{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-headers-5.4.0-1121-kvm",
                "linux-image-5.4.0-1121-kvm",
                "linux-kvm-headers-5.4.0-1121",
                "linux-modules-5.4.0-1121-kvm"
            ],
            "removed": [
                "linux-headers-5.4.0-1120-kvm",
                "linux-image-5.4.0-1120-kvm",
                "linux-kvm-headers-5.4.0-1120",
                "linux-modules-5.4.0-1120-kvm"
            ],
            "diff": [
                "apparmor",
                "curl",
                "libapparmor1",
                "libcurl4",
                "libpython3.8-minimal",
                "libpython3.8-stdlib",
                "linux-headers-kvm",
                "linux-image-kvm",
                "linux-kvm",
                "python3.8",
                "python3.8-minimal"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "apparmor",
                "from_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "2.13.3-7ubuntu5.3build2",
                    "version": "2.13.3-7ubuntu5.3build2"
                },
                "to_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "2.13.3-7ubuntu5.4",
                    "version": "2.13.3-7ubuntu5.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2016-1585",
                        "url": "https://ubuntu.com/security/CVE-2016-1585",
                        "cve_description": "In all versions of AppArmor mount rules are accidentally widened when compiled.",
                        "cve_priority": "medium",
                        "cve_public_date": "2019-04-22 16:29:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    1597017
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2016-1585",
                                "url": "https://ubuntu.com/security/CVE-2016-1585",
                                "cve_description": "In all versions of AppArmor mount rules are accidentally widened when compiled.",
                                "cve_priority": "medium",
                                "cve_public_date": "2019-04-22 16:29:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Excessive permissions with mount rules (LP: #1597017)",
                            "    - d/p/CVE-2016-1585/parser-Fix-expansion-of-variables-in-unix-rules-addr.patch:",
                            "      add calls to filter_slashes() in parser/af_unix.cc, make it external",
                            "      in parser/parser.h and change it to void in parser/parser_regex.c.",
                            "    - d/p/CVE-2016-1585/parser-enable-variable-expansion-for-mount-type-and-.patch:",
                            "      add variable expansion with expand_entry_variables() in",
                            "      parser/mount.cc.",
                            "    - d/p/CVE-2016-1585/parser-call-filter-slashes-for-mount-conditionals.patch:",
                            "      add calls to filter_slashes() in parser/mount.cc.",
                            "    - d/p/CVE-2016-1585/Support-rule-qualifiers-in-regression-tests.patch:",
                            "      update rule qualifiers in regression tests in",
                            "      tests/regression/apparmor/mkprofile.pl and",
                            "      tests/regression/apparmor/capabilities.sh.",
                            "    - d/p/CVE-2016-1585/Merge-Fix-mount-rules-encoding.patch: fix mount",
                            "      rules encoding in parser/mount.cc, parser/mount.h, parser/parser.h",
                            "      and fix multiple test cases in parser/tst/simple_tests/mount/*.",
                            "    - d/p/CVE-2016-1585/Merge-expand-mount-tests.patch: expand mount",
                            "      regression tests in tests/regression/apparmor/Makefile,",
                            "      tests/regression/apparmor/mount.c,",
                            "      tests/regression/apparmor/mount.sh and",
                            "      tests/regression/apparmor/mkprofile.pl.",
                            "    - d/p/CVE-2016-1585/Merge-Issue-312-added-missing-kernel-mount-options.patch:",
                            "      add missing kernel mount options flag in parser/apparmor.d.pod,",
                            "      parser/mount.cc, parser/mount.h, tests/regression/apparmor/mount.sh",
                            "      and parser/tst/simple_tests/mount/*.",
                            "    - d/p/CVE-2016-1585/Merge-extend-test-profiles-for-mount.patch: update",
                            "      test profiles in parser/tst/simple_tests/mount/*.",
                            "    - d/p/CVE-2016-1585/Merge-parser-fix-parsing-of-source-as-mount-point-fo.patch:",
                            "      update gen_policy_change_mount_type() in parser/mount.cc and also",
                            "      updated tests on parser/tst/simple_tests/mount/* and",
                            "      tests/regression/apparmor/mount.sh.",
                            "    - d/p/CVE-2016-1585/parser-fix-rule-flag-generation-change_mount-type-ru.patch:",
                            "      add device checks in gen_flag_rules() in parser/mount.cc and tests",
                            "      in parser/tst/simple_tests/mount/*, parser/tst/equality.sh,",
                            "      tests/regression/apparmor/mount.sh and",
                            "      utils/test/test-parser-simple-tests.py.",
                            "    - d/p/CVE-2016-1585/Fix-build-failure-in-df4ed537e-allow-reading-of-etc-.patch:",
                            "      remove the WARN_DEPRECATED flag in pwarn call in parser/mount.cc.",
                            "    - d/p/CVE-2016-1585/parser-Deprecation-warning-should-not-have-been-back.patch:",
                            "      remove deprecation warning message in parser/mount.cc.",
                            "    - CVE-2016-1585",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "2.13.3-7ubuntu5.4",
                        "urgency": "medium",
                        "distributions": "focal-security",
                        "launchpad_bugs_fixed": [
                            1597017
                        ],
                        "author": "Rodrigo Figueiredo Zaiden <rodrigo.zaiden@canonical.com>",
                        "date": "Tue, 06 Mar 2024 15:40:00 -0300"
                    }
                ],
                "notes": null
            },
            {
                "name": "curl",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.68.0-1ubuntu2.23",
                    "version": "7.68.0-1ubuntu2.23"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.68.0-1ubuntu2.24",
                    "version": "7.68.0-1ubuntu2.24"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-8096",
                        "url": "https://ubuntu.com/security/CVE-2024-8096",
                        "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine.  If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certificate.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-09-11 10:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                                {
                                    "cve": "CVE-2024-8096",
                                    "url": "https://ubuntu.com/security/CVE-2024-8096",
                                    "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine.  If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certificate.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-09-11 10:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: OCSP stapling bypass with GnuTLS",
                            "    - debian/patches/CVE-2024-8096.patch: fix OCSP stapling management in",
                            "      lib/vtls/gtls.c.",
                            "    - CVE-2024-8096",
                            ""
                        ],
                        "package": "curl",
                        "version": "7.68.0-1ubuntu2.24",
                        "urgency": "medium",
                        "distributions": "focal-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 06 Sep 2024 11:00:30 -0400"
                    }
                ],
                "notes": null
            },
            {
                "name": "libapparmor1",
                "from_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "2.13.3-7ubuntu5.3build2",
                    "version": "2.13.3-7ubuntu5.3build2"
                },
                "to_version": {
                    "source_package_name": "apparmor",
                    "source_package_version": "2.13.3-7ubuntu5.4",
                    "version": "2.13.3-7ubuntu5.4"
                },
                "cves": [
                    {
                        "cve": "CVE-2016-1585",
                        "url": "https://ubuntu.com/security/CVE-2016-1585",
                        "cve_description": "In all versions of AppArmor mount rules are accidentally widened when compiled.",
                        "cve_priority": "medium",
                        "cve_public_date": "2019-04-22 16:29:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    1597017
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2016-1585",
                                "url": "https://ubuntu.com/security/CVE-2016-1585",
                                "cve_description": "In all versions of AppArmor mount rules are accidentally widened when compiled.",
                                "cve_priority": "medium",
                                "cve_public_date": "2019-04-22 16:29:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: Excessive permissions with mount rules (LP: #1597017)",
                            "    - d/p/CVE-2016-1585/parser-Fix-expansion-of-variables-in-unix-rules-addr.patch:",
                            "      add calls to filter_slashes() in parser/af_unix.cc, make it external",
                            "      in parser/parser.h and change it to void in parser/parser_regex.c.",
