{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [], "removed": [], "diff": [ "openssh-client", "openssh-server", "openssh-sftp-server", "perl-base" ] } }, "diff": { "deb": [ { "name": "openssh-client", "from_version": { "source_package_name": "openssh", "source_package_version": "1:9.9p1-3ubuntu3", "version": "1:9.9p1-3ubuntu3" }, "to_version": { "source_package_name": "openssh", "source_package_version": "1:9.9p1-3ubuntu3.1", "version": "1:9.9p1-3ubuntu3.1" }, "cves": [ { "cve": "CVE-2025-32728", "url": "https://ubuntu.com/security/CVE-2025-32728", "cve_description": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", "cve_priority": "medium", "cve_public_date": "2025-04-10 02:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-32728", "url": "https://ubuntu.com/security/CVE-2025-32728", "cve_description": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", "cve_priority": "medium", "cve_public_date": "2025-04-10 02:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect DisableForwarding directive behaviour", " - debian/patches/CVE-2025-32728.patch: fix logic error in session.c.", " - CVE-2025-32728", "" ], "package": "openssh", "version": "1:9.9p1-3ubuntu3.1", "urgency": "medium", "distributions": "plucky-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 11 Apr 2025 07:33:19 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssh-server", "from_version": { "source_package_name": "openssh", "source_package_version": "1:9.9p1-3ubuntu3", "version": "1:9.9p1-3ubuntu3" }, "to_version": { "source_package_name": "openssh", "source_package_version": "1:9.9p1-3ubuntu3.1", "version": "1:9.9p1-3ubuntu3.1" }, "cves": [ { "cve": "CVE-2025-32728", "url": "https://ubuntu.com/security/CVE-2025-32728", "cve_description": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", "cve_priority": "medium", "cve_public_date": "2025-04-10 02:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-32728", "url": "https://ubuntu.com/security/CVE-2025-32728", "cve_description": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", "cve_priority": "medium", "cve_public_date": "2025-04-10 02:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect DisableForwarding directive behaviour", " - debian/patches/CVE-2025-32728.patch: fix logic error in session.c.", " - CVE-2025-32728", "" ], "package": "openssh", "version": "1:9.9p1-3ubuntu3.1", "urgency": "medium", "distributions": "plucky-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 11 Apr 2025 07:33:19 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssh-sftp-server", "from_version": { "source_package_name": "openssh", "source_package_version": "1:9.9p1-3ubuntu3", "version": "1:9.9p1-3ubuntu3" }, "to_version": { "source_package_name": "openssh", "source_package_version": "1:9.9p1-3ubuntu3.1", "version": "1:9.9p1-3ubuntu3.1" }, "cves": [ { "cve": "CVE-2025-32728", "url": "https://ubuntu.com/security/CVE-2025-32728", "cve_description": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", "cve_priority": "medium", "cve_public_date": "2025-04-10 02:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-32728", "url": "https://ubuntu.com/security/CVE-2025-32728", "cve_description": "In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.", "cve_priority": "medium", "cve_public_date": "2025-04-10 02:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect DisableForwarding directive behaviour", " - debian/patches/CVE-2025-32728.patch: fix logic error in session.c.", " - CVE-2025-32728", "" ], "package": "openssh", "version": "1:9.9p1-3ubuntu3.1", "urgency": "medium", "distributions": "plucky-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Fri, 11 Apr 2025 07:33:19 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "perl-base", "from_version": { "source_package_name": "perl", "source_package_version": "5.40.1-2", "version": "5.40.1-2" }, "to_version": { "source_package_name": "perl", "source_package_version": "5.40.1-2ubuntu0.1", "version": "5.40.1-2ubuntu0.1" }, "cves": [ { "cve": "CVE-2024-56406", "url": "https://ubuntu.com/security/CVE-2024-56406", "cve_description": "A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = \"\\x{FF}\" x 1000000; tr/\\xFF/\\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.", "cve_priority": "medium", "cve_public_date": "2025-04-13 14:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2024-56406", "url": "https://ubuntu.com/security/CVE-2024-56406", "cve_description": "A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = \"\\x{FF}\" x 1000000; tr/\\xFF/\\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.", "cve_priority": "medium", "cve_public_date": "2025-04-13 14:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: heap overflow when transliterating non-ASCII bytes", " - debian/patches/CVE-2024-56406.patch: properly calculate needed space", " in op.c.", " - CVE-2024-56406", "" ], "package": "perl", "version": "5.40.1-2ubuntu0.1", "urgency": "medium", "distributions": "plucky-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Mon, 14 Apr 2025 09:45:00 -0400" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 25.04 plucky image from daily image serial 20250415 to 20250426", "from_series": "plucky", "to_series": "plucky", "from_serial": "20250415", "to_serial": "20250426", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }