->head->extra_max is greater than len before copying, and moves",
                            "      the len assignment to be placed before the check in",
                            "      usr/klibc/zlib/inflate.c.",
                            "    - debian/patches/CVE-2022-37434-2.patch: in the previous patch, the",
                            "      placement of the len assignment was causing issues so it was moved",
                            "      within the conditional check.",
                            "    - CVE-2022-37434",
                            ""
                        ],
                        "package": "klibc",
                        "version": "2.0.13-4ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Ian Constantin <ian.constantin@canonical.com>",
                        "date": "Tue, 21 May 2024 11:39:42 +0300"
                    }
                ],
                "notes": null
            },
            {
                "name": "libarchive13t64:riscv64",
                "from_version": {
                    "source_package_name": "libarchive",
                    "source_package_version": "3.7.2-2",
                    "version": "3.7.2-2"
                },
                "to_version": {
                    "source_package_name": "libarchive",
                    "source_package_version": "3.7.2-2ubuntu0.1",
                    "version": "3.7.2-2ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-26256",
                        "url": "https://ubuntu.com/security/CVE-2024-26256",
                        "cve_description": "libarchive Remote Code Execution Vulnerability",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-09 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-26256",
                                "url": "https://ubuntu.com/security/CVE-2024-26256",
                                "cve_description": "libarchive Remote Code Execution Vulnerability",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-09 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Remote code execution",
                            "    - debian/patches/CVE-2024-26256.patch: fix OOB in rar e8 filter",
                            "      in libarchive/archive_read_support_format_rar.c.",
                            "    - CVE-2024-26256",
                            ""
                        ],
                        "package": "libarchive",
                        "version": "3.7.2-2ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>",
                        "date": "Thu, 30 May 2024 11:57:56 -0300"
                    }
                ],
                "notes": null
            },
            {
                "name": "libc-bin",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.39-0ubuntu8.1",
                    "version": "2.39-0ubuntu8.1"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.39-0ubuntu8.2",
                    "version": "2.39-0ubuntu8.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-33599",
                        "url": "https://ubuntu.com/security/CVE-2024-33599",
                        "cve_description": "nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-06 20:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-33600",
                        "url": "https://ubuntu.com/security/CVE-2024-33600",
                        "cve_description": "nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-06 20:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-33601",
                        "url": "https://ubuntu.com/security/CVE-2024-33601",
                        "cve_description": "nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-06 20:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-33602",
                        "url": "https://ubuntu.com/security/CVE-2024-33602",
                        "cve_description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-06 20:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-33599",
                                "url": "https://ubuntu.com/security/CVE-2024-33599",
                                "cve_description": "nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-06 20:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-33600",
                                "url": "https://ubuntu.com/security/CVE-2024-33600",
                                "cve_description": "nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-06 20:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-33601",
                                "url": "https://ubuntu.com/security/CVE-2024-33601",
                                "cve_description": "nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-06 20:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-33602",
                                "url": "https://ubuntu.com/security/CVE-2024-33602",
                                "cve_description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-06 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Stack-based buffer overflow",
                            "    - debian/patches/CVE-2024-33599.patch: CVE-2024-33599: nscd: Stack-",
                            "      based buffer overflow in netgroup cache.",
                            "    - CVE-2024-33599",
                            "  * SECURITY UPDATE: Null pointer",
                            "    - debian/patches/CVE-2024-33600_1.patch: CVE-2024-33600: nscd: Avoid",
                            "      null pointer crashes after notfound response.",
                            "    - debian/patches/CVE-2024-33600_2.patch: CVE-2024-33600: nscd: Do",
                            "      not send missing not-found response in addgetnetgrentX.",
                            "    - CVE-2024-33600",
                            "  * SECURITY UPDATE: Memory corruption",
                            "    - debian/patches/CVE-2024-33601_33602.patch: CVE-2024-33601, CVE-",
                            "      2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX.",
                            "    - CVE-2024-33601",
                            "    - CVE-2024-33602",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.39-0ubuntu8.2",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Apr 2024 15:02:13 -0300"
                    }
                ],
                "notes": null
            },
            {
                "name": "libc6:riscv64",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.39-0ubuntu8.1",
                    "version": "2.39-0ubuntu8.1"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.39-0ubuntu8.2",
                    "version": "2.39-0ubuntu8.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-33599",
                        "url": "https://ubuntu.com/security/CVE-2024-33599",
                        "cve_description": "nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-06 20:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-33600",
                        "url": "https://ubuntu.com/security/CVE-2024-33600",
                        "cve_description": "nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-06 20:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-33601",
                        "url": "https://ubuntu.com/security/CVE-2024-33601",
                        "cve_description": "nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-06 20:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-33602",