                            "    - d/p/CVE-2016-1585/parser-enable-variable-expansion-for-mount-type-and-.patch:",
                            "      add variable expansion with expand_entry_variables() in",
                            "      parser/mount.cc.",
                            "    - d/p/CVE-2016-1585/parser-call-filter-slashes-for-mount-conditionals.patch:",
                            "      add calls to filter_slashes() in parser/mount.cc.",
                            "    - d/p/CVE-2016-1585/Support-rule-qualifiers-in-regression-tests.patch:",
                            "      update rule qualifiers in regression tests in",
                            "      tests/regression/apparmor/mkprofile.pl and",
                            "      tests/regression/apparmor/capabilities.sh.",
                            "    - d/p/CVE-2016-1585/Merge-Fix-mount-rules-encoding.patch: fix mount",
                            "      rules encoding in parser/mount.cc, parser/mount.h, parser/parser.h",
                            "      and fix multiple test cases in parser/tst/simple_tests/mount/*.",
                            "    - d/p/CVE-2016-1585/Merge-expand-mount-tests.patch: expand mount",
                            "      regression tests in tests/regression/apparmor/Makefile,",
                            "      tests/regression/apparmor/mount.c,",
                            "      tests/regression/apparmor/mount.sh and",
                            "      tests/regression/apparmor/mkprofile.pl.",
                            "    - d/p/CVE-2016-1585/Merge-Issue-312-added-missing-kernel-mount-options.patch:",
                            "      add missing kernel mount options flag in parser/apparmor.d.pod,",
                            "      parser/mount.cc, parser/mount.h, tests/regression/apparmor/mount.sh",
                            "      and parser/tst/simple_tests/mount/*.",
                            "    - d/p/CVE-2016-1585/Merge-extend-test-profiles-for-mount.patch: update",
                            "      test profiles in parser/tst/simple_tests/mount/*.",
                            "    - d/p/CVE-2016-1585/Merge-parser-fix-parsing-of-source-as-mount-point-fo.patch:",
                            "      update gen_policy_change_mount_type() in parser/mount.cc and also",
                            "      updated tests on parser/tst/simple_tests/mount/* and",
                            "      tests/regression/apparmor/mount.sh.",
                            "    - d/p/CVE-2016-1585/parser-fix-rule-flag-generation-change_mount-type-ru.patch:",
                            "      add device checks in gen_flag_rules() in parser/mount.cc and tests",
                            "      in parser/tst/simple_tests/mount/*, parser/tst/equality.sh,",
                            "      tests/regression/apparmor/mount.sh and",
                            "      utils/test/test-parser-simple-tests.py.",
                            "    - d/p/CVE-2016-1585/Fix-build-failure-in-df4ed537e-allow-reading-of-etc-.patch:",
                            "      remove the WARN_DEPRECATED flag in pwarn call in parser/mount.cc.",
                            "    - d/p/CVE-2016-1585/parser-Deprecation-warning-should-not-have-been-back.patch:",
                            "      remove deprecation warning message in parser/mount.cc.",
                            "    - CVE-2016-1585",
                            ""
                        ],
                        "package": "apparmor",
                        "version": "2.13.3-7ubuntu5.4",
                        "urgency": "medium",
                        "distributions": "focal-security",
                        "launchpad_bugs_fixed": [
                            1597017
                        ],
                        "author": "Rodrigo Figueiredo Zaiden <rodrigo.zaiden@canonical.com>",
                        "date": "Tue, 06 Mar 2024 15:40:00 -0300"
                    }
                ],
                "notes": null
            },
            {
                "name": "libcurl4",
                "from_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.68.0-1ubuntu2.23",
                    "version": "7.68.0-1ubuntu2.23"
                },
                "to_version": {
                    "source_package_name": "curl",
                    "source_package_version": "7.68.0-1ubuntu2.24",
                    "version": "7.68.0-1ubuntu2.24"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-8096",
                        "url": "https://ubuntu.com/security/CVE-2024-8096",
                        "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine.  If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certificate.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-09-11 10:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                                {
                                    "cve": "CVE-2024-8096",
                                    "url": "https://ubuntu.com/security/CVE-2024-8096",
                                    "cve_description": "When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine.  If the returned status reports another error than 'revoked' (like for example 'unauthorized') it is not treated as a bad certificate.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-09-11 10:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: OCSP stapling bypass with GnuTLS",
                            "    - debian/patches/CVE-2024-8096.patch: fix OCSP stapling management in",
                            "      lib/vtls/gtls.c.",
                            "    - CVE-2024-8096",
                            ""
                        ],
                        "package": "curl",
                        "version": "7.68.0-1ubuntu2.24",
                        "urgency": "medium",
                        "distributions": "focal-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Fri, 06 Sep 2024 11:00:30 -0400"
                    }
                ],
                "notes": null
            },
            {
                "name": "libpython3.8-minimal",
                "from_version": {
                    "source_package_name": "python3.8",
                    "source_package_version": "3.8.10-0ubuntu1~20.04.11",
                    "version": "3.8.10-0ubuntu1~20.04.11"
                },
                "to_version": {
                    "source_package_name": "python3.8",
                    "source_package_version": "3.8.10-0ubuntu1~20.04.12",
                    "version": "3.8.10-0ubuntu1~20.04.12"
                },
                "cves": [
                    {
                        "cve": "CVE-2023-27043",
                        "url": "https://ubuntu.com/security/CVE-2023-27043",
                        "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.",
                        "cve_priority": "medium",
                        "cve_public_date": "2023-04-19 00:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-6232",
                        "url": "https://ubuntu.com/security/CVE-2024-6232",
                        "cve_description": "There is a MEDIUM severity vulnerability affecting CPython.      Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-09-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-6923",
                        "url": "https://ubuntu.com/security/CVE-2024-6923",
                        "cve_description": "There is a MEDIUM severity vulnerability affecting CPython.  The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-08-01 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-7592",
                        "url": "https://ubuntu.com/security/CVE-2024-7592",
                        "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module.   When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.",
                        "cve_priority": "low",
                        "cve_public_date": "2024-08-19 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-8088",
                        "url": "https://ubuntu.com/security/CVE-2024-8088",
                        "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.      When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-08-22 19:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2023-27043",
                                "url": "https://ubuntu.com/security/CVE-2023-27043",
                                "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.",
                                "cve_priority": "medium",
                                "cve_public_date": "2023-04-19 00:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-6232",
                                "url": "https://ubuntu.com/security/CVE-2024-6232",
                                "cve_description": "There is a MEDIUM severity vulnerability affecting CPython.      Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-09-03 13:15:00 UTC"
                            },
                                {
                                    "cve": "CVE-2024-6923",
                                    "url": "https://ubuntu.com/security/CVE-2024-6923",
                                    "cve_description": "There is a MEDIUM severity vulnerability affecting CPython.  The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email  is serialized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-08-01 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-7592",
                                "url": "https://ubuntu.com/security/CVE-2024-7592",
                                "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module.   When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.",
                                "cve_priority": "low",
                                "cve_public_date": "2024-08-19 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-8088",
                                "url": "https://ubuntu.com/security/CVE-2024-8088",
