{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-image-6.17.0-23-generic",
                "linux-modules-6.17.0-23-generic"
            ],
            "removed": [
                "linux-image-6.17.0-22-generic",
                "linux-modules-6.17.0-22-generic"
            ],
            "diff": [
                "kmod",
                "libcap2",
                "libcap2-bin",
                "libkmod2",
                "linux-image-virtual",
                "openssh-client",
                "openssh-server",
                "openssh-sftp-server",
                "python3-distupgrade",
                "snapd",
                "ubuntu-pro-client",
                "ubuntu-release-upgrader-core",
                "xxd"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "kmod",
                "from_version": {
                    "source_package_name": "kmod",
                    "source_package_version": "34.2-2ubuntu1",
                    "version": "34.2-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "kmod",
                    "source_package_version": "34.2-2ubuntu1.1",
                    "version": "34.2-2ubuntu1.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-31431",
                        "url": "https://ubuntu.com/security/CVE-2026-31431",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-23"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2150743
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-31431",
                                "url": "https://ubuntu.com/security/CVE-2026-31431",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-23"
                            }
                        ],
                        "log": [
                            "",
                            "  * Disable loading of algif_aead module to mitigate CVE-2026-31431",
                            "    (LP: #2150743)",
                            "    - debian/modprobe.d/disable-algif_aead.conf",
                            ""
                        ],
                        "package": "kmod",
                        "version": "34.2-2ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [
                            2150743
                        ],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 30 Apr 2026 08:31:34 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcap2",
                "from_version": {
                    "source_package_name": "libcap2",
                    "source_package_version": "1:2.75-7ubuntu2",
                    "version": "1:2.75-7ubuntu2"
                },
                "to_version": {
                    "source_package_name": "libcap2",
                    "source_package_version": "1:2.75-7ubuntu2.2",
                    "version": "1:2.75-7ubuntu2.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-4878",
                        "url": "https://ubuntu.com/security/CVE-2026-4878",
                        "cve_description": "A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-09 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-4878",
                                "url": "https://ubuntu.com/security/CVE-2026-4878",
                                "cve_description": "A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-09 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: potential TOCTOU race condition in cap_set_file()",
                            "    - debian/patches/CVE-2026-4878.patch: fix race in libcap/cap_file.c,",
                            "      progs/quicktest.sh.",
                            "    - CVE-2026-4878",
                            ""
                        ],
                        "package": "libcap2",
                        "version": "1:2.75-7ubuntu2.2",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 09 Apr 2026 11:04:10 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libcap2-bin",
                "from_version": {
                    "source_package_name": "libcap2",
                    "source_package_version": "1:2.75-7ubuntu2",
                    "version": "1:2.75-7ubuntu2"
                },
                "to_version": {
                    "source_package_name": "libcap2",
                    "source_package_version": "1:2.75-7ubuntu2.2",
                    "version": "1:2.75-7ubuntu2.2"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-4878",
                        "url": "https://ubuntu.com/security/CVE-2026-4878",
                        "cve_description": "A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-09 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-4878",
                                "url": "https://ubuntu.com/security/CVE-2026-4878",
                                "cve_description": "A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the `cap_set_file()` function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-09 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: potential TOCTOU race condition in cap_set_file()",
                            "    - debian/patches/CVE-2026-4878.patch: fix race in libcap/cap_file.c,",
                            "      progs/quicktest.sh.",
                            "    - CVE-2026-4878",
                            ""
                        ],
                        "package": "libcap2",
                        "version": "1:2.75-7ubuntu2.2",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 09 Apr 2026 11:04:10 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "libkmod2",
                "from_version": {
                    "source_package_name": "kmod",
                    "source_package_version": "34.2-2ubuntu1",
                    "version": "34.2-2ubuntu1"
                },
                "to_version": {
                    "source_package_name": "kmod",
                    "source_package_version": "34.2-2ubuntu1.1",
                    "version": "34.2-2ubuntu1.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-31431",
                        "url": "https://ubuntu.com/security/CVE-2026-31431",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-04-23"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2150743
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-31431",
                                "url": "https://ubuntu.com/security/CVE-2026-31431",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-04-23"
                            }
                        ],
                        "log": [
                            "",
                            "  * Disable loading of algif_aead module to mitigate CVE-2026-31431",
                            "    (LP: #2150743)",
                            "    - debian/modprobe.d/disable-algif_aead.conf",
                            ""
                        ],
                        "package": "kmod",
                        "version": "34.2-2ubuntu1.1",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [
                            2150743
                        ],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Thu, 30 Apr 2026 08:31:34 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-image-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.17.0-22.22",
                    "version": "6.17.0-22.22"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.17.0-23.23",
                    "version": "6.17.0-23.23"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.17.0-23.23",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.17.0-23.23",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Sat, 11 Apr 2026 23:38:36 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-client",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.0p1-5ubuntu5.1",