                        "url": "https://ubuntu.com/security/CVE-2024-33602",
                        "cve_description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-06 20:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-33599",
                                "url": "https://ubuntu.com/security/CVE-2024-33599",
                                "cve_description": "nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-06 20:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-33600",
                                "url": "https://ubuntu.com/security/CVE-2024-33600",
                                "cve_description": "nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-06 20:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-33601",
                                "url": "https://ubuntu.com/security/CVE-2024-33601",
                                "cve_description": "nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-06 20:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-33602",
                                "url": "https://ubuntu.com/security/CVE-2024-33602",
                                "cve_description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-06 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Stack-based buffer overflow",
                            "    - debian/patches/CVE-2024-33599.patch: CVE-2024-33599: nscd: Stack-",
                            "      based buffer overflow in netgroup cache.",
                            "    - CVE-2024-33599",
                            "  * SECURITY UPDATE: Null pointer",
                            "    - debian/patches/CVE-2024-33600_1.patch: CVE-2024-33600: nscd: Avoid",
                            "      null pointer crashes after notfound response.",
                            "    - debian/patches/CVE-2024-33600_2.patch: CVE-2024-33600: nscd: Do",
                            "      not send missing not-found response in addgetnetgrentX.",
                            "    - CVE-2024-33600",
                            "  * SECURITY UPDATE: Memory corruption",
                            "    - debian/patches/CVE-2024-33601_33602.patch: CVE-2024-33601, CVE-",
                            "      2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX.",
                            "    - CVE-2024-33601",
                            "    - CVE-2024-33602",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.39-0ubuntu8.2",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Apr 2024 15:02:13 -0300"
                    }
                ],
                "notes": null
            },
            {
                "name": "libklibc:riscv64",
                "from_version": {
                    "source_package_name": "klibc",
                    "source_package_version": "2.0.13-4",
                    "version": "2.0.13-4"
                },
                "to_version": {
                    "source_package_name": "klibc",
                    "source_package_version": "2.0.13-4ubuntu0.1",
                    "version": "2.0.13-4ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2016-9840",
                        "url": "https://ubuntu.com/security/CVE-2016-9840",
                        "cve_description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
                        "cve_priority": "low",
                        "cve_public_date": "2017-05-23 04:29:00 UTC"
                    },
                    {
                        "cve": "CVE-2016-9841",
                        "url": "https://ubuntu.com/security/CVE-2016-9841",
                        "cve_description": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
                        "cve_priority": "low",
                        "cve_public_date": "2017-05-23 04:29:00 UTC"
                    },
                    {
                        "cve": "CVE-2018-25032",
                        "url": "https://ubuntu.com/security/CVE-2018-25032",
                        "cve_description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-03-25 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2022-37434",
                        "url": "https://ubuntu.com/security/CVE-2022-37434",
                        "cve_description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).",
                        "cve_priority": "medium",
                        "cve_public_date": "2022-08-05 07:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2016-9840",
                                "url": "https://ubuntu.com/security/CVE-2016-9840",
                                "cve_description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
                                "cve_priority": "low",
                                "cve_public_date": "2017-05-23 04:29:00 UTC"
                            },
                            {
                                "cve": "CVE-2016-9841",
                                "url": "https://ubuntu.com/security/CVE-2016-9841",
                                "cve_description": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
                                "cve_priority": "low",
                                "cve_public_date": "2017-05-23 04:29:00 UTC"
                            },
                            {
                                "cve": "CVE-2018-25032",
                                "url": "https://ubuntu.com/security/CVE-2018-25032",
                                "cve_description": "zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-03-25 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2022-37434",
                                "url": "https://ubuntu.com/security/CVE-2022-37434",
                                "cve_description": "zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).",
                                "cve_priority": "medium",
                                "cve_public_date": "2022-08-05 07:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: improper pointer arithmetic",
                            "    - debian/patches/CVE-2016-9840.patch: remove offset pointer optimization",
                            "      in usr/klibc/zlib/inftrees.c.",
                            "    - CVE-2016-9840",
                            "  * SECURITY UPDATE: improper pointer arithmetic",
                            "    - debian/patches/CVE-2016-9841.patch: remove offset pointer optimization",
                            "      in usr/klibc/zlib/inffast.c.",
                            "    - CVE-2016-9841",
                            "  * SECURITY UPDATE: memory corruption during compression",
                            "    - debian/patches/CVE-2018-25032.patch: addresses a bug that can crash",
                            "      deflate on rare inputs when using Z_FIXED.",
                            "    - CVE-2018-25032",
                            "  * SECURITY UPDATE: heap-based buffer over-read",
                            "    - debian/patches/CVE-2022-37434-1.patch: adds an extra condition to check",
                            "      if state->head->extra_max is greater than len before copying, and moves",
                            "      the len assignment to be placed before the check in",
                            "      usr/klibc/zlib/inflate.c.",