                                "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected.      When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-08-22 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: incorrect special character parsing in email module",
                            "    - debian/patches/CVE-2023-27043.patch: reject malformed addresses in",
                            "      Doc/library/email.utils.rst, Lib/email/utils.py,",
                            "      Lib/test/test_email/test_email.py.",
                            "    - CVE-2023-27043",
                            "  * SECURITY UPDATE: ReDoS via specifically-crafted tar archives",
                            "    - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing",
                            "      tarfile headers in Lib/tarfile.py, Lib/test/test_tarfile.py.",
                            "    - CVE-2024-6232",
                            "  * SECURITY UPDATE: header injection via newlines in email module",
                            "    - debian/patches/CVE-2024-6923.patch: encode newlines in headers, and",
                            "      verify headers are sound in Doc/library/email.errors.rst,",
                            "      Doc/library/email.policy.rst, Lib/email/_header_value_parser.py,",
                            "      Lib/email/_policybase.py, Lib/email/errors.py,",
                            "      Lib/email/generator.py, Lib/test/test_email/test_generator.py,",
                            "      Lib/test/test_email/test_policy.py.",
                            "    - CVE-2024-6923",
                            "  * SECURITY UPDATE: resource consumption via cookie parsing",
                            "    - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in",
                            "      parsing quoted cookie values with backslashes in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2024-7592",
                            "  * SECURITY UPDATE: infinite loop via crafted zip archive",
                            "    - debian/patches/CVE-2024-8088.patch: sanitize names in zipfile.Path in",
                            "      Lib/test/test_zipfile/_path/test_path.py,",
                            "      Lib/zipfile/_path/__init__.py.",
                            "    - CVE-2024-8088",
                            ""
                        ],
                        "package": "python3.8",
                        "version": "3.8.10-0ubuntu1~20.04.12",
                        "urgency": "medium",
                        "distributions": "focal-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 11 Sep 2024 12:02:53 -0400"
                    }
                ],
                "notes": null
            },
            {
                "name": "libpython3.8-stdlib",
                "from_version": {
                    "source_package_name": "python3.8",
                    "source_package_version": "3.8.10-0ubuntu1~20.04.11",
                    "version": "3.8.10-0ubuntu1~20.04.11"
                },
                "to_version": {
                    "source_package_name": "python3.8",
                    "source_package_version": "3.8.10-0ubuntu1~20.04.12",
                    "version": "3.8.10-0ubuntu1~20.04.12"
                },
                "cves": [
                    {
                        "cve": "CVE-2023-27043",
                        "url": "https://ubuntu.com/security/CVE-2023-27043",
                        "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.",
                        "cve_priority": "medium",
                        "cve_public_date": "2023-04-19 00:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-6232",
                        "url": "https://ubuntu.com/security/CVE-2024-6232",
                        "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-09-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-6923",
                        "url": "https://ubuntu.com/security/CVE-2024-6923",
                        "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-08-01 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-7592",
                        "url": "https://ubuntu.com/security/CVE-2024-7592",
                        "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.",
                        "cve_priority": "low",
                        "cve_public_date": "2024-08-19 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-8088",
                        "url": "https://ubuntu.com/security/CVE-2024-8088",
                        "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-08-22 19:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2023-27043",
                                "url": "https://ubuntu.com/security/CVE-2023-27043",
                                "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.",
                                "cve_priority": "medium",
                                "cve_public_date": "2023-04-19 00:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-6232",
                                "url": "https://ubuntu.com/security/CVE-2024-6232",
                                "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-09-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-6923",
                                "url": "https://ubuntu.com/security/CVE-2024-6923",
                                "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-08-01 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-7592",
                                "url": "https://ubuntu.com/security/CVE-2024-7592",
                                "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.",
                                "cve_priority": "low",
                                "cve_public_date": "2024-08-19 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-8088",
                                "url": "https://ubuntu.com/security/CVE-2024-8088",
                                "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-08-22 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: incorrect special character parsing in email module",
                            "    - debian/patches/CVE-2023-27043.patch: reject malformed addresses in",
                            "      Doc/library/email.utils.rst, Lib/email/utils.py,",
                            "      Lib/test/test_email/test_email.py.",
                            "    - CVE-2023-27043",
                            "  * SECURITY UPDATE: ReDoS via specifically-crafted tar archives",
                            "    - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing",
                            "      tarfile headers in Lib/tarfile.py, Lib/test/test_tarfile.py.",
                            "    - CVE-2024-6232",
                            "  * SECURITY UPDATE: header injection via newlines in email module",
                            "    - debian/patches/CVE-2024-6923.patch: encode newlines in headers, and",
                            "      verify headers are sound in Doc/library/email.errors.rst,",
                            "      Doc/library/email.policy.rst, Lib/email/_header_value_parser.py,",
                            "      Lib/email/_policybase.py, Lib/email/errors.py,",
                            "      Lib/email/generator.py, Lib/test/test_email/test_generator.py,",
                            "      Lib/test/test_email/test_policy.py.",
                            "    - CVE-2024-6923",
                            "  * SECURITY UPDATE: resource consumption via cookie parsing",
                            "    - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in",
                            "      parsing quoted cookie values with backslashes in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2024-7592",
                            "  * SECURITY UPDATE: infinite loop via crafted zip archive",
                            "    - debian/patches/CVE-2024-8088.patch: sanitize names in zipfile.Path in",
                            "      Lib/test/test_zipfile/_path/test_path.py,",
                            "      Lib/zipfile/_path/__init__.py.",
                            "    - CVE-2024-8088",
                            ""
                        ],
                        "package": "python3.8",
                        "version": "3.8.10-0ubuntu1~20.04.12",
                        "urgency": "medium",
                        "distributions": "focal-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 11 Sep 2024 12:02:53 -0400"
                    }
                ],
                "notes": null
            },
            {
                "name": "linux-headers-kvm",
                "from_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1120.116",
                    "version": "5.4.0.1120.116"
                },
                "to_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1121.117",
                    "version": "5.4.0.1121.117"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.4.0-1121",
                            ""
                        ],
                        "package": "linux-meta-kvm",
                        "version": "5.4.0.1121.117",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 30 Aug 2024 16:00:02 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "linux-image-kvm",
                "from_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1120.116",
                    "version": "5.4.0.1120.116"
                },
                "to_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1121.117",
                    "version": "5.4.0.1121.117"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.4.0-1121",
                            ""
                        ],
                        "package": "linux-meta-kvm",
                        "version": "5.4.0.1121.117",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 30 Aug 2024 16:00:02 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "linux-kvm",