                    "version": "1:10.0p1-5ubuntu5.1"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.0p1-5ubuntu5.4",
                    "version": "1:10.0p1-5ubuntu5.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35385",
                        "url": "https://ubuntu.com/security/CVE-2026-35385",
                        "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35386",
                        "url": "https://ubuntu.com/security/CVE-2026-35386",
                        "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35387",
                        "url": "https://ubuntu.com/security/CVE-2026-35387",
                        "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35388",
                        "url": "https://ubuntu.com/security/CVE-2026-35388",
                        "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35414",
                        "url": "https://ubuntu.com/security/CVE-2026-35414",
                        "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 18:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2147451
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35385",
                                "url": "https://ubuntu.com/security/CVE-2026-35385",
                                "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35386",
                                "url": "https://ubuntu.com/security/CVE-2026-35386",
                                "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35387",
                                "url": "https://ubuntu.com/security/CVE-2026-35387",
                                "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35388",
                                "url": "https://ubuntu.com/security/CVE-2026-35388",
                                "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35414",
                                "url": "https://ubuntu.com/security/CVE-2026-35414",
                                "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: unexpected scp setuid and setgid",
                            "    - debian/patches/CVE-2026-35385.patch: clear setuid/setgid bits from",
                            "      downloaded files in scp.c.",
                            "    - CVE-2026-35385",
                            "  * SECURITY UPDATE: command execution via shell metacharacters in username",
                            "    - debian/patches/CVE-2026-35386-pre1.patch: apply validity rules on",
                            "      ProxyJump usernames and hostnames in readconf.c, readconf.h, ssh.c.",
                            "    - debian/patches/CVE-2026-35386.patch: move username check earlier in",
                            "      ssh.c.",
                            "    - debian/patches/CVE-2026-35386-2.patch: adapt to username validity",
                            "      check change in regress/percent.sh.",
                            "    - CVE-2026-35386",
                            "  * SECURITY UPDATE: use of unintended ECDSA algorithms",
                            "    - debian/patches/CVE-2026-35387_35414.patch: correctly match ECDSA",
                            "      signature algorithms against algorithm allowlists in",
                            "      auth2-hostbased.c, auth2-pubkey.c, sshconnect2.c.",
                            "    - CVE-2026-35387",
                            "  * SECURITY UPDATE: missing connection multiplexing confirmation",
                            "    - debian/patches/CVE-2026-35388.patch: add missing askpass check in",
                            "      mux.c.",
                            "    - CVE-2026-35388",
                            "  * SECURITY UPDATE: authorized_keys principals option mishandling",
                            "    - debian/patches/CVE-2026-35387_35414.patch: check for commas in",
                            "      auth2-pubkeyfile.c.",
                            "    - CVE-2026-35414",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.0p1-5ubuntu5.4",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 27 Apr 2026 20:24:02 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * repair test after changes to percent expansion of usernames",
                            "    (LP: #2147451)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.0p1-5ubuntu5.2",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2147451
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 07 Apr 2026 10:00:59 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.0p1-5ubuntu5.1",
                    "version": "1:10.0p1-5ubuntu5.1"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.0p1-5ubuntu5.4",
                    "version": "1:10.0p1-5ubuntu5.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35385",
                        "url": "https://ubuntu.com/security/CVE-2026-35385",
                        "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35386",
                        "url": "https://ubuntu.com/security/CVE-2026-35386",
                        "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35387",
                        "url": "https://ubuntu.com/security/CVE-2026-35387",
                        "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35388",
                        "url": "https://ubuntu.com/security/CVE-2026-35388",
                        "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35414",
                        "url": "https://ubuntu.com/security/CVE-2026-35414",
                        "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 18:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2147451
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35385",
                                "url": "https://ubuntu.com/security/CVE-2026-35385",
                                "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35386",
                                "url": "https://ubuntu.com/security/CVE-2026-35386",
                                "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configuration of % in ssh_config.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35387",
                                "url": "https://ubuntu.com/security/CVE-2026-35387",
                                "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35388",
                                "url": "https://ubuntu.com/security/CVE-2026-35388",
                                "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35414",
                                "url": "https://ubuntu.com/security/CVE-2026-35414",
                                "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: unexpected scp setuid and setgid",
                            "    - debian/patches/CVE-2026-35385.patch: clear setuid/setgid bits from",
                            "      downloaded files in scp.c.",
                            "    - CVE-2026-35385",
                            "  * SECURITY UPDATE: command execution via shell metacharacters in username",
                            "    - debian/patches/CVE-2026-35386-pre1.patch: apply validity rules on",
                            "      ProxyJump usernames and hostnames in readconf.c, readconf.h, ssh.c.",
                            "    - debian/patches/CVE-2026-35386.patch: move username check earlier in",
                            "      ssh.c.",
                            "    - debian/patches/CVE-2026-35386-2.patch: adapt to username validity",
                            "      check change in regress/percent.sh.",
                            "    - CVE-2026-35386",
                            "  * SECURITY UPDATE: use of unintended ECDSA algorithms",
