{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [ "linux-image-6.14.0-37-generic", "linux-modules-6.14.0-37-generic" ], "removed": [ "linux-image-6.14.0-35-generic", "linux-modules-6.14.0-35-generic" ], "diff": [ "bsdutils", "fdisk", "gir1.2-glib-2.0", "gpgv", "libblkid1", "libfdisk1", "libglib2.0-0t64", "libmount1", "libnetplan1", "libpng16-16t64", "libpython3.13-minimal", "libpython3.13-stdlib", "libsmartcols1", "libuuid1", "linux-image-virtual", "login", "mount", "netplan-generator", "netplan.io", "python-apt-common", "python3-apt", "python3-netplan", "python3-urllib3", "python3.13", "python3.13-minimal", "snapd", "ubuntu-drivers-common", "ubuntu-pro-client", "util-linux" ] } }, "diff": { "deb": [ { "name": "bsdutils", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.1", "version": "1:2.40.2-14ubuntu1.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.2", "version": "1:2.40.2-14ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.40.2-14ubuntu1.2", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2123886 ], "author": "Zachary Raines ", "date": "Wed, 17 Sep 2025 18:10:16 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "fdisk", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.1", "version": "2.40.2-14ubuntu1.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.2", "version": "2.40.2-14ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.40.2-14ubuntu1.2", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2123886 ], "author": "Zachary Raines ", "date": "Wed, 17 Sep 2025 18:10:16 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "gir1.2-glib-2.0", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.84.1-1ubuntu0.1", "version": "2.84.1-1ubuntu0.1" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.84.1-1ubuntu0.2", "version": "2.84.1-1ubuntu0.2" }, "cves": [ { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: GString overflow", " - debian/patches/CVE-2025-6052.patch: fix overflow check when expanding", " the string in glib/gstring.c.", " - CVE-2025-6052", " * SECURITY UPDATE: integer overflow in temp file creation", " - debian/patches/CVE-2025-7039.patch: fix computation of temporary file", " name in glib/gfileutils.c.", " - CVE-2025-7039", " * SECURITY UPDATE: heap overflow in g_escape_uri_string()", " - debian/patches/CVE-2025-13601.patch: add overflow check in", " glib/gconvert.c.", " - CVE-2025-13601", " * SECURITY UPDATE: buffer underflow through glib/gvariant", " - debian/patches/CVE-2025-14087-1.patch: fix potential integer overflow", " parsing (byte)strings in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-2.patch: use size_t to count numbers of", " child elements in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-3.patch: convert error handling code to", " use size_t in glib/gvariant-parser.c.", " - CVE-2025-14087", " * SECURITY UPDATE: integer overflow in gfileattribute", " - debian/patches/gfileattribute-overflow.patch: add overflow check in", " gio/gfileattribute.c.", " - No CVE number", "" ], "package": "glib2.0", "version": "2.84.1-1ubuntu0.2", "urgency": "medium", "distributions": "plucky-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 10 Dec 2025 10:28:39 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "gpgv", "from_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu23.1", "version": "2.4.4-2ubuntu23.1" }, "to_version": { "source_package_name": "gnupg2", "source_package_version": "2.4.4-2ubuntu23.2", "version": "2.4.4-2ubuntu23.2" }, "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-68973", "url": "https://ubuntu.com/security/CVE-2025-68973", "cve_description": "In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)", "cve_priority": "high", "cve_public_date": "2025-12-28 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Remote Code Execution", " - debian/patches/CVE-2025-68973.patch: gpg: Fix possible memory", " corruption in the armor parser.", " - CVE-2025-68973", "" ], "package": "gnupg2", "version": "2.4.4-2ubuntu23.2", "urgency": "medium", "distributions": "plucky-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Mon, 05 Jan 2026 21:48:13 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "libblkid1", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.1", "version": "2.40.2-14ubuntu1.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.2", "version": "2.40.2-14ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.40.2-14ubuntu1.2", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2123886 ], "author": "Zachary Raines ", "date": "Wed, 17 Sep 2025 18:10:16 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "libfdisk1", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.1", "version": "2.40.2-14ubuntu1.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.2", "version": "2.40.2-14ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.40.2-14ubuntu1.2", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2123886 ], "author": "Zachary Raines ", "date": "Wed, 17 Sep 2025 18:10:16 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "libglib2.0-0t64", "from_version": { "source_package_name": "glib2.0", "source_package_version": "2.84.1-1ubuntu0.1", "version": "2.84.1-1ubuntu0.1" }, "to_version": { "source_package_name": "glib2.0", "source_package_version": "2.84.1-1ubuntu0.2", "version": "2.84.1-1ubuntu0.2" }, "cves": [ { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-6052", "url": "https://ubuntu.com/security/CVE-2025-6052", "cve_description": "A flaw was found in how GLib’s GString manages memory when adding data to strings. If a string is already very large, combining it with more input can cause a hidden overflow in the size calculation. This makes the system think it