                "from_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1120.116",
                    "version": "5.4.0.1120.116"
                },
                "to_version": {
                    "source_package_name": "linux-meta-kvm",
                    "source_package_version": "5.4.0.1121.117",
                    "version": "5.4.0.1121.117"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Bump ABI 5.4.0-1121",
                            ""
                        ],
                        "package": "linux-meta-kvm",
                        "version": "5.4.0.1121.117",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 30 Aug 2024 16:00:02 +0200"
                    }
                ],
                "notes": null
            },
            {
                "name": "python3.8",
                "from_version": {
                    "source_package_name": "python3.8",
                    "source_package_version": "3.8.10-0ubuntu1~20.04.11",
                    "version": "3.8.10-0ubuntu1~20.04.11"
                },
                "to_version": {
                    "source_package_name": "python3.8",
                    "source_package_version": "3.8.10-0ubuntu1~20.04.12",
                    "version": "3.8.10-0ubuntu1~20.04.12"
                },
                "cves": [
                    {
                        "cve": "CVE-2023-27043",
                        "url": "https://ubuntu.com/security/CVE-2023-27043",
                        "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.",
                        "cve_priority": "medium",
                        "cve_public_date": "2023-04-19 00:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-6232",
                        "url": "https://ubuntu.com/security/CVE-2024-6232",
                        "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-09-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-6923",
                        "url": "https://ubuntu.com/security/CVE-2024-6923",
                        "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-08-01 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-7592",
                        "url": "https://ubuntu.com/security/CVE-2024-7592",
                        "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.",
                        "cve_priority": "low",
                        "cve_public_date": "2024-08-19 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-8088",
                        "url": "https://ubuntu.com/security/CVE-2024-8088",
                        "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-08-22 19:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2023-27043",
                                "url": "https://ubuntu.com/security/CVE-2023-27043",
                                "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.",
                                "cve_priority": "medium",
                                "cve_public_date": "2023-04-19 00:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-6232",
                                "url": "https://ubuntu.com/security/CVE-2024-6232",
                                "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-09-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-6923",
                                "url": "https://ubuntu.com/security/CVE-2024-6923",
                                "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-08-01 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-7592",
                                "url": "https://ubuntu.com/security/CVE-2024-7592",
                                "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.",
                                "cve_priority": "low",
                                "cve_public_date": "2024-08-19 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-8088",
                                "url": "https://ubuntu.com/security/CVE-2024-8088",
                                "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-08-22 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: incorrect special character parsing in email module",
                            "    - debian/patches/CVE-2023-27043.patch: reject malformed addresses in",
                            "      Doc/library/email.utils.rst, Lib/email/utils.py,",
                            "      Lib/test/test_email/test_email.py.",
                            "    - CVE-2023-27043",
                            "  * SECURITY UPDATE: ReDoS via specifically-crafted tar archives",
                            "    - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing",
                            "      tarfile headers in Lib/tarfile.py, Lib/test/test_tarfile.py.",
                            "    - CVE-2024-6232",
                            "  * SECURITY UPDATE: header injection via newlines in email module",
                            "    - debian/patches/CVE-2024-6923.patch: encode newlines in headers, and",
                            "      verify headers are sound in Doc/library/email.errors.rst,",
                            "      Doc/library/email.policy.rst, Lib/email/_header_value_parser.py,",
                            "      Lib/email/_policybase.py, Lib/email/errors.py,",
                            "      Lib/email/generator.py, Lib/test/test_email/test_generator.py,",
                            "      Lib/test/test_email/test_policy.py.",
                            "    - CVE-2024-6923",
                            "  * SECURITY UPDATE: resource consumption via cookie parsing",
                            "    - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in",
                            "      parsing quoted cookie values with backslashes in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2024-7592",
                            "  * SECURITY UPDATE: infinite loop via crafted zip archive",
                            "    - debian/patches/CVE-2024-8088.patch: sanitize names in zipfile.Path in",
                            "      Lib/test/test_zipfile/_path/test_path.py,",
                            "      Lib/zipfile/_path/__init__.py.",
                            "    - CVE-2024-8088",
                            ""
                        ],
                        "package": "python3.8",
                        "version": "3.8.10-0ubuntu1~20.04.12",
                        "urgency": "medium",
                        "distributions": "focal-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 11 Sep 2024 12:02:53 -0400"
                    }
                ],
                "notes": null
            },
            {
                "name": "python3.8-minimal",
                "from_version": {
                    "source_package_name": "python3.8",
                    "source_package_version": "3.8.10-0ubuntu1~20.04.11",
                    "version": "3.8.10-0ubuntu1~20.04.11"
                },
                "to_version": {
                    "source_package_name": "python3.8",
                    "source_package_version": "3.8.10-0ubuntu1~20.04.12",
                    "version": "3.8.10-0ubuntu1~20.04.12"
                },
                "cves": [
                    {
                        "cve": "CVE-2023-27043",
                        "url": "https://ubuntu.com/security/CVE-2023-27043",
                        "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.",
                        "cve_priority": "medium",
                        "cve_public_date": "2023-04-19 00:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-6232",
                        "url": "https://ubuntu.com/security/CVE-2024-6232",
                        "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-09-03 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-6923",
                        "url": "https://ubuntu.com/security/CVE-2024-6923",
                        "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-08-01 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-7592",
                        "url": "https://ubuntu.com/security/CVE-2024-7592",
                        "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.",
                        "cve_priority": "low",
                        "cve_public_date": "2024-08-19 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-8088",
                        "url": "https://ubuntu.com/security/CVE-2024-8088",
                        "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-08-22 19:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2023-27043",
                                "url": "https://ubuntu.com/security/CVE-2023-27043",
                                "cve_description": "The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.",
                                "cve_priority": "medium",
                                "cve_public_date": "2023-04-19 00:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-6232",
                                "url": "https://ubuntu.com/security/CVE-2024-6232",
                                "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-09-03 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-6923",
                                "url": "https://ubuntu.com/security/CVE-2024-6923",
                                "cve_description": "There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-08-01 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-7592",
                                "url": "https://ubuntu.com/security/CVE-2024-7592",
                                "cve_description": "There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.",
                                "cve_priority": "low",
                                "cve_public_date": "2024-08-19 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-8088",
                                "url": "https://ubuntu.com/security/CVE-2024-8088",