                            "    - debian/patches/CVE-2026-35387_35414.patch: correctly match ECDSA",
                            "      signature algorithms against algorithm allowlists in",
                            "      auth2-hostbased.c, auth2-pubkey.c, sshconnect2.c.",
                            "    - CVE-2026-35387",
                            "  * SECURITY UPDATE: missing connection multiplexing confirmation",
                            "    - debian/patches/CVE-2026-35388.patch: add missing askpass check in",
                            "      mux.c.",
                            "    - CVE-2026-35388",
                            "  * SECURITY UPDATE: authorized_keys principals option mishandling",
                            "    - debian/patches/CVE-2026-35387_35414.patch: check for commas in",
                            "      auth2-pubkeyfile.c.",
                            "    - CVE-2026-35414",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.0p1-5ubuntu5.4",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 27 Apr 2026 20:24:02 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * repair test after changes to percent expansion of usernames",
                            "    (LP: #2147451)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.0p1-5ubuntu5.2",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2147451
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 07 Apr 2026 10:00:59 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "openssh-sftp-server",
                "from_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.0p1-5ubuntu5.1",
                    "version": "1:10.0p1-5ubuntu5.1"
                },
                "to_version": {
                    "source_package_name": "openssh",
                    "source_package_version": "1:10.0p1-5ubuntu5.4",
                    "version": "1:10.0p1-5ubuntu5.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35385",
                        "url": "https://ubuntu.com/security/CVE-2026-35385",
                        "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35386",
                        "url": "https://ubuntu.com/security/CVE-2026-35386",
                        "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35387",
                        "url": "https://ubuntu.com/security/CVE-2026-35387",
                        "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35388",
                        "url": "https://ubuntu.com/security/CVE-2026-35388",
                        "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 17:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-35414",
                        "url": "https://ubuntu.com/security/CVE-2026-35414",
                        "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-02 18:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2147451
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35385",
                                "url": "https://ubuntu.com/security/CVE-2026-35385",
                                "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35386",
                                "url": "https://ubuntu.com/security/CVE-2026-35386",
                                "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35387",
                                "url": "https://ubuntu.com/security/CVE-2026-35387",
                                "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35388",
                                "url": "https://ubuntu.com/security/CVE-2026-35388",
                                "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 17:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-35414",
                                "url": "https://ubuntu.com/security/CVE-2026-35414",
                                "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-02 18:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: unexpected scp setuid and setgid",
                            "    - debian/patches/CVE-2026-35385.patch: clear setuid/setgid bits from",
                            "      downloaded files in scp.c.",
                            "    - CVE-2026-35385",
                            "  * SECURITY UPDATE: command execution via shell metacharacters in username",
                            "    - debian/patches/CVE-2026-35386-pre1.patch: apply validity rules on",
                            "      ProxyJump usernames and hostnames in readconf.c, readconf.h, ssh.c.",
                            "    - debian/patches/CVE-2026-35386.patch: move username check earlier in",
                            "      ssh.c.",
                            "    - debian/patches/CVE-2026-35386-2.patch: adapt to username validity",
                            "      check change in regress/percent.sh.",
                            "    - CVE-2026-35386",
                            "  * SECURITY UPDATE: use of unintended ECDSA algorithms",
                            "    - debian/patches/CVE-2026-35387_35414.patch: correctly match ECDSA",
                            "      signature algorithms against algorithm allowlists in",
                            "      auth2-hostbased.c, auth2-pubkey.c, sshconnect2.c.",
                            "    - CVE-2026-35387",
                            "  * SECURITY UPDATE: missing connection multiplexing confirmation",
                            "    - debian/patches/CVE-2026-35388.patch: add missing askpass check in",
                            "      mux.c.",
                            "    - CVE-2026-35388",
                            "  * SECURITY UPDATE: authorized_keys principals option mishandling",
                            "    - debian/patches/CVE-2026-35387_35414.patch: check for commas in",
                            "      auth2-pubkeyfile.c.",
                            "    - CVE-2026-35414",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.0p1-5ubuntu5.4",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Mon, 27 Apr 2026 20:24:02 -0400"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * repair test after changes to percent expansion of usernames",
                            "    (LP: #2147451)",
                            ""
                        ],
                        "package": "openssh",
                        "version": "1:10.0p1-5ubuntu5.2",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2147451
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Tue, 07 Apr 2026 10:00:59 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-distupgrade",
                "from_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:25.10.8",
                    "version": "1:25.10.8"
                },
                "to_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:25.10.9",
                    "version": "1:25.10.9"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2146830
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * all: clean forgotten -m references (LP: #2146830)",
                            "  * DistUpgrade: correct version number in EOL announcements",
                            "  * Run pre-build.sh: updating mirrors.",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:25.10.9",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2146830
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Mon, 30 Mar 2026 15:13:41 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "snapd",
                "from_version": {
                    "source_package_name": "snapd",
                    "source_package_version": "2.73+ubuntu25.10.1",
                    "version": "2.73+ubuntu25.10.1"
                },