has enough memory when it doesn’t. As a result, data may be written past the end of the allocated memory, leading to crashes or memory corruption.", "cve_priority": "low", "cve_public_date": "2025-06-13 16:15:00 UTC" }, { "cve": "CVE-2025-7039", "url": "https://ubuntu.com/security/CVE-2025-7039", "cve_description": "A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.", "cve_priority": "low", "cve_public_date": "2025-09-03 02:15:00 UTC" }, { "cve": "CVE-2025-13601", "url": "https://ubuntu.com/security/CVE-2025-13601", "cve_description": "A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.", "cve_priority": "medium", "cve_public_date": "2025-11-26 15:15:00 UTC" }, { "cve": "CVE-2025-14087", "url": "https://ubuntu.com/security/CVE-2025-14087", "cve_description": "A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.", "cve_priority": "medium", "cve_public_date": "2025-12-10 09:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: GString overflow", " - debian/patches/CVE-2025-6052.patch: fix overflow check when expanding", " the string in glib/gstring.c.", " - CVE-2025-6052", " * SECURITY UPDATE: integer overflow in temp file creation", " - debian/patches/CVE-2025-7039.patch: fix computation of temporary file", " name in glib/gfileutils.c.", " - CVE-2025-7039", " * SECURITY UPDATE: heap overflow in g_escape_uri_string()", " - debian/patches/CVE-2025-13601.patch: add overflow check in", " glib/gconvert.c.", " - CVE-2025-13601", " * SECURITY UPDATE: buffer underflow through glib/gvariant", " - debian/patches/CVE-2025-14087-1.patch: fix potential integer overflow", " parsing (byte)strings in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-2.patch: use size_t to count numbers of", " child elements in glib/gvariant-parser.c.", " - debian/patches/CVE-2025-14087-3.patch: convert error handling code to", " use size_t in glib/gvariant-parser.c.", " - CVE-2025-14087", " * SECURITY UPDATE: integer overflow in gfileattribute", " - debian/patches/gfileattribute-overflow.patch: add overflow check in", " gio/gfileattribute.c.", " - No CVE number", "" ], "package": "glib2.0", "version": "2.84.1-1ubuntu0.2", "urgency": "medium", "distributions": "plucky-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Wed, 10 Dec 2025 10:28:39 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libmount1", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.1", "version": "2.40.2-14ubuntu1.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.2", "version": "2.40.2-14ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.40.2-14ubuntu1.2", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2123886 ], "author": "Zachary Raines ", "date": "Wed, 17 Sep 2025 18:10:16 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "libnetplan1", "from_version": { "source_package_name": "netplan.io", "source_package_version": "1.1.2-2ubuntu1.1", "version": "1.1.2-2ubuntu1.1" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "1.1.2-8ubuntu1~25.04.1", "version": "1.1.2-8ubuntu1~25.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2127195 ], "changes": [ { "cves": [], "log": [ "", " * Backport netplan.io 1.1.2-8ubuntu1 (LP: #2127195)", " - Allows non standard OVS setups (e.g. OVS from snap)", " - Test improvements, especially for slower architectures such as riscv64", " - d/t/cloud-init.sh: Adopt for actually generated files instead of dummies", " - d/control: use dbus-daemon instead of dbus-x11 for build-time tests and", " suggests systemd-resolved", " * SRU compatibility", " - d/gbp.conf: Update for Plucky", "" ], "package": "netplan.io", "version": "1.1.2-8ubuntu1~25.04.1", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2127195 ], "author": "Lukas Märdian ", "date": "Tue, 25 Nov 2025 13:04:37 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpng16-16t64", "from_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.47-1.1", "version": "1.6.47-1.1" }, "to_version": { "source_package_name": "libpng1.6", "source_package_version": "1.6.47-1.1ubuntu0.1", "version": "1.6.47-1.1ubuntu0.1" }, "cves": [ { "cve": "CVE-2025-64505", "url": "https://ubuntu.com/security/CVE-2025-64505", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" }, { "cve": "CVE-2025-64506", "url": "https://ubuntu.com/security/CVE-2025-64506", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" }, { "cve": "CVE-2025-64720", "url": "https://ubuntu.com/security/CVE-2025-64720", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" }, { "cve": "CVE-2025-65018", "url": "https://ubuntu.com/security/CVE-2025-65018", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-64505", "url": "https://ubuntu.com/security/CVE-2025-64505", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" }, { "cve": "CVE-2025-64506", "url": "https://ubuntu.com/security/CVE-2025-64506", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" }, { "cve": "CVE-2025-64720", "url": "https://ubuntu.com/security/CVE-2025-64720", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" }, { "cve": "CVE-2025-65018", "url": "https://ubuntu.com/security/CVE-2025-65018", "cve_description": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.", "cve_priority": "medium", "cve_public_date": "2025-11-25 00:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: buffer overflow issue", " - debian/patches/CVE-2025-64505.patch: Fix a buffer overflow in", " png_do_quantize", " - debian/patches/CVE-2025-64506.patch: Fix a heap buffer overflow in", " png_write_image_8bit", " - debian/patches/CVE-2025-64720.patch: Fix a buffer overflow in", " png_init_read_transformations", " - debian/patches/CVE-2025-65018.patch: Fix a heap buffer overflow