                            "    - debian/patches/CVE-2022-37434-2.patch: in the previous patch, the",
                            "      placement of the len assignment was causing issues so it was moved",
                            "      within the conditional check.",
                            "    - CVE-2022-37434",
                            ""
                        ],
                        "package": "klibc",
                        "version": "2.0.13-4ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Ian Constantin <ian.constantin@canonical.com>",
                        "date": "Tue, 21 May 2024 11:39:42 +0300"
                    }
                ],
                "notes": null
            },
            {
                "name": "libnss-systemd:riscv64",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8",
                    "version": "255.4-1ubuntu8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.1",
                    "version": "255.4-1ubuntu8.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2047975,
                    2054761,
                    2064096,
                    2065964
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/systemd-resolved.postinst: ignore cp failure (LP: #2047975)",
                            "  * debian/systemd.postinst: don't restart user managers if too old (LP: #2054761)",
                            "  * switch-root: use MS_MOVE for /run when switching from initrd (LP: #2064096)",
                            "  * test: check for kernel.apparmor_restrict_unprivileged_userns (LP: #2065964)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2047975,
                            2054761,
                            2064096,
                            2065964
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 17 May 2024 10:47:34 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "libpam-modules:riscv64",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5",
                    "version": "1.5.3-5ubuntu5"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5.1",
                    "version": "1.5.3-5ubuntu5.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2064360,
                    2064350
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Sam Hartman ]",
                            "  * Correct Build depends for docbook5 (LP: #2064360)",
                            "  * Depend on libdb-dev again, bringing back pam_userdb (LP: #2064350)",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-5ubuntu5.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2064360,
                            2064350
                        ],
                        "author": "Dan Bungert <daniel.bungert@canonical.com>",
                        "date": "Thu, 02 May 2024 16:20:13 -0600"
                    }
                ],
                "notes": null
            },
            {
                "name": "libpam-modules-bin",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5",
                    "version": "1.5.3-5ubuntu5"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5.1",
                    "version": "1.5.3-5ubuntu5.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2064360,
                    2064350
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Sam Hartman ]",
                            "  * Correct Build depends for docbook5 (LP: #2064360)",
                            "  * Depend on libdb-dev again, bringing back pam_userdb (LP: #2064350)",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-5ubuntu5.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2064360,
                            2064350
                        ],
                        "author": "Dan Bungert <daniel.bungert@canonical.com>",
                        "date": "Thu, 02 May 2024 16:20:13 -0600"
                    }
                ],
                "notes": null
            },
            {
                "name": "libpam-runtime",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5",
                    "version": "1.5.3-5ubuntu5"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5.1",
                    "version": "1.5.3-5ubuntu5.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2064360,
                    2064350
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Sam Hartman ]",
                            "  * Correct Build depends for docbook5 (LP: #2064360)",
                            "  * Depend on libdb-dev again, bringing back pam_userdb (LP: #2064350)",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-5ubuntu5.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2064360,
                            2064350
                        ],
                        "author": "Dan Bungert <daniel.bungert@canonical.com>",
                        "date": "Thu, 02 May 2024 16:20:13 -0600"
                    }
                ],
                "notes": null
            },
            {
                "name": "libpam-systemd:riscv64",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8",
                    "version": "255.4-1ubuntu8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.1",
                    "version": "255.4-1ubuntu8.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2047975,
                    2054761,
                    2064096,
                    2065964
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/systemd-resolved.postinst: ignore cp failure (LP: #2047975)",
                            "  * debian/systemd.postinst: don't restart user managers if too old (LP: #2054761)",
                            "  * switch-root: use MS_MOVE for /run when switching from initrd (LP: #2064096)",
                            "  * test: check for kernel.apparmor_restrict_unprivileged_userns (LP: #2065964)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2047975,
                            2054761,
                            2064096,
                            2065964
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 17 May 2024 10:47:34 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "libpam0g:riscv64",
                "from_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5",
                    "version": "1.5.3-5ubuntu5"
                },
                "to_version": {
                    "source_package_name": "pam",
                    "source_package_version": "1.5.3-5ubuntu5.1",
                    "version": "1.5.3-5ubuntu5.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2064360,
                    2064350
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  [ Sam Hartman ]",
                            "  * Correct Build depends for docbook5 (LP: #2064360)",
                            "  * Depend on libdb-dev again, bringing back pam_userdb (LP: #2064350)",
                            ""
                        ],
                        "package": "pam",
                        "version": "1.5.3-5ubuntu5.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2064360,
                            2064350
                        ],
                        "author": "Dan Bungert <daniel.bungert@canonical.com>",
                        "date": "Thu, 02 May 2024 16:20:13 -0600"
                    }
                ],
                "notes": null
            },
            {
                "name": "libsystemd-shared:riscv64",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8",
                    "version": "255.4-1ubuntu8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.1",
                    "version": "255.4-1ubuntu8.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2047975,
                    2054761,
                    2064096,
                    2065964
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/systemd-resolved.postinst: ignore cp failure (LP: #2047975)",
                            "  * debian/systemd.postinst: don't restart user managers if too old (LP: #2054761)",
                            "  * switch-root: use MS_MOVE for /run when switching from initrd (LP: #2064096)",
                            "  * test: check for kernel.apparmor_restrict_unprivileged_userns (LP: #2065964)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2047975,
                            2054761,
                            2064096,
                            2065964
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 17 May 2024 10:47:34 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "libsystemd0:riscv64",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8",
                    "version": "255.4-1ubuntu8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.1",
                    "version": "255.4-1ubuntu8.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2047975,
                    2054761,
                    2064096,
                    2065964
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/systemd-resolved.postinst: ignore cp failure (LP: #2047975)",
                            "  * debian/systemd.postinst: don't restart user managers if too old (LP: #2054761)",
                            "  * switch-root: use MS_MOVE for /run when switching from initrd (LP: #2064096)",
                            "  * test: check for kernel.apparmor_restrict_unprivileged_userns (LP: #2065964)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2047975,
                            2054761,
                            2064096,
                            2065964
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 17 May 2024 10:47:34 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "libudev1:riscv64",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8",
                    "version": "255.4-1ubuntu8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.1",
                    "version": "255.4-1ubuntu8.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2047975,
                    2054761,
                    2064096,
                    2065964
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/systemd-resolved.postinst: ignore cp failure (LP: #2047975)",
                            "  * debian/systemd.postinst: don't restart user managers if too old (LP: #2054761)",
                            "  * switch-root: use MS_MOVE for /run when switching from initrd (LP: #2064096)",
                            "  * test: check for kernel.apparmor_restrict_unprivileged_userns (LP: #2065964)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2047975,
                            2054761,
                            2064096,
                            2065964
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 17 May 2024 10:47:34 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "locales",
                "from_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.39-0ubuntu8.1",
                    "version": "2.39-0ubuntu8.1"
                },
                "to_version": {
                    "source_package_name": "glibc",
                    "source_package_version": "2.39-0ubuntu8.2",
                    "version": "2.39-0ubuntu8.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-33599",
                        "url": "https://ubuntu.com/security/CVE-2024-33599",
                        "cve_description": "nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-06 20:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-33600",
                        "url": "https://ubuntu.com/security/CVE-2024-33600",
                        "cve_description": "nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-06 20:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-33601",
                        "url": "https://ubuntu.com/security/CVE-2024-33601",
                        "cve_description": "nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-06 20:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-33602",
                        "url": "https://ubuntu.com/security/CVE-2024-33602",
                        "cve_description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-06 20:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-33599",
                                "url": "https://ubuntu.com/security/CVE-2024-33599",
                                "cve_description": "nscd: Stack-based buffer overflow in netgroup cache If the Name Service Cache Daemon's (nscd) fixed size cache is exhausted by client requests then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-06 20:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-33600",
                                "url": "https://ubuntu.com/security/CVE-2024-33600",
                                "cve_description": "nscd: Null pointer crashes after notfound response If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-06 20:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-33601",
                                "url": "https://ubuntu.com/security/CVE-2024-33601",
                                "cve_description": "nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-06 20:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-33602",
                                "url": "https://ubuntu.com/security/CVE-2024-33602",
                                "cve_description": "nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-06 20:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Stack-based buffer overflow",
                            "    - debian/patches/CVE-2024-33599.patch: CVE-2024-33599: nscd: Stack-",
                            "      based buffer overflow in netgroup cache.",
                            "    - CVE-2024-33599",
                            "  * SECURITY UPDATE: Null pointer",
                            "    - debian/patches/CVE-2024-33600_1.patch: CVE-2024-33600: nscd: Avoid",
                            "      null pointer crashes after notfound response.",
                            "    - debian/patches/CVE-2024-33600_2.patch: CVE-2024-33600: nscd: Do",
                            "      not send missing not-found response in addgetnetgrentX.",
                            "    - CVE-2024-33600",
                            "  * SECURITY UPDATE: Memory corruption",
                            "    - debian/patches/CVE-2024-33601_33602.patch: CVE-2024-33601, CVE-",
                            "      2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX.",
                            "    - CVE-2024-33601",
                            "    - CVE-2024-33602",
                            ""
                        ],
                        "package": "glibc",
                        "version": "2.39-0ubuntu8.2",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Paulo Flabiano Smorigo <pfsmorigo@canonical.com>",
                        "date": "Tue, 30 Apr 2024 15:02:13 -0300"