                                "cve_description": "There is a HIGH severity vulnerability affecting the CPython \"zipfile\" module affecting \"zipfile.Path\". Note that the more common API \"zipfile.ZipFile\" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of \"zipfile.Path\" like \"namelist()\", \"iterdir()\", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-08-22 19:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: incorrect special character parsing in email module",
                            "    - debian/patches/CVE-2023-27043.patch: reject malformed addresses in",
                            "      Doc/library/email.utils.rst, Lib/email/utils.py,",
                            "      Lib/test/test_email/test_email.py.",
                            "    - CVE-2023-27043",
                            "  * SECURITY UPDATE: ReDoS via specifically-crafted tar archives",
                            "    - debian/patches/CVE-2024-6232.patch: remove backtracking when parsing",
                            "      tarfile headers in Lib/tarfile.py, Lib/test/test_tarfile.py.",
                            "    - CVE-2024-6232",
                            "  * SECURITY UPDATE: header injection via newlines in email module",
                            "    - debian/patches/CVE-2024-6923.patch: encode newlines in headers, and",
                            "      verify headers are sound in Doc/library/email.errors.rst,",
                            "      Doc/library/email.policy.rst, Lib/email/_header_value_parser.py,",
                            "      Lib/email/_policybase.py, Lib/email/errors.py,",
                            "      Lib/email/generator.py, Lib/test/test_email/test_generator.py,",
                            "      Lib/test/test_email/test_policy.py.",
                            "    - CVE-2024-6923",
                            "  * SECURITY UPDATE: resource consumption via cookie parsing",
                            "    - debian/patches/CVE-2024-7592.patch: fix quadratic complexity in",
                            "      parsing quoted cookie values with backslashes in Lib/http/cookies.py,",
                            "      Lib/test/test_http_cookies.py.",
                            "    - CVE-2024-7592",
                            "  * SECURITY UPDATE: infinite loop via crafted zip archive",
                            "    - debian/patches/CVE-2024-8088.patch: sanitize names in zipfile.Path in",
                            "      Lib/test/test_zipfile/_path/test_path.py,",
                            "      Lib/zipfile/_path/__init__.py.",
                            "    - CVE-2024-8088",
                            ""
                        ],
                        "package": "python3.8",
                        "version": "3.8.10-0ubuntu1~20.04.12",
                        "urgency": "medium",
                        "distributions": "focal-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Marc Deslauriers <marc.deslauriers@ubuntu.com>",
                        "date": "Wed, 11 Sep 2024 12:02:53 -0400"
                    }
                ],
                "notes": null
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-headers-5.4.0-1121-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1120.128",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1121.129",
                    "version": "5.4.0-1121.129"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-39494",
                        "url": "https://ubuntu.com/security/CVE-2024-39494",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: Fix use-after-free on a dentry's dname.name  ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-12 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-42160",
                        "url": "https://ubuntu.com/security/CVE-2024-42160",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: check validation of fault attrs in f2fs_build_fault_attr()  - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-30 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-38570",
                        "url": "https://ubuntu.com/security/CVE-2024-38570",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-06-19 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-42228",
                        "url": "https://ubuntu.com/security/CVE-2024-42228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc  Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually    need to have a separate value of 0xffffffff.(Christian)",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-30 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2022-48791",
                        "url": "https://ubuntu.com/security/CVE-2022-48791",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: pm8001: Fix use-after-free for aborted TMF sas_task  Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout.  When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task().  However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-16 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26787",
                        "url": "https://ubuntu.com/security/CVE-2024-26787",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-04 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-27012",
                        "url": "https://ubuntu.com/security/CVE-2024-27012",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] <TASK> [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-01 06:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2022-48863",
                        "url": "https://ubuntu.com/security/CVE-2022-48863",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mISDN: Fix memory leak in dsp_pipeline_build()  dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, \"|\"). As a result when it calls kfree(dup), the dup variable contains NULL.  Found by Linux Driver Verification project (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-16 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-47188",
                        "url": "https://ubuntu.com/security/CVE-2021-47188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Call trace: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 That warning is triggered by the following statement: WARN_ON(lrbp->cmd); Fix this warning by clearing lrbp->cmd from the abort handler.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-10 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26677",
                        "url": "https://ubuntu.com/security/CVE-2024-26677",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-02 07:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2078195,
                    2078205
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-39494",
                                "url": "https://ubuntu.com/security/CVE-2024-39494",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: Fix use-after-free on a dentry's dname.name  ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-12 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-42160",
                                "url": "https://ubuntu.com/security/CVE-2024-42160",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: check validation of fault attrs in f2fs_build_fault_attr()  - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-30 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-38570",
                                "url": "https://ubuntu.com/security/CVE-2024-38570",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-06-19 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-42228",
                                "url": "https://ubuntu.com/security/CVE-2024-42228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc  Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually    need to have a separate value of 0xffffffff.(Christian)",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-30 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2022-48791",
                                "url": "https://ubuntu.com/security/CVE-2022-48791",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: pm8001: Fix use-after-free for aborted TMF sas_task  Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout.  When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task().  However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-16 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26787",
                                "url": "https://ubuntu.com/security/CVE-2024-26787",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-04 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-27012",
                                "url": "https://ubuntu.com/security/CVE-2024-27012",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] [43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] <TASK> [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? __rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-01 06:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2022-48863",
                                "url": "https://ubuntu.com/security/CVE-2022-48863",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mISDN: Fix memory leak in dsp_pipeline_build()  dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, \"|\"). As a result when it calls kfree(dup), the dup variable contains NULL.  Found by Linux Driver Verification project (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-16 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-47188",
                                "url": "https://ubuntu.com/security/CVE-2021-47188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Call trace: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 That warning is triggered by the following statement: WARN_ON(lrbp->cmd); Fix this warning by clearing lrbp->cmd from the abort handler.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-10 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26677",