in", " png_image_finish_read", " - CVE-2025-64505", " - CVE-2025-64506", " - CVE-2025-64720", " - CVE-2025-65018", "" ], "package": "libpng1.6", "version": "1.6.47-1.1ubuntu0.1", "urgency": "medium", "distributions": "plucky-security", "launchpad_bugs_fixed": [], "author": "Nishit Majithia ", "date": "Tue, 09 Dec 2025 17:37:55 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.13-minimal", "from_version": { "source_package_name": "python3.13", "source_package_version": "3.13.3-1ubuntu0.3", "version": "3.13.3-1ubuntu0.3" }, "to_version": { "source_package_name": "python3.13", "source_package_version": "3.13.3-1ubuntu0.4", "version": "3.13.3-1ubuntu0.4" }, "cves": [ { "cve": "CVE-2025-8291", "url": "https://ubuntu.com/security/CVE-2025-8291", "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.", "cve_priority": "medium", "cve_public_date": "2025-10-07 18:16:00 UTC" }, { "cve": "CVE-2025-6075", "url": "https://ubuntu.com/security/CVE-2025-6075", "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.", "cve_priority": "medium", "cve_public_date": "2025-10-31 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-8291", "url": "https://ubuntu.com/security/CVE-2025-8291", "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.", "cve_priority": "medium", "cve_public_date": "2025-10-07 18:16:00 UTC" }, { "cve": "CVE-2025-6075", "url": "https://ubuntu.com/security/CVE-2025-6075", "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.", "cve_priority": "medium", "cve_public_date": "2025-10-31 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Possible payload obfuscation", " - debian/patches/CVE-2025-8291.patch: check consistency of", " the zip64 end of central dir record in Lib/zipfile.py,", " Lib/test/test_zipfile.py.", " - CVE-2025-8291", " * SECURITY UPDATE: Performance degradation", " - debian/patches/CVE-2025-6075.patch: fix quadratic complexity", " in os.path.expandvars() in Lib/ntpatch.py, Lib/posixpath.py,", " Lib/test/test_genericpatch.py, Lib/test/test_npath.py.", " - CVE-2025-6075", "" ], "package": "python3.13", "version": "3.13.3-1ubuntu0.4", "urgency": "medium", "distributions": "plucky-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Mon, 24 Nov 2025 17:23:35 -0330" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.13-stdlib", "from_version": { "source_package_name": "python3.13", "source_package_version": "3.13.3-1ubuntu0.3", "version": "3.13.3-1ubuntu0.3" }, "to_version": { "source_package_name": "python3.13", "source_package_version": "3.13.3-1ubuntu0.4", "version": "3.13.3-1ubuntu0.4" }, "cves": [ { "cve": "CVE-2025-8291", "url": "https://ubuntu.com/security/CVE-2025-8291", "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.", "cve_priority": "medium", "cve_public_date": "2025-10-07 18:16:00 UTC" }, { "cve": "CVE-2025-6075", "url": "https://ubuntu.com/security/CVE-2025-6075", "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.", "cve_priority": "medium", "cve_public_date": "2025-10-31 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-8291", "url": "https://ubuntu.com/security/CVE-2025-8291", "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.", "cve_priority": "medium", "cve_public_date": "2025-10-07 18:16:00 UTC" }, { "cve": "CVE-2025-6075", "url": "https://ubuntu.com/security/CVE-2025-6075", "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.", "cve_priority": "medium", "cve_public_date": "2025-10-31 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Possible payload obfuscation", " - debian/patches/CVE-2025-8291.patch: check consistency of", " the zip64 end of central dir record in Lib/zipfile.py,", " Lib/test/test_zipfile.py.", " - CVE-2025-8291", " * SECURITY UPDATE: Performance degradation", " - debian/patches/CVE-2025-6075.patch: fix quadratic complexity", " in os.path.expandvars() in Lib/ntpatch.py, Lib/posixpath.py,", " Lib/test/test_genericpatch.py, Lib/test/test_npath.py.", " - CVE-2025-6075", "" ], "package": "python3.13", "version": "3.13.3-1ubuntu0.4", "urgency": "medium", "distributions": "plucky-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Mon, 24 Nov 2025 17:23:35 -0330" } ], "notes": null, "is_version_downgrade": false }, { "name": "libsmartcols1", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.1", "version": "2.40.2-14ubuntu1.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.2", "version": "2.40.2-14ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.40.2-14ubuntu1.2", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2123886 ], "author": "Zachary Raines ", "date": "Wed, 17 Sep 2025 18:10:16 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "libuuid1", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.1", "version": "2.40.2-14ubuntu1.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.2", "version": "2.40.2-14ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.40.2-14ubuntu1.2", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2123886 ], "author": "Zachary Raines ", "date": "Wed, 17 Sep 2025 18:10:16 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "linux-image-virtual", "from_version": { "source_package_name": "linux-meta", "source_package_version": "6.14.0-35.35", "version": "6.14.0-35.35" }, "to_version": { "source_package_name": "linux-meta", "source_package_version": "6.14.0-37.37", "version": "6.14.0-37.37" }, "cves": [], "launchpad_bugs_fixed": [ 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.14.0-37.37", "" ], "package": "linux-meta", "version": "6.14.0-37.37", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [], "author": "Manuel Diewald ", "date": "Fri, 14 Nov 2025 18:22:24 +0100" }, { "cves": [], "log": [ "", " * Main version: 6.14.0-36.36", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/dkms-versions -- resync from main package", "" ], "package": "linux-meta", "version": "6.14.0-36.36", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 1786013 ], "author": "Edoardo Canepa ", "date": "Sat, 11 Oct 2025 02:22:28 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "login", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.1", "version": "1:4.16.0-2+really2.40.2-14ubuntu1.