                "to_version": {
                    "source_package_name": "snapd",
                    "source_package_version": "2.74.1+ubuntu25.10.4",
                    "version": "2.74.1+ubuntu25.10.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-3888",
                        "url": "https://ubuntu.com/security/CVE-2026-3888",
                        "cve_description": "Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-03-17 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2138629,
                    2141328,
                    2139611,
                    2139300,
                    2139099,
                    2141607,
                    2116949,
                    2068493,
                    2134364,
                    2124239,
                    2122054,
                    2117558,
                    1916244,
                    2121238,
                    2117121,
                    2112626,
                    2114704
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-3888",
                                "url": "https://ubuntu.com/security/CVE-2026-3888",
                                "cve_description": "Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory. This issue affects Ubuntu 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, and 24.04 LTS.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-03-17 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            " ",
                            "   * New upstream release, LP: #2138629",
                            "    - FDE: secboot fixes",
                            "    - Security: CVE-2026-3888",
                            "    - Packaging: fix deb package version number",
                            "    - Packaging: fix autopkgtest failure to install spread",
                            "    - Packaging: revert dropping transitional packages",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.74.1+ubuntu25.10.4",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2138629
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Thu, 02 Apr 2026 08:44:00 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "    - FDE: measure DeployedMode and AuditMode variables if they appear",
                            "      as disabled in the event log to avoid a potential reseal-failure",
                            "      boot loop",
                            "    - LP: #2141328 FDE: reuse preinstall check context during install to",
                            "      account for user-ignored errors",
                            "    - LP: #2139611 FDE: fix db updates by allowing multiple payloads",
                            "    - LP: #2139300 snap-confine: add CAP_SYS_RESOURCE to allow raising",
                            "      memory lock limit when required",
                            "    - LP: #2139099 snap-confine: bump the max element count of the BPF",
                            "      map used to store IDs of allowed/matched devices to 1000",
                            "    - LP: #2141607 Desktop: revert change that caused user daemons",
                            "      declaring the desktop plug to implicitly depend on graphical-",
                            "      session.target",
                            "    - Interfaces: Added pidfd_open and memfd_secret to seccomp template",
                            "    - Interfaces: camera | add locking permission for /dev/video",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.74.1+ubuntu25.10",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2141328,
                            2139611,
                            2139300,
                            2139099,
                            2141607
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Thu, 12 Feb 2026 21:27:23 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "    - FDE: use new activation API from secboot",
                            "    - FDE: use activation API also with non keydata keys",
                            "    - FDE: ignore internal recovery key expiration during install",
                            "    - FDE: support adding/removing PINs post-installation",
                            "    - FDE: support changing PINs post-installation",
                            "    - FDE: support adding a recovery key post-installation",
                            "    - FDE: provide activation status via new endpoint v2/system-",
                            "      info/storage-encrypted",
                            "    - FDE: support sealing and resealing using the preinstall check",
                            "      result",
                            "    - FDE: disable passphrase support during install",
                            "    - FDE: add keyboard configuration helpers",
                            "    - FDE: lazily inject keyboard layout configuration in kernel cmdline",
                            "    - FDE: enable pin tries and limits PIN entry attempts to 3",
                            "    - FDE: extend secureboot endpoint to accept DB, KEK, and PK",
                            "    - FDE: simplify /v2/system-volumes keyslots handling by allowing",
                            "      name-only entries, implicitly expanding to all system containers",
                            "    - FDE: support extra non-system key slot names to support agents",
                            "      such as Landscape to set dedicated recovery keys",
                            "    - FDE: initialize fde state after device state",
                            "    - FDE: use device node to find the storage container and keys",
                            "    - FDE: provide user visible name for disk based on ID_MODEL",
                            "    - FDE: update secboot in snapd with latest additions and fixes",
                            "    - core-initrd: add systemd service for setting plymouth keyboard",
                            "      layout and X11 keyboard layouts",
                            "    - core-initrd: set plymouth cleartext toggle option",
                            "    - core-initrd: fix plymouth missing font issue",
                            "    - core-initrd: update dependency from libteec1 to libteec2",
                            "    - core-initrd: add new dlopened libs",
                            "    - LP: #2116949 Preseeding: add support for preseeding of hybrid",
                            "      systems via the installer API",
                            "    - Preseeding: check whether a path is a mountpoint before remounting",
                            "    - Confdb: support tagging paths as secret in storage schemas",
                            "    - Confdb: support filtering on placeholder sub-keys",
                            "    - Confdb: support filtering in API and confdbstate",
                            "    - Confdb: support field filtering on reads",
                            "    - Confdb: support \"parameters\" stanza and check filters against them",
                            "    - Confdb: add support for '--with' constraints",
                            "    - Confdb: parsing fixes and error handling improvements",
                            "    - Assertions: restrict serials to new format in confdb-control",
                            "    - Assertions: add verify signature function",
                            "    - Remote device management: modify request-message assertion to",
                            "      expose its time constraints for remote device management",
                            "    - Remote device management: support polling of store messages",
                            "    - Remote device management: add signing of response messages with",
                            "      device key",
                            "    - Prompting: enable notify protocol v5 and test prompt restoration",
                            "      after snapd restart",
                            "    - snap: change malformed '--channel=' warning to error",
                            "    - snap: add 'snap report-issue' command to get the available contact",
                            "      details for the specified snap",
                            "    - snap: add 'snap version --verbose' flag to include information on",
                            "      snap binaries origin",
                            "    - snap: create the XDG_RUNTIME_DIR folder",
                            "    - LP: #2068493 snap: add support for 'snap refresh --tracking'",
                            "    - snapctl: add '--tracking' flag to 'snapctl refresh'",
                            "    - Reexec: include the info filepath in the version compare debug log",
                            "    - Reexec: add support for forcing reexec into an older snapd snap",
                            "      by setting SNAP_REEXEC=force in the environment",
                            "    - snap-confine: correct error message related to snap-confine group",
                            "      policy validation",
                            "    - snap-confine: ensure we only mount existing directories",
                            "    - LP: #2134364 snap-confine: handle potential race when creating",
                            "      /tmp/snap-private-tmp when lacking systemd-tmpfiles support",
                            "    - snap-confine: filter plus characters from security tags",
                            "    - Desktop: use desktop file IDs as desktop IDs",
                            "    - Desktop: store the common ID in the desktop file",
                            "    - Desktop: allow graphical daemons to show icons in the dock",
                            "    - Desktop: change user daemons with desktop plug defined to depend",
                            "      on graphical-session.target",
                            "    - dm-verity for essential snaps: made change to prerequisite struct",
                            "    - Cross-distro: modify SELinux profile to allow connecting to squid",
                            "      proxy",
                            "    - Cross-distro: add support for migrating snap mount directory",
                            "    - Packaging: drop ubuntu-14.04 packaging",
                            "    - Packaging: drop ubuntu-{14.04,16.04} transitional binary packages",
                            "    - Packaging: remove desktop files and state lock file during snapd",
                            "      purge",
                            "    - Packaging: fix inhibition hint file being left behind on failed",
                            "      unlink-current-snap",
                            "    - Disallow timeouts < 1us in systemd units",
                            "    - Add snap-store to the user-daemons support overrides",
                            "    - Support for SuccessExitStatus= generation for systemd daemon",
                            "    - Make standby output more verbose",
                            "    - Add prepare-serial-request hook",
                            "    - Try to discard snap mount namespaces when no processes are running",
                            "      during snap updates",
                            "    - Improve handling of snap downloads cache by introducing periodic",
                            "      cleanup with more aggressive policy",
                            "    - Interfaces: mediatek-accel | create new interface",
                            "    - Interfaces: nvidia-video-driver-libs | create new interface",
                            "    - Interfaces: *-driver-libs | accept component paths",
                            "    - Interfaces: desktop-legacy, unity7 | remove workaround for slash",
                            "      filtering in ibus address",
                            "    - Interfaces: fwupd | allow writing reboot notification in /run",
                            "    - Interfaces: add 'install' coreutil to base AppArmor template",
                            "    - Interfaces: u2f-devices | add apparmor permissions to allow the",
                            "      use of the libfido2 library in snaps",
                            "    - Interfaces: u2f-devices | add support for Thetis security key",
                            "    - Interfaces: add AppArmor workaround for mmap MAP_HUGETLB",
                            "    - Interfaces: timeserver-control | manage per-link ntp settings via",
                            "      systemd-networkd",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.74+ubuntu25.10",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2116949,
                            2068493,
                            2134364
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Tue, 20 Jan 2026 18:54:17 +0200"
                    },
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * New upstream release, LP: #2124239",
                            "    - FDE: support replacing TPM protected keys at runtime via the",
                            "      /v2/system-volumes endpoint",
                            "    - FDE: support secboot preinstall check fix actions for 25.10+",
                            "      hybrid installs via the /v2/system/{label} endpoint",
                            "    - FDE: tweak polkit message to remove jargon",
                            "    - FDE: ensure proper sealing with kernel command line defaults",
                            "    - FDE: provide generic reseal function",
                            "    - FDE: support using OPTEE for protecting keys, as an alternative to",
                            "      existing fde-setup hooks (Ubuntu Core only)",
                            "    - Confdb: 'snapctl get --view' supports passing default values",
                            "    - Confdb: content sub-rules in confdb-schemas inherit their parent",
                            "      rule's \"access\"",
                            "    - Confdb: make confdb error kinds used in API more generic",
                            "    - Confdb: fully support lists and indexed paths (including unset)",
                            "    - Prompting: add notice backend for prompting types (unused for now)",
                            "    - Prompting: include request cgroup in prompt",
                            "    - Prompting: handle unsupported xattrs",
                            "    - Prompting: add permission mapping for the camera interface",
                            "    - Notices: read notices from state without state lock",
                            "    - Notices: add methods to get notice fields and create, reoccur, and",
                            "      deepcopy notice",
                            "    - Notices: add notice manager to coordinate separate notice backends",
                            "    - Notices: support draining notices from state when notice backend",
                            "      registered as producer of a particular notice type",
                            "    - Notices: query notice manager from daemon instead of querying",
                            "      state for notices directly",
                            "    - Packaging: Ubuntu | ignore .git directory",