                    }
                ],
                "notes": null
            },
            {
                "name": "python3-cryptography",
                "from_version": {
                    "source_package_name": "python-cryptography",
                    "source_package_version": "41.0.7-4build3",
                    "version": "41.0.7-4build3"
                },
                "to_version": {
                    "source_package_name": "python-cryptography",
                    "source_package_version": "41.0.7-4ubuntu0.1",
                    "version": "41.0.7-4ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-26130",
                        "url": "https://ubuntu.com/security/CVE-2024-26130",
                        "cve_description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-02-21 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-26130",
                                "url": "https://ubuntu.com/security/CVE-2024-26130",
                                "cve_description": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-02-21 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: null pointer dereference",
                            "    - debian/patches/CVE-2024-26130.patch: null check before dereference",
                            "    - CVE-2024-26130",
                            ""
                        ],
                        "package": "python-cryptography",
                        "version": "41.0.7-4ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Jorge Sancho Larraz <jorge.sancho.larraz@canonical.com>",
                        "date": "Mon, 27 May 2024 09:18:06 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "python3-jinja2",
                "from_version": {
                    "source_package_name": "jinja2",
                    "source_package_version": "3.1.2-1ubuntu1",
                    "version": "3.1.2-1ubuntu1"
                },
                "to_version": {
                    "source_package_name": "jinja2",
                    "source_package_version": "3.1.2-1ubuntu1.1",
                    "version": "3.1.2-1ubuntu1.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-34064",
                        "url": "https://ubuntu.com/security/CVE-2024-34064",
                        "cve_description": "Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-06 15:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-34064",
                                "url": "https://ubuntu.com/security/CVE-2024-34064",
                                "cve_description": "Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-06 15:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Cross-Site scripting in xmlattr filter",
                            "    - debian/patches/CVE-2024-34064.patch: disallow invalid characters ",
                            "      in keys to xmlattr filter",
                            "    - CVE-2024-34064",
                            ""
                        ],
                        "package": "jinja2",
                        "version": "3.1.2-1ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Nick Galanis <nick.galanis@canonical.com>",
                        "date": "Tue, 21 May 2024 15:32:08 +0100"
                    }
                ],
                "notes": null
            },
            {
                "name": "systemd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8",
                    "version": "255.4-1ubuntu8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.1",
                    "version": "255.4-1ubuntu8.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2047975,
                    2054761,
                    2064096,
                    2065964
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/systemd-resolved.postinst: ignore cp failure (LP: #2047975)",
                            "  * debian/systemd.postinst: don't restart user managers if too old (LP: #2054761)",
                            "  * switch-root: use MS_MOVE for /run when switching from initrd (LP: #2064096)",
                            "  * test: check for kernel.apparmor_restrict_unprivileged_userns (LP: #2065964)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2047975,
                            2054761,
                            2064096,
                            2065964
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 17 May 2024 10:47:34 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "systemd-dev",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8",
                    "version": "255.4-1ubuntu8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.1",
                    "version": "255.4-1ubuntu8.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2047975,
                    2054761,
                    2064096,
                    2065964
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/systemd-resolved.postinst: ignore cp failure (LP: #2047975)",
                            "  * debian/systemd.postinst: don't restart user managers if too old (LP: #2054761)",
                            "  * switch-root: use MS_MOVE for /run when switching from initrd (LP: #2064096)",
                            "  * test: check for kernel.apparmor_restrict_unprivileged_userns (LP: #2065964)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2047975,
                            2054761,
                            2064096,
                            2065964
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 17 May 2024 10:47:34 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "systemd-resolved",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8",
                    "version": "255.4-1ubuntu8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.1",
                    "version": "255.4-1ubuntu8.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2047975,
                    2054761,
                    2064096,
                    2065964
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/systemd-resolved.postinst: ignore cp failure (LP: #2047975)",
                            "  * debian/systemd.postinst: don't restart user managers if too old (LP: #2054761)",
                            "  * switch-root: use MS_MOVE for /run when switching from initrd (LP: #2064096)",
                            "  * test: check for kernel.apparmor_restrict_unprivileged_userns (LP: #2065964)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2047975,
                            2054761,
                            2064096,
                            2065964
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 17 May 2024 10:47:34 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "systemd-sysv",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8",
                    "version": "255.4-1ubuntu8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.1",
                    "version": "255.4-1ubuntu8.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2047975,
                    2054761,
                    2064096,
                    2065964
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/systemd-resolved.postinst: ignore cp failure (LP: #2047975)",
                            "  * debian/systemd.postinst: don't restart user managers if too old (LP: #2054761)",
                            "  * switch-root: use MS_MOVE for /run when switching from initrd (LP: #2064096)",