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.2", "version": "1:4.16.0-2+really2.40.2-14ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.40.2-14ubuntu1.2", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2123886 ], "author": "Zachary Raines ", "date": "Wed, 17 Sep 2025 18:10:16 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "mount", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.1", "version": "2.40.2-14ubuntu1.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.2", "version": "2.40.2-14ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.40.2-14ubuntu1.2", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2123886 ], "author": "Zachary Raines ", "date": "Wed, 17 Sep 2025 18:10:16 +0000" } ], "notes": null, "is_version_downgrade": false }, { "name": "netplan-generator", "from_version": { "source_package_name": "netplan.io", "source_package_version": "1.1.2-2ubuntu1.1", "version": "1.1.2-2ubuntu1.1" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "1.1.2-8ubuntu1~25.04.1", "version": "1.1.2-8ubuntu1~25.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2127195 ], "changes": [ { "cves": [], "log": [ "", " * Backport netplan.io 1.1.2-8ubuntu1 (LP: #2127195)", " - Allows non standard OVS setups (e.g. OVS from snap)", " - Test improvements, especially for slower architectures such as riscv64", " - d/t/cloud-init.sh: Adopt for actually generated files instead of dummies", " - d/control: use dbus-daemon instead of dbus-x11 for build-time tests and", " suggests systemd-resolved", " * SRU compatibility", " - d/gbp.conf: Update for Plucky", "" ], "package": "netplan.io", "version": "1.1.2-8ubuntu1~25.04.1", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2127195 ], "author": "Lukas Märdian ", "date": "Tue, 25 Nov 2025 13:04:37 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "netplan.io", "from_version": { "source_package_name": "netplan.io", "source_package_version": "1.1.2-2ubuntu1.1", "version": "1.1.2-2ubuntu1.1" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "1.1.2-8ubuntu1~25.04.1", "version": "1.1.2-8ubuntu1~25.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2127195 ], "changes": [ { "cves": [], "log": [ "", " * Backport netplan.io 1.1.2-8ubuntu1 (LP: #2127195)", " - Allows non standard OVS setups (e.g. OVS from snap)", " - Test improvements, especially for slower architectures such as riscv64", " - d/t/cloud-init.sh: Adopt for actually generated files instead of dummies", " - d/control: use dbus-daemon instead of dbus-x11 for build-time tests and", " suggests systemd-resolved", " * SRU compatibility", " - d/gbp.conf: Update for Plucky", "" ], "package": "netplan.io", "version": "1.1.2-8ubuntu1~25.04.1", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2127195 ], "author": "Lukas Märdian ", "date": "Tue, 25 Nov 2025 13:04:37 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "python-apt-common", "from_version": { "source_package_name": "python-apt", "source_package_version": "3.0.0", "version": "3.0.0" }, "to_version": { "source_package_name": "python-apt", "source_package_version": "3.0.0ubuntu0.25.04.1", "version": "3.0.0ubuntu0.25.04.1" }, "cves": [ { "cve": "CVE-2025-6966", "url": "https://ubuntu.com/security/CVE-2025-6966", "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.", "cve_priority": "medium", "cve_public_date": "2025-12-05 13:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2091865 ], "changes": [ { "cves": [ { "cve": "CVE-2025-6966", "url": "https://ubuntu.com/security/CVE-2025-6966", "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.", "cve_priority": "medium", "cve_public_date": "2025-12-05 13:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: NULL pointer dereference (LP: #2091865)", " - python/tag.cc: check for NULL pointer before dereferencing", " - CVE-2025-6966", "" ], "package": "python-apt", "version": "3.0.0ubuntu0.25.04.1", "urgency": "medium", "distributions": "plucky-security", "launchpad_bugs_fixed": [ 2091865 ], "author": "Sudhakar Verma ", "date": "Fri, 05 Dec 2025 22:44:00 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-apt", "from_version": { "source_package_name": "python-apt", "source_package_version": "3.0.0", "version": "3.0.0" }, "to_version": { "source_package_name": "python-apt", "source_package_version": "3.0.0ubuntu0.25.04.1", "version": "3.0.0ubuntu0.25.04.1" }, "cves": [ { "cve": "CVE-2025-6966", "url": "https://ubuntu.com/security/CVE-2025-6966", "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.", "cve_priority": "medium", "cve_public_date": "2025-12-05 13:16:00 UTC" } ], "launchpad_bugs_fixed": [ 2091865 ], "changes": [ { "cves": [ { "cve": "CVE-2025-6966", "url": "https://ubuntu.com/security/CVE-2025-6966", "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.", "cve_priority": "medium", "cve_public_date": "2025-12-05 13:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: NULL pointer dereference (LP: #2091865)", " - python/tag.cc: check for NULL pointer before dereferencing", " - CVE-2025-6966", "" ], "package": "python-apt", "version": "3.0.0ubuntu0.25.04.1", "urgency": "medium", "distributions": "plucky-security", "launchpad_bugs_fixed": [ 2091865 ], "author": "Sudhakar Verma ", "date": "Fri, 05 Dec 2025 22:44:00 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-netplan", "from_version": { "source_package_name": "netplan.io", "source_package_version": "1.1.2-2ubuntu1.1", "version": "1.1.2-2ubuntu1.1" }, "to_version": { "source_package_name": "netplan.io", "source_package_version": "1.1.2-8ubuntu1~25.04.1", "version": "1.1.2-8ubuntu1~25.