                                "url": "https://ubuntu.com/security/CVE-2024-26677",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-02 07:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * focal/linux-kvm: 5.4.0-1121.129 -proposed tracker (LP: #2078195)",
                            "",
                            "  [ Ubuntu: 5.4.0-196.216 ]",
                            "",
                            "  * focal/linux: 5.4.0-196.216 -proposed tracker (LP: #2078205)",
                            "  * CVE-2024-39494",
                            "    - ima: Fix use-after-free on a dentry's dname.name",
                            "  * CVE-2024-42160",
                            "    - f2fs: check validation of fault attrs in f2fs_build_fault_attr()",
                            "    - f2fs: Add inline to f2fs_build_fault_attr() stub",
                            "  * CVE-2024-38570",
                            "    - gfs2: Rename sd_{ glock => kill }_wait",
                            "    - gfs2: Fix potential glock use-after-free on unmount",
                            "  * CVE-2024-42228",
                            "    - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc",
                            "  * CVE-2022-48791",
                            "    - scsi: pm80xx: Fix TMF task completion race condition",
                            "    - scsi: pm8001: Fix use-after-free for aborted TMF sas_task",
                            "  * CVE-2024-26787",
                            "    - mmc: mmci_sdmmc: Rename sdmmc_priv struct to sdmmc_idma",
                            "    - mmc: mmci: stm32: use a buffer for unaligned DMA requests",
                            "    - mmc: mmci: stm32: fix DMA API overlapping mappings warning",
                            "  * CVE-2024-27012",
                            "    - netfilter: nf_tables: restore set elements when delete set fails",
                            "  * CVE-2022-48863",
                            "    - mISDN: Fix memory leak in dsp_pipeline_build()",
                            "  * CVE-2021-47188",
                            "    - scsi: ufs: core: Improve SCSI abort handling",
                            "  * CVE-2024-26677",
                            "    - rxrpc: Fix delayed ACKs to not set the reference serial number",
                            ""
                        ],
                        "package": "linux-kvm",
                        "version": "5.4.0-1121.129",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2078195,
                            2078205
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 30 Aug 2024 15:51:24 +0200"
                    }
                ],
                "notes": "linux-headers-5.4.0-1121-kvm version '5.4.0-1121.129' (source package linux-kvm version '5.4.0-1121.129') was added. linux-headers-5.4.0-1121-kvm version '5.4.0-1121.129' has the same source package name, linux-kvm, as removed package linux-headers-5.4.0-1120-kvm. As such we can use the source package version of the removed package, '5.4.0-1120.128', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package."
            },
            {
                "name": "linux-image-5.4.0-1121-kvm",
                "from_version": {
                    "source_package_name": "linux-signed-kvm",
                    "source_package_version": "5.4.0-1120.128",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-signed-kvm",
                    "source_package_version": "5.4.0-1121.129",
                    "version": "5.4.0-1121.129"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 5.4.0-1121.129",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed-kvm",
                        "version": "5.4.0-1121.129",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 30 Aug 2024 16:00:10 +0200"
                    }
                ],
                "notes": "linux-image-5.4.0-1121-kvm version '5.4.0-1121.129' (source package linux-signed-kvm version '5.4.0-1121.129') was added. linux-image-5.4.0-1121-kvm version '5.4.0-1121.129' has the same source package name, linux-signed-kvm, as removed package linux-image-5.4.0-1120-kvm. As such we can use the source package version of the removed package, '5.4.0-1120.128', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package."
            },
            {
                "name": "linux-kvm-headers-5.4.0-1121",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1120.128",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1121.129",
                    "version": "5.4.0-1121.129"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-39494",
                        "url": "https://ubuntu.com/security/CVE-2024-39494",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: Fix use-after-free on a dentry's dname.name  ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-12 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-42160",
                        "url": "https://ubuntu.com/security/CVE-2024-42160",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: check validation of fault attrs in f2fs_build_fault_attr()  - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-30 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-38570",
                        "url": "https://ubuntu.com/security/CVE-2024-38570",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-06-19 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-42228",
                        "url": "https://ubuntu.com/security/CVE-2024-42228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc  Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually    need to have a separate value of 0xffffffff.(Christian)",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-30 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2022-48791",
                        "url": "https://ubuntu.com/security/CVE-2022-48791",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: pm8001: Fix use-after-free for aborted TMF sas_task  Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout.  When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task().  However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-16 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26787",
                        "url": "https://ubuntu.com/security/CVE-2024-26787",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-04 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-27012",
                        "url": "https://ubuntu.com/security/CVE-2024-27012",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] 
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] <TASK> [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? 
__rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-01 06:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2022-48863",
                        "url": "https://ubuntu.com/security/CVE-2022-48863",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mISDN: Fix memory leak in dsp_pipeline_build()  dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, \"|\"). As a result when it calls kfree(dup), the dup variable contains NULL.  Found by Linux Driver Verification project (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-16 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-47188",
                        "url": "https://ubuntu.com/security/CVE-2021-47188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Call trace: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 That warning is triggered by the following statement: WARN_ON(lrbp->cmd); Fix this warning by clearing lrbp->cmd from the abort handler.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-10 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26677",
                        "url": "https://ubuntu.com/security/CVE-2024-26677",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-02 07:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2078195,
                    2078205
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-39494",
                                "url": "https://ubuntu.com/security/CVE-2024-39494",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: Fix use-after-free on a dentry's dname.name  ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-12 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-42160",
                                "url": "https://ubuntu.com/security/CVE-2024-42160",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: check validation of fault attrs in f2fs_build_fault_attr()  - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-30 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-38570",
                                "url": "https://ubuntu.com/security/CVE-2024-38570",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-06-19 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-42228",
                                "url": "https://ubuntu.com/security/CVE-2024-42228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc  Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually    need to have a separate value of 0xffffffff.(Christian)",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-30 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2022-48791",
                                "url": "https://ubuntu.com/security/CVE-2022-48791",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: pm8001: Fix use-after-free for aborted TMF sas_task  Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout.  When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task().  However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-16 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26787",
                                "url": "https://ubuntu.com/security/CVE-2024-26787",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-04 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-27012",
                                "url": "https://ubuntu.com/security/CVE-2024-27012",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] 
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] <TASK> [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? 
__rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-01 06:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2022-48863",
                                "url": "https://ubuntu.com/security/CVE-2022-48863",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mISDN: Fix memory leak in dsp_pipeline_build()  dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, \"|\"). As a result when it calls kfree(dup), the dup variable contains NULL.  Found by Linux Driver Verification project (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-16 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-47188",
                                "url": "https://ubuntu.com/security/CVE-2021-47188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Call trace: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 That warning is triggered by the following statement: WARN_ON(lrbp->cmd); Fix this warning by clearing lrbp->cmd from the abort handler.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-10 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26677",
                                "url": "https://ubuntu.com/security/CVE-2024-26677",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-02 07:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * focal/linux-kvm: 5.4.0-1121.129 -proposed tracker (LP: #2078195)",
                            "",
                            "  [ Ubuntu: 5.4.0-196.216 ]",
                            "",
                            "  * focal/linux: 5.4.0-196.216 -proposed tracker (LP: #2078205)",
                            "  * CVE-2024-39494",
                            "    - ima: Fix use-after-free on a dentry's dname.name",
                            "  * CVE-2024-42160",
                            "    - f2fs: check validation of fault attrs in f2fs_build_fault_attr()",
                            "    - f2fs: Add inline to f2fs_build_fault_attr() stub",
                            "  * CVE-2024-38570",
                            "    - gfs2: Rename sd_{ glock => kill }_wait",
                            "    - gfs2: Fix potential glock use-after-free on unmount",
                            "  * CVE-2024-42228",
                            "    - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc",
                            "  * CVE-2022-48791",
                            "    - scsi: pm80xx: Fix TMF task completion race condition",
                            "    - scsi: pm8001: Fix use-after-free for aborted TMF sas_task",
                            "  * CVE-2024-26787",
                            "    - mmc: mmci_sdmmc: Rename sdmmc_priv struct to sdmmc_idma",
                            "    - mmc: mmci: stm32: use a buffer for unaligned DMA requests",
                            "    - mmc: mmci: stm32: fix DMA API overlapping mappings warning",
                            "  * CVE-2024-27012",
                            "    - netfilter: nf_tables: restore set elements when delete set fails",
                            "  * CVE-2022-48863",
                            "    - mISDN: Fix memory leak in dsp_pipeline_build()",
                            "  * CVE-2021-47188",
                            "    - scsi: ufs: core: Improve SCSI abort handling",
                            "  * CVE-2024-26677",
                            "    - rxrpc: Fix delayed ACKs to not set the reference serial number",
                            ""
                        ],
                        "package": "linux-kvm",
                        "version": "5.4.0-1121.129",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2078195,
                            2078205
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 30 Aug 2024 15:51:24 +0200"
                    }
                ],
                "notes": "linux-kvm-headers-5.4.0-1121 version '5.4.0-1121.129' (source package linux-kvm version '5.4.0-1121.129') was added. linux-kvm-headers-5.4.0-1121 version '5.4.0-1121.129' has the same source package name, linux-kvm, as removed package linux-headers-5.4.0-1120-kvm. As such we can use the source package version of the removed package, '5.4.0-1120.128', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package."
            },
            {
                "name": "linux-modules-5.4.0-1121-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1120.128",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1121.129",
                    "version": "5.4.0-1121.129"
                },
                "cves": [
                    {
                        "cve": "CVE-2024-39494",
                        "url": "https://ubuntu.com/security/CVE-2024-39494",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: Fix use-after-free on a dentry's dname.name  ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-12 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-42160",
                        "url": "https://ubuntu.com/security/CVE-2024-42160",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: check validation of fault attrs in f2fs_build_fault_attr()  - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-30 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-38570",
                        "url": "https://ubuntu.com/security/CVE-2024-38570",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-06-19 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-42228",
                        "url": "https://ubuntu.com/security/CVE-2024-42228",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc  Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually    need to have a separate value of 0xffffffff.(Christian)",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-30 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2022-48791",
                        "url": "https://ubuntu.com/security/CVE-2022-48791",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: pm8001: Fix use-after-free for aborted TMF sas_task  Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout.  When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task().  However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-16 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26787",
                        "url": "https://ubuntu.com/security/CVE-2024-26787",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-04 09:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-27012",
                        "url": "https://ubuntu.com/security/CVE-2024-27012",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] 
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] <TASK> [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? 
__rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-05-01 06:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2022-48863",
                        "url": "https://ubuntu.com/security/CVE-2022-48863",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mISDN: Fix memory leak in dsp_pipeline_build()  dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, \"|\"). As a result when it calls kfree(dup), the dup variable contains NULL.  Found by Linux Driver Verification project (linuxtesting.org) with SVACE.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-07-16 13:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2021-47188",
                        "url": "https://ubuntu.com/security/CVE-2021-47188",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Call trace: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 That warning is triggered by the following statement: WARN_ON(lrbp->cmd); Fix this warning by clearing lrbp->cmd from the abort handler.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-10 19:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-26677",
                        "url": "https://ubuntu.com/security/CVE-2024-26677",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.",
                        "cve_priority": "medium",
                        "cve_public_date": "2024-04-02 07:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2078195,
                    2078205
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2024-39494",
                                "url": "https://ubuntu.com/security/CVE-2024-39494",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ima: Fix use-after-free on a dentry's dname.name  ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, rename_lock), but none of those are met at any of the sites. Take a stable snapshot of the name instead.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-12 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-42160",
                                "url": "https://ubuntu.com/security/CVE-2024-42160",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  f2fs: check validation of fault attrs in f2fs_build_fault_attr()  - It missed to check validation of fault attrs in parse_options(), let's fix to add check condition in f2fs_build_fault_attr(). - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-30 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-38570",
                                "url": "https://ubuntu.com/security/CVE-2024-38570",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in that lockspace, DLM will unlock those locks automatically. Commit fb6791d100d1b started exploiting this behavior to speed up filesystem unmount: gfs2 would simply free glocks it didn't want to unlock and then release the lockspace. This didn't take the bast callbacks for asynchronous lock contention notifications into account, which remain active until until a lock is unlocked or its lockspace is released. To prevent those callbacks from accessing deallocated objects, put the glocks that should not be unlocked on the sd_dead_glocks list, release the lockspace, and only then free those glocks. As an additional measure, ignore unexpected ast and bast callbacks if the receiving glock is dead.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-06-19 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-42228",
                                "url": "https://ubuntu.com/security/CVE-2024-42228",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc  Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001. V2: To really improve the handling we would actually    need to have a separate value of 0xffffffff.(Christian)",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-30 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2022-48791",
                                "url": "https://ubuntu.com/security/CVE-2022-48791",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  scsi: pm8001: Fix use-after-free for aborted TMF sas_task  Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout.  When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task().  However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is available. Fix this by clearing the ccb->task if the TMF times out - the I/O completion handler does nothing if this pointer is cleared.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-16 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26787",
                                "url": "https://ubuntu.com/security/CVE-2024-26787",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: mmc: mmci: stm32: fix DMA API overlapping mappings warning Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning: DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST, overlapping mappings aren't supported WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568 add_dma_entry+0x234/0x2f4 Modules linked in: CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1 Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT) Workqueue: events_freezable mmc_rescan Call trace: add_dma_entry+0x234/0x2f4 debug_dma_map_sg+0x198/0x350 __dma_map_sg_attrs+0xa0/0x110 dma_map_sg_attrs+0x10/0x2c sdmmc_idma_prep_data+0x80/0xc0 mmci_prep_data+0x38/0x84 mmci_start_data+0x108/0x2dc mmci_request+0xe4/0x190 __mmc_start_request+0x68/0x140 mmc_start_request+0x94/0xc0 mmc_wait_for_req+0x70/0x100 mmc_send_tuning+0x108/0x1ac sdmmc_execute_tuning+0x14c/0x210 mmc_execute_tuning+0x48/0xec mmc_sd_init_uhs_card.part.0+0x208/0x464 mmc_sd_init_card+0x318/0x89c mmc_attach_sd+0xe4/0x180 mmc_rescan+0x244/0x320 DMA API debug brings to light leaking dma-mappings as dma_map_sg and dma_unmap_sg are not correctly balanced. If an error occurs in mmci_cmd_irq function, only mmci_dma_error function is called and as this API is not managed on stm32 variant, dma_unmap_sg is never called in this error path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-04 09:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-27012",
                                "url": "https://ubuntu.com/security/CVE-2024-27012",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: restore set elements when delete set fails From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones). This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements. Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit. The splat below shows an object in mappings memleak: [43929.457523] ------------[ cut here ]------------ [43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [...] 