                            "  * test: check for kernel.apparmor_restrict_unprivileged_userns (LP: #2065964)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2047975,
                            2054761,
                            2064096,
                            2065964
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 17 May 2024 10:47:34 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "systemd-timesyncd",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8",
                    "version": "255.4-1ubuntu8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.1",
                    "version": "255.4-1ubuntu8.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2047975,
                    2054761,
                    2064096,
                    2065964
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/systemd-resolved.postinst: ignore cp failure (LP: #2047975)",
                            "  * debian/systemd.postinst: don't restart user managers if too old (LP: #2054761)",
                            "  * switch-root: use MS_MOVE for /run when switching from initrd (LP: #2064096)",
                            "  * test: check for kernel.apparmor_restrict_unprivileged_userns (LP: #2065964)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2047975,
                            2054761,
                            2064096,
                            2065964
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 17 May 2024 10:47:34 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "tzdata",
                "from_version": {
                    "source_package_name": "tzdata",
                    "source_package_version": "2024a-2ubuntu1",
                    "version": "2024a-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "tzdata",
                    "source_package_version": "2024a-3ubuntu1.1",
                    "version": "2024a-3ubuntu1.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2062522,
                    2062522
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/rules: Support creating symlinks pointing to symlinks",
                            "  * Fixup for avoid timezones being symlinks to symlinks (LP: #2062522)",
                            ""
                        ],
                        "package": "tzdata",
                        "version": "2024a-3ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2062522
                        ],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 03 May 2024 13:27:11 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Merge with Debian unstable. Remaining changes:",
                            "    - Ship 2024a ICU timezone data which are utilized by PHP in tzdata-icu",
                            "    - Add autopkgtest test case for ICU timezone data",
                            "    - Do not rename NEWS into changelog.gz, this fixes a build failure on",
                            "      moment-timezone.js",
                            "    - Point Vcs-Browser/Git to Launchpad",
                            "    - generate_debconf_templates: Work around AttributeError on icu import",
                            ""
                        ],
                        "package": "tzdata",
                        "version": "2024a-3ubuntu1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [],
                        "author": "Benjamin Drung <bdrung@ubuntu.com>",
                        "date": "Fri, 19 Apr 2024 21:51:58 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Avoid timezones being symlinks to symlinks to avoid breaking C++20 standard",
                            "    expectation (LP: #2062522)",
                            ""
                        ],
                        "package": "tzdata",
                        "version": "2024a-3",
                        "urgency": "medium",
                        "distributions": "unstable",
                        "launchpad_bugs_fixed": [
                            2062522
                        ],
                        "author": "Benjamin Drung <bdrung@debian.org>",
                        "date": "Fri, 19 Apr 2024 21:38:15 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "ubuntu-pro-client",
                "from_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "31.2.3",
                    "version": "31.2.3"
                },
                "to_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "32.3~24.04",
                    "version": "32.3~24.04"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2060732,
                    2067319,
                    2066929,
                    2065573,
                    2065616,
                    2060732,
                    2033313,
                    2031192
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Backport 32.3 to noble (LP: #2060732)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "32.3~24.04",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2060732
                        ],
                        "author": "Renan Rodrigo <renanrodrigo@canonical.com>",
                        "date": "Tue, 28 May 2024 15:15:48 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/apparmor: adjust the profiles to account for usr-merge consequences",
                            "    (LP: #2067319)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "32.3",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [
                            2067319
                        ],
                        "author": "Renan Rodrigo <renanrodrigo@canonical.com>",
                        "date": "Tue, 28 May 2024 14:43:12 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/apparmor: adjust rules for violations found during testing (LP: #2066929)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "32.2",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [
                            2066929
                        ],
                        "author": "Grant Orndorff <grant.orndorff@canonical.com>",
                        "date": "Thu, 23 May 2024 10:47:11 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/apparmor: allow access for /etc/os-release on all supported",
                            "    profiles (LP: #2065573)",
                            "  * apport: get path for timer job status from the correct place (LP: #2065616)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "32.1",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [
                            2065573,
                            2065616
                        ],
                        "author": "Lucas Moura <lucas.moura@canonical.com>",
                        "date": "Tue, 14 May 2024 11:22:35 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/postinst: ensure migrations happen in correct package postinst (GH: #2982)",
                            "  * d/apparmor: introduce new ubuntu_pro_esm_cache apparmor policy",
                            "  * New upstream release 32 (LP: #2060732)",
                            "    - api:",
                            "      + u.pro.attach.token.full_token_attach.v1: add support for attach",
                            "        with token",
                            "      + u.pro.services.disable.v1: add support for disable operation",