                            "    - Packaging: FIPS | bump deb Go FIPS to 1.23",
                            "    - Packaging: snap | bump FIPS toolchain to 1.23",
                            "    - Packaging: debian | sync most upstream changes",
                            "    - Packaging: debian-sid | depends on libcap2-bin for postinst",
                            "    - Packaging: Fedora | drop fakeroot",
                            "    - Packaging: snap | modify snapd.mk to pass build tags when running",
                            "      unit tests",
                            "    - Packaging: snap | modify snapd.mk to pass nooptee build tag",
                            "    - Packaging: modify Makefile.am to fix snap-confine install profile",
                            "      with 'make hack'",
                            "    - Packaging: modify Makefile.am to fix out-of-tree use of 'make",
                            "      hack'",
                            "    - LP: #2122054 Snap installation: skip snap icon download when",
                            "      running in a cloud or using a proxy store",
                            "    - Snap installation: add timeout to http client when downloading",
                            "      snap icon",
                            "    - Snap installation: use http(s) proxy for icon downloads",
                            "    - LP: #2117558 snap-confine: fix error message with /root/snap not",
                            "      accessible",
                            "    - snap-confine: fix non-suid limitation by switching to root:root to",
                            "      operate v1 freezer",
                            "    - core-initrd: do not use writable-paths when not available",
                            "    - core-initrd: remove debian folder",
                            "    - LP: #1916244 Interfaces: gpio-chardev | re-enable the gpio-chardev",
                            "      interface now with the more robust gpio-aggregator configfs kernel",
                            "      interface",
                            "    - Interfaces: gpio-chardev | exclusive snap connections, raise a",
                            "      conflict when both gpio-chardev and gpio are connected",
                            "    - Interfaces: gpio-chardev | fix gpio-aggregator module load order",
                            "    - Interfaces: ros-snapd-support | grant access to /v2/changes",
                            "    - Interfaces: cuda-driver-libs, egl-driver-libs, gbm-driver-libs,",
                            "      opengl-driver-libs, opengles-driver-libs | new interfaces to",
                            "      support nvidia driver components",
                            "    - Interfaces: microstack-support | allow DPDK (hugepage related",
                            "      permissions)",
                            "    - Interfaces: system-observe | allow reading additional files in",
                            "      /proc, needed by node-exporter",
                            "    - Interfaces: u2f | add Cano Key, Thesis FIDO2 BioFP+ Security Key",
                            "      and Kensington VeriMark DT Fingerprint Key to device list",
                            "    - Interfaces: snap-interfaces-requests-control | allow shell API",
                            "      control",
                            "    - Interfaces: fwupd | allow access to Intel CVS sysfs",
                            "    - Interfaces: hardware-observe | allow read access to Kernel",
                            "      Samepage Merging (KSM)",
                            "    - Interfaces: xilinx-dma | support Multi Queue DMA (QDMA) IP",
                            "    - Interfaces: spi | relax sysfs permission rules to allow access to",
                            "      SPI device node attributes",
                            "    - Interfaces: content | introduce compatibility label",
                            "    - LP: #2121238 Interfaces: do not expose Kerberos tickets for",
                            "      classic snaps",
                            "    - Interfaces: ssh-public-keys | allow ro access to public host keys",
                            "      with ssh-key",
                            "    - Interfaces: Modify AppArmor template to allow listing systemd",
                            "      credentials and invoking systemd-creds",
                            "    - Interfaces: modify AppArmor template with workarounds for Go 1.35",
                            "      cgroup aware GOMAXPROCS",
                            "    - Interfaces: modify seccomp template to allow landlock_*",
                            "    - Prevent snap hooks from running while relevant snaps are unlinked",
                            "    - Make refreshes wait before unlinking snaps if running hooks can be",
                            "      affected",
                            "    - Fix systemd unit generation by moving \"WantedBy=\" from section",
                            "      \"unit\" to \"install\"",
                            "    - Add opt-in logging support for snap-update-ns",
                            "    - Unhide 'snap help' sign and export-key under Development category",
                            "    - LP: #2117121 Cleanly support socket activation for classic snap",
                            "    - Add architecture to 'snap version' output",
                            "    - Add 'snap debug api' option to disable authentication through",
                            "      auth.json",
                            "    - Show grade in notes for 'snap info --verbose'",
                            "    - Fix preseeding failure due to scan-disk issue on RPi",
                            "    - Support 'snap debug api' queries to user session agents",
                            "    - LP: #2112626 Improve progress reporting for snap install/refresh",
                            "    - Drop legacy BAMF_DESKTOP_FILE_HINT in desktop files",
                            "    - Fix /v2/apps error for root user when user services are present",
                            "    - LP: #2114704 Extend output to indicate when snap data snapshot was",
                            "      created during remove",
                            "    - Improve how we handle emmc volumes",
                            "    - Improve handling of system-user extra assertions",
                            ""
                        ],
                        "package": "snapd",
                        "version": "2.72",
                        "urgency": "medium",
                        "distributions": "xenial",
                        "launchpad_bugs_fixed": [
                            2124239,
                            2122054,
                            2117558,
                            1916244,
                            2121238,
                            2117121,
                            2112626,
                            2114704
                        ],
                        "author": "Ernest Lotter <ernest.lotter@canonical.com>",
                        "date": "Thu, 18 Sep 2025 10:00:54 +0200"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-pro-client",
                "from_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "37.1ubuntu0~25.10",
                    "version": "37.1ubuntu0~25.10"
                },
                "to_version": {
                    "source_package_name": "ubuntu-advantage-tools",
                    "source_package_version": "37.2ubuntu~25.10",
                    "version": "37.2ubuntu~25.10"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2131292
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * d/apparmor/ubuntu_pro_esm_cache.jinja2: fix \"DENIED\" messages when",
                            "    devicetree exists (LP: #2131292)",
                            ""
                        ],
                        "package": "ubuntu-advantage-tools",
                        "version": "37.2ubuntu~25.10",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2131292
                        ],
                        "author": "Renan Rodrigo <rr@ubuntu.com>",
                        "date": "Tue, 07 Apr 2026 15:18:57 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "ubuntu-release-upgrader-core",
                "from_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:25.10.8",
                    "version": "1:25.10.8"
                },
                "to_version": {
                    "source_package_name": "ubuntu-release-upgrader",
                    "source_package_version": "1:25.10.9",
                    "version": "1:25.10.9"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    2146830
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * all: clean forgotten -m references (LP: #2146830)",
                            "  * DistUpgrade: correct version number in EOL announcements",
                            "  * Run pre-build.sh: updating mirrors.",
                            ""
                        ],
                        "package": "ubuntu-release-upgrader",
                        "version": "1:25.10.9",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2146830
                        ],
                        "author": "Nick Rosbrook <enr0n@ubuntu.com>",
                        "date": "Mon, 30 Mar 2026 15:13:41 -0400"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "xxd",
                "from_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0967-1ubuntu6.2",
                    "version": "2:9.1.0967-1ubuntu6.2"
                },
                "to_version": {
                    "source_package_name": "vim",
                    "source_package_version": "2:9.1.0967-1ubuntu6.3",
                    "version": "2:9.1.0967-1ubuntu6.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-35177",
                        "url": "https://ubuntu.com/security/CVE-2026-35177",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 18:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-39881",
                        "url": "https://ubuntu.com/security/CVE-2026-39881",
                        "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-08 21:17:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-35177",
                                "url": "https://ubuntu.com/security/CVE-2026-35177",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 18:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-39881",
                                "url": "https://ubuntu.com/security/CVE-2026-39881",
                                "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-08 21:17:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Path Traversal in zip.vim",
                            "    - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before",
                            "      writing in runtime/autoload/zip.vim",
                            "    - CVE-2026-35177",
                            "  * SECURITY UPDATE: Command Injection in netbeans",
                            "    - debian/patches/CVE-2026-39881.patch: Validate typename, fg, and bg",
                            "      before passing to coloncmd in src/netbeans.c",
                            "    - CVE-2026-39881",
                            ""
                        ],
                        "package": "vim",
                        "version": "2:9.1.0967-1ubuntu6.3",
                        "urgency": "medium",
                        "distributions": "questing-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Kyle Kernick <kyle.kernick@canonical.com>",
                        "date": "Tue, 21 Apr 2026 13:38:35 -0600"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-image-6.17.0-23-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.17.0-22.22",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.17.0-23.23",
                    "version": "6.17.0-23.23"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.17.0-23.23",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.17.0-23.23",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Sat, 11 Apr 2026 23:38:45 +0200"
                    }
                ],
                "notes": "linux-image-6.17.0-23-generic version '6.17.0-23.23' (source package linux-signed version '6.17.0-23.23') was added. linux-image-6.17.0-23-generic version '6.17.0-23.23' has the same source package name, linux-signed, as removed package linux-image-6.17.0-22-generic. As such we can use the source package version of the removed package, '6.17.0-22.22', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.17.0-23-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.17.0-22.22",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.17.0-23.23",
                    "version": "6.17.0-23.23"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-23231",
                        "url": "https://ubuntu.com/security/CVE-2026-23231",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: fix use-after-free in nf_tables_addchain()  nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy() with no RCU grace period in between.  This creates two use-after-free conditions:   1) Control-plane: nf_tables_dump_chains() traverses table->chains     under rcu_read_lock(). A concurrent dump can still be walking     the chain when the error path frees it.   2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly     installs the IPv4 hook before IPv6 registration fails.  Packets     entering nft_do_chain() via the transient IPv4 hook can still be     dereferencing chain->blob_gen_X when the error path frees the     chain.  Add synchronize_rcu() between nft_chain_del() and the chain destroy so that all RCU readers -- both dump threads and in-flight packet evaluation -- have finished before the chain is freed.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-03-04 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23209",
                        "url": "https://ubuntu.com/security/CVE-2026-23209",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  macvlan: fix error recovery in macvlan_common_newlink()  valis provided a nice repro to crash the kernel:  ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2  ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20  ping -c1 -I p1 1.2.3.4  He also gave a very detailed analysis:  <quote valis>  The issue is triggered when a new macvlan link is created  with MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan port and register_netdevice() called from macvlan_common_newlink() fails (e.g. because of the invalid link name).  In this case macvlan_hash_add_source is called from macvlan_change_sources() / macvlan_common_newlink():  This adds a reference to vlan to the port's vlan_source_hash using macvlan_source_entry.  vlan is a pointer to the priv data of the link that is being created.  When register_netdevice() fails, the error is returned from macvlan_newlink() to rtnl_newlink_create():          if (ops->newlink)                 err = ops->newlink(dev, &params, extack);         else                 err = register_netdevice(dev);         if (err < 0) {                 free_netdev(dev);                 goto out;         }  and free_netdev() is called, causing a kvfree() on the struct net_device that is still referenced in the source entry attached to the lower device's macvlan port.  Now all packets sent on the macvlan port with a matching source mac address will trigger a use-after-free in macvlan_forward_source().  </quote valis>  With all that, my fix is to make sure we call macvlan_flush_sources() regardless of @create value whenever \"goto destroy_macvlan_port;\" path is taken.  Many thanks to valis for following up on this issue.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-02-14 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-23112",