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2127195 ], "changes": [ { "cves": [], "log": [ "", " * Backport netplan.io 1.1.2-8ubuntu1 (LP: #2127195)", " - Allows non standard OVS setups (e.g. OVS from snap)", " - Test improvements, especially for slower architectures such as riscv64", " - d/t/cloud-init.sh: Adopt for actually generated files instead of dummies", " - d/control: use dbus-daemon instead of dbus-x11 for build-time tests and", " suggests systemd-resolved", " * SRU compatibility", " - d/gbp.conf: Update for Plucky", "" ], "package": "netplan.io", "version": "1.1.2-8ubuntu1~25.04.1", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2127195 ], "author": "Lukas Märdian ", "date": "Tue, 25 Nov 2025 13:04:37 +0100" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3-urllib3", "from_version": { "source_package_name": "python-urllib3", "source_package_version": "2.3.0-2ubuntu0.1", "version": "2.3.0-2ubuntu0.1" }, "to_version": { "source_package_name": "python-urllib3", "source_package_version": "2.3.0-2ubuntu0.2", "version": "2.3.0-2ubuntu0.2" }, "cves": [ { "cve": "CVE-2025-66418", "url": "https://ubuntu.com/security/CVE-2025-66418", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.", "cve_priority": "medium", "cve_public_date": "2025-12-05 16:15:00 UTC" }, { "cve": "CVE-2025-66471", "url": "https://ubuntu.com/security/CVE-2025-66471", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-66418", "url": "https://ubuntu.com/security/CVE-2025-66418", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.", "cve_priority": "medium", "cve_public_date": "2025-12-05 16:15:00 UTC" }, { "cve": "CVE-2025-66471", "url": "https://ubuntu.com/security/CVE-2025-66471", "cve_description": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). The library must read compressed data from the network and decompress it until the requested chunk size is met. Any resulting decompressed data that exceeds the requested amount is held in an internal buffer for the next read operation. The decompression logic could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This can result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data.", "cve_priority": "medium", "cve_public_date": "2025-12-05 17:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Denial of service due to unbounded decompression chain.", " - debian/patches/CVE-2025-66418.patch: Add max_decode_links limit and", " checks in src/urllib3/response.py. Add test in test/test_response.py.", " - CVE-2025-66418", " * SECURITY UPDATE: Denial of service due to decompression bomb.", " - debian/patches/CVE-2025-66471.patch: Fix decompression bomb in", " src/urllib3/response.py. Add tests in test/test_response.py.", " - debian/patches/CVE-2025-66471-post1.patch: Remove brotli version warning", " due to intrusive backport for brotli fixes and upstream version warning", " not being appropriate for distro backporting.", " - CVE-2025-66471", "" ], "package": "python-urllib3", "version": "2.3.0-2ubuntu0.2", "urgency": "medium", "distributions": "plucky-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Wed, 10 Dec 2025 15:28:14 -0330" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.13", "from_version": { "source_package_name": "python3.13", "source_package_version": "3.13.3-1ubuntu0.3", "version": "3.13.3-1ubuntu0.3" }, "to_version": { "source_package_name": "python3.13", "source_package_version": "3.13.3-1ubuntu0.4", "version": "3.13.3-1ubuntu0.4" }, "cves": [ { "cve": "CVE-2025-8291", "url": "https://ubuntu.com/security/CVE-2025-8291", "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.", "cve_priority": "medium", "cve_public_date": "2025-10-07 18:16:00 UTC" }, { "cve": "CVE-2025-6075", "url": "https://ubuntu.com/security/CVE-2025-6075", "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.", "cve_priority": "medium", "cve_public_date": "2025-10-31 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-8291", "url": "https://ubuntu.com/security/CVE-2025-8291", "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.", "cve_priority": "medium", "cve_public_date": "2025-10-07 18:16:00 UTC" }, { "cve": "CVE-2025-6075", "url": "https://ubuntu.com/security/CVE-2025-6075", "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.", "cve_priority": "medium", "cve_public_date": "2025-10-31 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Possible payload obfuscation", " - debian/patches/CVE-2025-8291.patch: check consistency of", " the zip64 end of central dir record in Lib/zipfile.py,", " Lib/test/test_zipfile.py.", " - CVE-2025-8291", " * SECURITY UPDATE: Performance degradation", " - debian/patches/CVE-2025-6075.patch: fix quadratic complexity", " in os.path.expandvars() in Lib/ntpatch.py, Lib/posixpath.py,", " Lib/test/test_genericpatch.py, Lib/test/test_npath.py.", " - CVE-2025-6075", "" ], "package": "python3.13", "version": "3.13.3-1ubuntu0.4", "urgency": "medium", "distributions": "plucky-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Mon, 24 Nov 2025 17:23:35 -0330" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.13-minimal", "from_version": { "source_package_name": "python3.13", "source_package_version": "3.13.3-1ubuntu0.3", "version": "3.13.3-1ubuntu0.3" }, "to_version": { "source_package_name": "python3.13", "source_package_version": "3.13.3-1ubuntu0.4", "version": "3.13.3-1ubuntu0.4" }, "cves": [ { "cve": "CVE-2025-8291", "url": "https://ubuntu.com/security/CVE-2025-8291", "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.", "cve_priority": "medium", "cve_public_date": "2025-10-07 18:16:00 UTC" }, { "cve": "CVE-2025-6075", "url": "https://ubuntu.com/security/CVE-2025-6075", "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.", "cve_priority": "medium", "cve_public_date": "2025-10-31 17:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-8291", "url": "https://ubuntu.com/security/CVE-2025-8291", "cve_description": "The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.", "cve_priority": "medium", "cve_public_date": "2025-10-07 18:16:00 UTC" }, { "cve": "CVE-2025-6075", "url": "https://ubuntu.com/security/CVE-2025-6075", "cve_description": "If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.", "cve_priority": "medium", "cve_public_date": "2025-10-31 17:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Possible payload obfuscation", " - debian/patches/CVE-2025-8291.patch: check consistency of", " the zip64 end of central dir record in Lib/zipfile.py,", " Lib/test/test_zipfile.py.", " - CVE-2025-8291", " * SECURITY UPDATE: Performance degradation", " - debian/patches/CVE-2025-6075.patch: fix quadratic complexity", " in os.path.expandvars() in Lib/ntpatch.py, Lib/posixpath.py,", " Lib/test/test_genericpatch.py, Lib/test/test_npath.py.", " - CVE-2025-6075", "" ], "package": "python3.13", "version": "3.13.3-1ubuntu0.4", "urgency": "medium", "distributions": "plucky-security", "launchpad_bugs_fixed": [], "author": "Hlib Korzhynskyy ", "date": "Mon, 24 Nov 2025 17:23:35 -0330" } ], "notes": null, "is_version_downgrade": false }, { "name": "snapd", "from_version": { "source_package_name": "snapd", "source_package_version": "2.72+ubuntu25.04", "version": "2.72+ubuntu25.04" }, "to_version": { "source_package_name": "snapd", "source_package_version": "2.73+ubuntu25.04", "version": "2.73+ubuntu25.04" }, "cves": [], "launchpad_bugs_fixed": [ 2132084, 2127189, 1851490, 2121853, 2127214, 2127244, 2127766, 2118396, 2114923, 2112551, 2114779, 2112544, 2112332, 1952500, 1849346, 2098780, 2033883 ], "changes": [ { "cves": [], "log": [ "", " * New upstream release, LP: #2132084", " - FDE: do not save incomplete FDE state when resealing was skipped", " - FDE: warn of inconsistent primary or policy counter", " - Confdb: document confdb in snapctl help messages", " - Confdb: only confdb hooks wait if snaps are disabled", " - Confdb: relax confdb change conflict checks", " - Confdb: remove empty parent when removing last leaf", " - Confdb: support parsing field filters", " - Confdb: wrap confdb write values under \"values\" key", " - dm-verity for essential snaps: add new naming convention for", " verity files", " - dm-verity for essential snaps: add snap integrity discovery", " - dm-verity for essential snaps: fix verity salt calculation", " - Assertions: add hardware identity assertion", " - Assertions: add integrity stanza in snap resources revisions", " - Assertions: add request message assertion required for remote", " device management", " - Assertions: add response-message assertion for secure remote", " device management", " - Assertions: expose WithStackedBackstore in RODatabase", " - Packaging: cross-distro | install upstream NEWS file into relevant", " snapd package doc directory", " - Packaging: cross-distro | tweak how the blocks injecting", " $SNAP_MOUNT_DIR/bin are generated as required for openSUSE", " - Packaging: remove deprecated snap-gdb-shim and all references now", " that snap run --gdb is unsupported and replaced by --gdbserver", " - Preseed: call systemd-tmpfiles instead handle-writable-paths on", " uc26", " - Preseed: do not remove the /snap dir but rather all its contents", " during reset", " - snap-confine: attach name derived from security tag to BPF maps", " and programs", " - snap-confine: ensure permitted capabilities match expectation", " - snap-confine: fix cached snap-confine profile cleanup to report", " the correct error instead of masking backend setup failures", " - snap-confine: Improve validation of user controlled paths", " - snap-confine: tighten snap cgroup checks to ensure a snap cannot", " start another snap in the same cgroup, preventing incorrect", " device-filter installation", " - core-initrd: add 26.04 ubuntu-core-initramfs package", " - core-initrd: add missing order dependency for setting default", " system files", " - core-initrd: avoid scanning loop and mmc boot partitions as the", " boot disk won't be any of these", " - core-initrd: make cpio a Depends and remove from Build-Depends", " - core-initrd: start plymouth sooner and reload when gadget is", " available", " - Cross-distro: modify syscheck to account for differences in", " openSUSE 16.0+", " - Validation sets: use in-flight validation sets when calling", " 'snapctl install' from hook", " - Prompting: enable prompting for the camera interface", " - Prompting: remove polkit authentication when modifying/deleting", " prompting rules", " - LP: #2127189 Prompting: do not record notices for unchanged rules", " on snapd startup", " - AppArmor: add free and pidof to the template", " - AppArmor: adjust interfaces/profiles to cope with coreutils paths", " - Interfaces: add support for compatibility expressions", " - Interfaces: checkbox-support | complete overhaul", " - Interfaces: define vulkan-driver-libs, cuda-driver-libs, egl-", " driver-libs, gbm-driver-libs, opengl-driver-libs, and opengles-", " driver-libs", " - Interfaces: allow snaps on classic access to nvidia graphics", " libraries exported by *-driver-libs interfaces", " - Interfaces: fwupd | broaden access to /boot/efi/EFI", " - Interfaces: gsettings | set dconf-service as profile for", " ca.desrt.dconf.Writer", " - Interfaces: iscsi-initiator, dm-multipath, nvme-control | add new", " interfaces", " - Interfaces: opengl | grant read/write permission to /run/nvidia-", " persistenced/socket", " - interfaces: ros-snapd-support | add access to /v2/changes/", " - Interfaces: system-observe | read access to btrfs/ext4/zfs", " filesystem information", " - Interfaces: system-trace | allow /sys/kernel/tracing/** rw", " - Interfaces: usb-gadget | add support for ffs mounts in attributes", " - Add autocompletion to run command", " - Introduce option for disallowing auto-connection of a specific", " interface", " - Only log errors for user service operations performed as a part of", " snap removal", " - Patch snap names in service requests for parallel installed snaps", " - Simplify traits for eMMC special partitions", " - Strip apparmor_parser from debug symbols shrinking snapd size by", " ~3MB", " - Fix InstallPathMany skipping refresh control", " - Fix waiting for GDB helper to stop before attaching gdbserver", " - Protect the per-snap tmp directory against being reaped by age", " - Prevent disabling base snaps to ensure dependent snaps can be", " removed", " - Modify API endpoint /v2/logs to reject n <= 0 (except for special", " case -1 meaning all)", " - Avoid potential deadlock when task is injected after the change", " was aborted", " - Avoid race between store download stream and cache cleanup", " executing in parallel when invoked by snap download task", " - LP: #1851490 Use \"current\" instead of revision number for icons", " - LP: #2121853 Add snapctl version command", " - LP: #2127214 Ensure no more than one partition on disk can match a", " gadget partition", " - LP: #2127244 snap-confine: update AppArmor profile to allow", " read/write to journal as workaround for snap-confine fd", " inheritance prevented by newer AppArmor", " - LP: #2127766 Add new tracing mechanism with independently running", " strace and shim synchronization", "" ], "package": "snapd", "version": "2.73+ubuntu25.04", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2132084, 2127189, 1851490, 2121853, 2127214, 2127244, 2127766 ], "author": "Ernest Lotter ", "date": "Fri, 21 Nov 2025 09:08:02 +0200" }, { "cves": [], "log": [ "", " * New upstream release, LP: #2118396", " - FDE: auto-repair when recovery key is used", " - FDE: revoke keys on shim update", " - FDE: revoke old TPM keys when dbx has been updated", " - FDE: do not reseal FDE hook keys every time", " - FDE: store keys in the kernel keyring when installing from initrd", " - FDE: allow disabled DMA on Core", " - FDE: snap-bootstrap: do not check for partition in scan-disk on", " CVM", " - FDE: support secboot preinstall check for 25.10+ hybrid installs", " via the /v2/system/{label} endpoint", " - FDE: support generating recovery key at install time via the", " /v2/systems/{label} endpoint", " - FDE: update passphrase quality check at install time via the", " /v2/systems/{label} endpoint", " - FDE: support replacing recovery key at runtime via the new", " /v2/system-volumes endpoint", " - FDE: support checking recovery keys at runtime via the /v2/system-", " volumes endpoint", " - FDE: support enumerating keyslots at runtime via the /v2/system-", " volumes endpoint", " - FDE: support changing passphrase at runtime via the /v2/system-", " volumes endpoint", " - FDE: support passphrase quality check at runtime via the", " /v2/system-volumes endpoint", " - FDE: update secboot to revision 3e181c8edf0f", " - Confdb: support lists and indexed paths on read and write", " - Confdb: alias references must be wrapped in brackets", " - Confdb: support indexed paths in confdb-schema assertion", " - Confdb: make API errors consistent with options", " - Confdb: fetch confdb-schema assertion on access", " - Confdb: prevent --previous from being used in read-side hooks", " - Components: fix snap command with multiple components", " - Components: set revision of seed components to x1", " - Components: unmount extra kernel-modules components mounts", " - AppArmor Prompting: add lifespan \"session\" for prompting rules", " - AppArmor Prompting: support restoring prompts after snapd restart", " - AppArmor Prompting: limit the extra information included in probed", " AppArmor features and system key", " - Notices: refactor notice state internals", " - SELinux: look for restorecon/matchpathcon at all known locations", " rather than current PATH", " - SELinux: update policy to allow watching cgroups (for RAA), and", " talking to user session agents (service mgmt/refresh)", " - Refresh App Awareness: Fix unexpected inotify file descriptor", " cleanup", " - snap-confine: workaround for glibc fchmodat() fallback and handle", " ENOSYS", " - snap-confine: add support for host policy for limiting users able", " to run snaps", " - LP: #2114923 Reject system key mismatch advise when not yet seeded", " - Use separate lanes for essential and non-essential snaps during", " seeding and allow non-essential installs to retry", " - Fix bug preventing remodel from core18 to core18 when snapd snap", " is unchanged", " - LP: #2112551 Make removal of last active revision of a snap equal", " to snap remove", " - LP: #2114779 Allow non-gpt in fallback mode to support RPi", " - Switch from using systemd LogNamespace to manually controlled", " journal quotas", " - Change snap command trace logging to only log the command names", " - Grant desktop-launch access to /v2/snaps", " - Update code for creating the snap journal stream", " - Switch from using core to snapd snap for snap debug connectivity", " - LP: #2112544 Fix