                            "      + u.pro.services.enable.v1: add support for enable operation",
                            "      + u.pro.detach.v1: add support for detach operation",
                            "      + u.pro.status.is_attached.v1: add extra fields to API response",
                            "      + u.pro.services.dependencies.v1: add support for service dependencies",
                            "      + u.pro.security.fix.*.plan.v1: update ESM cache during plan API",
                            "        if needed",
                            "    - apt_news: add architectures and packages selectors filters for apt news",
                            "    - cli:",
                            "      + improved cli/log message for unexpected errors (GH: #2600)",
                            "      + properly handle setting empty config values (GH: #2925)",
                            "    - cloud-init: support ubuntu_pro user-data",
                            "    - collect-logs: update default output file to pro_logs.tar.gz (LP: #2033313)",
                            "    - config: create public and private config (GH: #2809)",
                            "    - entitlements:",
                            "      + update logic that checks if a service is enabled (LP: #2031192)",
                            "    - fips: warn/confirm with user if enabling fips downgrades the kernel",
                            "    - fix: warn users if ESM cache cannot be updated (GH: #2841)",
                            "    - logging:",
                            "      + use journald logging for all systemd services",
                            "      + add redundancy to secret redaction",
                            "    - messaging:",
                            "      + add consistent messaging for end of contract state",
                            "      + make explicit that unattached enable/disable is a noop (GH: #2487)",
                            "      + make explicit that disabling a disabled service is a noop",
                            "      + make explicit that enabling an enabled service is a noop",
                            "    - notices: filter unreadable notices when listing notices (GH: #2898)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "32",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [
                            2060732,
                            2033313,
                            2031192
                        ],
                        "author": "Lucas Moura <lucas.moura@canonical.com>",
                        "date": "Tue, 09 Apr 2024 17:33:36 -0300"
                    }
                ],
                "notes": null
            },
            {
                "name": "ubuntu-pro-client-l10n",
                "from_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "31.2.3",
                    "version": "31.2.3"
                },
                "to_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "32.3~24.04",
                    "version": "32.3~24.04"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2060732,
                    2067319,
                    2066929,
                    2065573,
                    2065616,
                    2060732,
                    2033313,
                    2031192
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Backport 32.3 to noble (LP: #2060732)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "32.3~24.04",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2060732
                        ],
                        "author": "Renan Rodrigo <renanrodrigo@canonical.com>",
                        "date": "Tue, 28 May 2024 15:15:48 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/apparmor: adjust the profiles to account for usr-merge consequences",
                            "    (LP: #2067319)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "32.3",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [
                            2067319
                        ],
                        "author": "Renan Rodrigo <renanrodrigo@canonical.com>",
                        "date": "Tue, 28 May 2024 14:43:12 -0300"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/apparmor: adjust rules for violations found during testing (LP: #2066929)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "32.2",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [
                            2066929
                        ],
                        "author": "Grant Orndorff <grant.orndorff@canonical.com>",
                        "date": "Thu, 23 May 2024 10:47:11 -0500"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/apparmor: allow access for /etc/os-release on all supported",
                            "    profiles (LP: #2065573)",
                            "  * apport: get path for timer job status from the correct place (LP: #2065616)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "32.1",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [
                            2065573,
                            2065616
                        ],
                        "author": "Lucas Moura <lucas.moura@canonical.com>",
                        "date": "Tue, 14 May 2024 11:22:35 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/postinst: ensure migrations happen in correct package postinst (GH: #2982)",
                            "  * d/apparmor: introduce new ubuntu_pro_esm_cache apparmor policy",
                            "  * New upstream release 32 (LP: #2060732)",
                            "    - api:",
                            "      + u.pro.attach.token.full_token_attach.v1: add support for attach",
                            "        with token",
                            "      + u.pro.services.disable.v1: add support for disable operation",
                            "      + u.pro.services.enable.v1: add support for enable operation",
                            "      + u.pro.detach.v1: add support for detach operation",
                            "      + u.pro.status.is_attached.v1: add extra fields to API response",
                            "      + u.pro.services.dependencies.v1: add support for service dependencies",
                            "      + u.pro.security.fix.*.plan.v1: update ESM cache during plan API",
                            "        if needed",
                            "    - apt_news: add architectures and packages selectors filters for apt news",
                            "    - cli:",
                            "      + improved cli/log message for unexpected errors (GH: #2600)",
                            "      + properly handle setting empty config values (GH: #2925)",
                            "    - cloud-init: support ubuntu_pro user-data",
                            "    - collect-logs: update default output file to pro_logs.tar.gz (LP: #2033313)",
                            "    - config: create public and private config (GH: #2809)",
                            "    - entitlements:",
                            "      + update logic that checks if a service is enabled (LP: #2031192)",
                            "    - fips: warn/confirm with user if enabling fips downgrades the kernel",
                            "    - fix: warn users if ESM cache cannot be updated (GH: #2841)",