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 [43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246 [43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000 [43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550 [43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f [43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0 [43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002 [43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0 [43929.458114] Call Trace: [43929.458118] <TASK> [43929.458121] ? __warn+0x9f/0x1a0 [43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458188] ? report_bug+0x1b1/0x1e0 [43929.458196] ? handle_bug+0x3c/0x70 [43929.458200] ? exc_invalid_op+0x17/0x40 [43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables] [43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables] [43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables] [43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables] [43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables] [43929.458512] ? rb_insert_color+0x2e/0x280 [43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables] [43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables] [43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables] [43929.458701] ? 
__rcu_read_unlock+0x46/0x70 [43929.458709] nft_delset+0xff/0x110 [nf_tables] [43929.458769] nft_flush_table+0x16f/0x460 [nf_tables] [43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-05-01 06:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2022-48863",
                                "url": "https://ubuntu.com/security/CVE-2022-48863",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  mISDN: Fix memory leak in dsp_pipeline_build()  dsp_pipeline_build() allocates dup pointer by kstrdup(cfg), but then it updates dup variable by strsep(&dup, \"|\"). As a result when it calls kfree(dup), the dup variable contains NULL.  Found by Linux Driver Verification project (linuxtesting.org) with SVACE.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-07-16 13:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2021-47188",
                                "url": "https://ubuntu.com/security/CVE-2021-47188",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Improve SCSI abort handling The following has been observed on a test setup: WARNING: CPU: 4 PID: 250 at drivers/scsi/ufs/ufshcd.c:2737 ufshcd_queuecommand+0x468/0x65c Call trace: ufshcd_queuecommand+0x468/0x65c scsi_send_eh_cmnd+0x224/0x6a0 scsi_eh_test_devices+0x248/0x418 scsi_eh_ready_devs+0xc34/0xe58 scsi_error_handler+0x204/0x80c kthread+0x150/0x1b4 ret_from_fork+0x10/0x30 That warning is triggered by the following statement: WARN_ON(lrbp->cmd); Fix this warning by clearing lrbp->cmd from the abort handler.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-10 19:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-26677",
                                "url": "https://ubuntu.com/security/CVE-2024-26677",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial number as they can't be used as an RTT reference.",
                                "cve_priority": "medium",
                                "cve_public_date": "2024-04-02 07:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * focal/linux-kvm: 5.4.0-1121.129 -proposed tracker (LP: #2078195)",
                            "",
                            "  [ Ubuntu: 5.4.0-196.216 ]",
                            "",
                            "  * focal/linux: 5.4.0-196.216 -proposed tracker (LP: #2078205)",
                            "  * CVE-2024-39494",
                            "    - ima: Fix use-after-free on a dentry's dname.name",
                            "  * CVE-2024-42160",
                            "    - f2fs: check validation of fault attrs in f2fs_build_fault_attr()",
                            "    - f2fs: Add inline to f2fs_build_fault_attr() stub",
                            "  * CVE-2024-38570",
                            "    - gfs2: Rename sd_{ glock => kill }_wait",
                            "    - gfs2: Fix potential glock use-after-free on unmount",
                            "  * CVE-2024-42228",
                            "    - drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc",
                            "  * CVE-2022-48791",
                            "    - scsi: pm80xx: Fix TMF task completion race condition",
                            "    - scsi: pm8001: Fix use-after-free for aborted TMF sas_task",
                            "  * CVE-2024-26787",
                            "    - mmc: mmci_sdmmc: Rename sdmmc_priv struct to sdmmc_idma",
                            "    - mmc: mmci: stm32: use a buffer for unaligned DMA requests",
                            "    - mmc: mmci: stm32: fix DMA API overlapping mappings warning",
                            "  * CVE-2024-27012",
                            "    - netfilter: nf_tables: restore set elements when delete set fails",
                            "  * CVE-2022-48863",
                            "    - mISDN: Fix memory leak in dsp_pipeline_build()",
                            "  * CVE-2021-47188",
                            "    - scsi: ufs: core: Improve SCSI abort handling",
                            "  * CVE-2024-26677",
                            "    - rxrpc: Fix delayed ACKs to not set the reference serial number",
                            ""
                        ],
                        "package": "linux-kvm",
                        "version": "5.4.0-1121.129",
                        "urgency": "medium",
                        "distributions": "focal",
                        "launchpad_bugs_fixed": [
                            2078195,
                            2078205
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 30 Aug 2024 15:51:24 +0200"
                    }
                ],
                "notes": "linux-modules-5.4.0-1121-kvm version '5.4.0-1121.129' (source package linux-kvm version '5.4.0-1121.129') was added. linux-modules-5.4.0-1121-kvm version '5.4.0-1121.129' has the same source package name, linux-kvm, as removed package linux-headers-5.4.0-1120-kvm. As such we can use the source package version of the removed package, '5.4.0-1120.128', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package."
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-headers-5.4.0-1120-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1120.128",
                    "version": "5.4.0-1120.128"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null
            },
            {
                "name": "linux-image-5.4.0-1120-kvm",
                "from_version": {
                    "source_package_name": "linux-signed-kvm",
                    "source_package_version": "5.4.0-1120.128",
                    "version": "5.4.0-1120.128"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null
            },
            {
                "name": "linux-kvm-headers-5.4.0-1120",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1120.128",
                    "version": "5.4.0-1120.128"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null
            },
            {
                "name": "linux-modules-5.4.0-1120-kvm",
                "from_version": {
                    "source_package_name": "linux-kvm",
                    "source_package_version": "5.4.0-1120.128",
                    "version": "5.4.0-1120.128"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 20.04 focal image from daily image serial 20240913 to 20240917",
    "from_series": "focal",
    "to_series": "focal",
    "from_serial": "20240913",
    "to_serial": "20240917",
    "from_manifest_filename": "daily_manifest.previous",
    "to_manifest_filename": "manifest.current"
}