                        "url": "https://ubuntu.com/security/CVE-2026-23112",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec  nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.",
                        "cve_priority": "high",
                        "cve_public_date": "2026-02-13 14:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2147920,
                    2144380,
                    2144522
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-23231",
                                "url": "https://ubuntu.com/security/CVE-2026-23231",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  netfilter: nf_tables: fix use-after-free in nf_tables_addchain()  nf_tables_addchain() publishes the chain to table->chains via list_add_tail_rcu() (in nft_chain_add()) before registering hooks. If nf_tables_register_hook() then fails, the error path calls nft_chain_del() (list_del_rcu()) followed by nf_tables_chain_destroy() with no RCU grace period in between.  This creates two use-after-free conditions:   1) Control-plane: nf_tables_dump_chains() traverses table->chains     under rcu_read_lock(). A concurrent dump can still be walking     the chain when the error path frees it.   2) Packet path: for NFPROTO_INET, nf_register_net_hook() briefly     installs the IPv4 hook before IPv6 registration fails.  Packets     entering nft_do_chain() via the transient IPv4 hook can still be     dereferencing chain->blob_gen_X when the error path frees the     chain.  Add synchronize_rcu() between nft_chain_del() and the chain destroy so that all RCU readers -- both dump threads and in-flight packet evaluation -- have finished before the chain is freed.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-03-04 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23209",
                                "url": "https://ubuntu.com/security/CVE-2026-23209",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  macvlan: fix error recovery in macvlan_common_newlink()  valis provided a nice repro to crash the kernel:  ip link add p1 type veth peer p2 ip link set address 00:00:00:00:00:20 dev p1 ip link set up dev p1 ip link set up dev p2  ip link add mv0 link p2 type macvlan mode source ip link add invalid% link p2 type macvlan mode source macaddr add 00:00:00:00:00:20  ping -c1 -I p1 1.2.3.4  He also gave a very detailed analysis:  <quote valis>  The issue is triggered when a new macvlan link is created  with MACVLAN_MODE_SOURCE mode and MACVLAN_MACADDR_ADD (or MACVLAN_MACADDR_SET) parameter, lower device already has a macvlan port and register_netdevice() called from macvlan_common_newlink() fails (e.g. because of the invalid link name).  In this case macvlan_hash_add_source is called from macvlan_change_sources() / macvlan_common_newlink():  This adds a reference to vlan to the port's vlan_source_hash using macvlan_source_entry.  vlan is a pointer to the priv data of the link that is being created.  When register_netdevice() fails, the error is returned from macvlan_newlink() to rtnl_newlink_create():          if (ops->newlink)                 err = ops->newlink(dev, &params, extack);         else                 err = register_netdevice(dev);         if (err < 0) {                 free_netdev(dev);                 goto out;         }  and free_netdev() is called, causing a kvfree() on the struct net_device that is still referenced in the source entry attached to the lower device's macvlan port.  Now all packets sent on the macvlan port with a matching source mac address will trigger a use-after-free in macvlan_forward_source().  </quote valis>  With all that, my fix is to make sure we call macvlan_flush_sources() regardless of @create value whenever \"goto destroy_macvlan_port;\" path is taken.  Many thanks to valis for following up on this issue.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-02-14 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-23112",
                                "url": "https://ubuntu.com/security/CVE-2026-23112",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec  nvmet_tcp_build_pdu_iovec() could walk past cmd->req.sg when a PDU length or offset exceeds sg_cnt and then use bogus sg->length/offset values, leading to _copy_to_iter() GPF/KASAN. Guard sg_idx, remaining entries, and sg->length/offset before building the bvec.",
                                "cve_priority": "high",
                                "cve_public_date": "2026-02-13 14:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * questing/linux: 6.17.0-23.23 -proposed tracker (LP: #2147920)",
                            "",
                            "  * CVE-2026-23231",
                            "    - netfilter: nf_tables: fix use-after-free in nf_tables_addchain()",
                            "",
                            "  * macvlan: observe an RCU grace period in macvlan_common_newlink() error",
                            "    path (LP: #2144380) // CVE-2026-23209",
                            "    - macvlan: observe an RCU grace period in macvlan_common_newlink() error",
                            "      path",
                            "",
                            "  * Dell Machines cannot boot into OS with 6.17.0-1012-oem (LP: #2144522)",
                            "    - drm/amd: Disable MES LR compute W/A",
                            "    - drm/amd: Set minimum version for set_hw_resource_1 on gfx11 to 0x52",
                            "",
                            "  * CVE-2026-23112",
                            "    - nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.17.0-23.23",
                        "urgency": "medium",
                        "distributions": "questing",
                        "launchpad_bugs_fixed": [
                            2147920,
                            2144380,
                            2144522
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Sat, 11 Apr 2026 22:54:06 +0200"
                    }
                ],
                "notes": "linux-modules-6.17.0-23-generic version '6.17.0-23.23' (source package linux version '6.17.0-23.23') was added. linux-modules-6.17.0-23-generic version '6.17.0-23.23' has the same source package name, linux, as removed package linux-modules-6.17.0-22-generic. As such we can use the source package version of the removed package, '6.17.0-22.22', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-image-6.17.0-22-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.17.0-22.22",
                    "version": "6.17.0-22.22"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.17.0-22-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.17.0-22.22",
                    "version": "6.17.0-22.22"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 25.10 questing image from release image serial 20260415 to 20260503",
    "from_series": "questing",
    "to_series": "questing",
    "from_serial": "20260415",
    "to_serial": "20260503",
    "from_manifest_filename": "release_manifest.previous",
    "to_manifest_filename": "manifest.current"
}