                            "    - logging:",
                            "      + use journald logging for all systemd services",
                            "      + add redundancy to secret redaction",
                            "    - messaging:",
                            "      + add consistent messaging for end of contract state",
                            "      + make explicit that unattached enable/disable is a noop (GH: #2487)",
                            "      + make explicit that disabling a disabled service is a noop",
                            "      + make explicit that enabling an enabled service is a noop",
                            "    - notices: filter unreadable notices when listing notices (GH: #2898)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "32",
                        "urgency": "medium",
                        "distributions": "oracular",
                        "launchpad_bugs_fixed": [
                            2060732,
                            2033313,
                            2031192
                        ],
                        "author": "Lucas Moura <lucas.moura@canonical.com>",
                        "date": "Tue, 09 Apr 2024 17:33:36 -0300"
                    }
                ],
                "notes": null
            },
            {
                "name": "udev",
                "from_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8",
                    "version": "255.4-1ubuntu8"
                },
                "to_version": {
                    "source_package_name": "systemd",
                    "source_package_version": "255.4-1ubuntu8.1",
                    "version": "255.4-1ubuntu8.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2047975,
                    2054761,
                    2064096,
                    2065964
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * debian/systemd-resolved.postinst: ignore cp failure (LP: #2047975)",
                            "  * debian/systemd.postinst: don't restart user managers if too old (LP: #2054761)",
                            "  * switch-root: use MS_MOVE for /run when switching from initrd (LP: #2064096)",
                            "  * test: check for kernel.apparmor_restrict_unprivileged_userns (LP: #2065964)",
                            ""
                        ],
                        "package": "systemd",
                        "version": "255.4-1ubuntu8.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2047975,
                            2054761,
                            2064096,
                            2065964
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Fri, 17 May 2024 10:47:34 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "vim",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0016-1ubuntu7",
                    "version": "2:9.1.0016-1ubuntu7"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0016-1ubuntu7.1",
                    "version": "2:9.1.0016-1ubuntu7.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2064687
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Ensure Ubuntu codenames are current (LP: #2064687).",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.0016-1ubuntu7.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2064687
                        ],
                        "author": "Simon Quigley <tsimonq2@ubuntu.com>",
                        "date": "Thu, 02 May 2024 21:45:42 -0500"
                    }
                ],
                "notes": null
            },
            {
                "name": "vim-common",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0016-1ubuntu7",
                    "version": "2:9.1.0016-1ubuntu7"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0016-1ubuntu7.1",
                    "version": "2:9.1.0016-1ubuntu7.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2064687
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Ensure Ubuntu codenames are current (LP: #2064687).",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.0016-1ubuntu7.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2064687
                        ],
                        "author": "Simon Quigley <tsimonq2@ubuntu.com>",
                        "date": "Thu, 02 May 2024 21:45:42 -0500"
                    }
                ],
                "notes": null
            },
            {
                "name": "vim-runtime",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0016-1ubuntu7",
                    "version": "2:9.1.0016-1ubuntu7"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0016-1ubuntu7.1",
                    "version": "2:9.1.0016-1ubuntu7.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2064687
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Ensure Ubuntu codenames are current (LP: #2064687).",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.0016-1ubuntu7.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2064687
                        ],
                        "author": "Simon Quigley <tsimonq2@ubuntu.com>",
                        "date": "Thu, 02 May 2024 21:45:42 -0500"
                    }
                ],
                "notes": null
            },
            {
                "name": "vim-tiny",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0016-1ubuntu7",
                    "version": "2:9.1.0016-1ubuntu7"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0016-1ubuntu7.1",
                    "version": "2:9.1.0016-1ubuntu7.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2064687
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Ensure Ubuntu codenames are current (LP: #2064687).",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.0016-1ubuntu7.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2064687
                        ],
                        "author": "Simon Quigley <tsimonq2@ubuntu.com>",
                        "date": "Thu, 02 May 2024 21:45:42 -0500"
                    }
                ],
                "notes": null
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0016-1ubuntu7",
                    "version": "2:9.1.0016-1ubuntu7"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0016-1ubuntu7.1",
                    "version": "2:9.1.0016-1ubuntu7.1"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2064687
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Ensure Ubuntu codenames are current (LP: #2064687).",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.0016-1ubuntu7.1",
                        "urgency": "medium",
                        "distributions": "noble",
                        "launchpad_bugs_fixed": [
                            2064687
                        ],
                        "author": "Simon Quigley <tsimonq2@ubuntu.com>",
                        "date": "Thu, 02 May 2024 21:45:42 -0500"
                    }
                ],
                "notes": null
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [],
        "snap": []
    },
    "removed": {
        "deb": [],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 24.04 noble image from release image serial 20240523.1 to 20240605.1",
    "from_series": "noble",
    "to_series": "noble",
    "from_serial": "20240523.1",
    "to_serial": "20240605.1",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}