offline remodel case where we switched to a", " channel without an actual refresh", " - LP: #2112332 Exclude snap/snapd/preseeding when generating preseed", " tarball", " - LP: #1952500 Fix snap command progress reporting", " - LP: #1849346 Interfaces: kerberos-tickets | add new interface", " - Interfaces: u2f | add support for Thetis Pro", " - Interfaces: u2f | add OneSpan device and fix older device", " - Interfaces: pipewire, audio-playback | support pipewire as system", " daemon", " - Interfaces: gpg-keys | allow access to GPG agent sockets", " - Interfaces: usb-gadget | add new interface", " - Interfaces: snap-fde-control, firmware-updater-support | add new", " interfaces to support FDE", " - Interfaces: timezone-control | extend to support timedatectl", " varlink", " - Interfaces: cpu-control | fix rules for accessing IRQ sysfs and", " procfs directories", " - Interfaces: microstack-support | allow SR-IOV attachments", " - Interfaces: modify AppArmor template to allow snaps to read their", " own systemd credentials", " - Interfaces: posix-mq | allow stat on /dev/mqueue", " - LP: #2098780 Interfaces: log-observe | add capability", " dac_read_search", " - Interfaces: block-devices | allow access to ZFS pools and datasets", " - LP: #2033883 Interfaces: block-devices | opt-in access to", " individual partitions", " - Interfaces: accel | add new interface to support accel kernel", " subsystem", " - Interfaces: shutdown | allow client to bind on its side of dbus", " socket", " - Interfaces: modify seccomp template to allow pwritev2", " - Interfaces: modify AppArmor template to allow reading", " /proc/sys/fs/nr_open", " - Packaging: drop snap.failure service for openSUSE", " - Packaging: add SELinux support for openSUSE", " - Packaging: disable optee when using nooptee build tag", " - Packaging: add support for static PIE builds in snapd.mk, drop", " pie.patch from openSUSE", " - Packaging: add libcap2-bin runtime dependency for ubuntu-16.04", " - Packaging: use snapd.mk for packaging on Fedora", " - Packaging: exclude .git directory", " - Packaging: fix DPKG_PARSECHANGELOG assignment", " - Packaging: fix building on Fedora with dpkg installed", "" ], "package": "snapd", "version": "2.71", "urgency": "medium", "distributions": "xenial", "launchpad_bugs_fixed": [ 2118396, 2114923, 2112551, 2114779, 2112544, 2112332, 1952500, 1849346, 2098780, 2033883 ], "author": "Ernest Lotter ", "date": "Fri, 25 Jul 2025 13:18:47 +0200" } ], "notes": null, "is_version_downgrade": false }, { "name": "ubuntu-drivers-common", "from_version": { "source_package_name": "ubuntu-drivers-common", "source_package_version": "1:0.10.2.1", "version": "1:0.10.2.1" }, "to_version": { "source_package_name": "ubuntu-drivers-common", "source_package_version": "1:0.10.2.2", "version": "1:0.10.2.2" }, "cves": [], "launchpad_bugs_fixed": [ 2125156 ], "changes": [ { "cves": [], "log": [ "", " [ Mitchell Augustin ]", " * Prevent coinstallation of conflicting Nvidia Drivers (LP: #2125156)", "", " [ Nick Rosbrook ]", " * debian/source/options: ignore .git to prevent git artifacts in upload", "" ], "package": "ubuntu-drivers-common", "version": "1:0.10.2.2", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2125156 ], "author": "Mitchell Augustin ", "date": "Fri, 03 Oct 2025 16:26:02 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "ubuntu-pro-client", "from_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "36ubuntu0~25.04", "version": "36ubuntu0~25.04" }, "to_version": { "source_package_name": "ubuntu-advantage-tools", "source_package_version": "37.1ubuntu0~25.04", "version": "37.1ubuntu0~25.04" }, "cves": [], "launchpad_bugs_fixed": [ 2129712, 2129712, 2123870, 2125453, 2107604 ], "changes": [ { "cves": [], "log": [ "", " * Backport 37.1ubuntu0 to plucky (LP: #2129712)", "" ], "package": "ubuntu-advantage-tools", "version": "37.1ubuntu0~25.04", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2129712 ], "author": "Renan Rodrigo ", "date": "Mon, 27 Oct 2025 09:42:17 -0300" }, { "cves": [], "log": [ "", " * do-release-upgrade: immediately release the APT lock acquired to run the", " post-upgrade hook (LP: #2129712)", "" ], "package": "ubuntu-advantage-tools", "version": "37.1ubuntu0", "urgency": "medium", "distributions": "resolute", "launchpad_bugs_fixed": [ 2129712 ], "author": "Renan Rodrigo ", "date": "Thu, 23 Oct 2025 16:30:36 -0300" }, { "cves": [], "log": [ "", " * d/apparmor/ubuntu_pro_[apt_news|esm_cache].jinja2: update coreutils path", " Thanks to Georgia Garcia (LP: #2123870)", " * New upstream release 37: (LP: #2125453)", " - attach: don't show a notice if attaching a one-time token set for a", " future release (GH: #3485)", " - enable: add the --auto option to enable all default services based on", " the contract", " - entitlements:", " + add esm-infra-legacy support", " + add esm-apps-legacy support", " - fips: show correct kernel versions when downgrading on clouds (GH: #3488)", " - upgrade-lts-contract: (LP: #2107604)", " + remove implicit dependency on lsof", " + fix the logic to hold the apt lock while performing operations", "" ], "package": "ubuntu-advantage-tools", "version": "37ubuntu0", "urgency": "medium", "distributions": "questing", "launchpad_bugs_fixed": [ 2123870, 2125453, 2107604 ], "author": "Renan Rodrigo ", "date": "Mon, 22 Sep 2025 21:51:46 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "util-linux", "from_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.1", "version": "2.40.2-14ubuntu1.1" }, "to_version": { "source_package_name": "util-linux", "source_package_version": "2.40.2-14ubuntu1.2", "version": "2.40.2-14ubuntu1.2" }, "cves": [], "launchpad_bugs_fixed": [ 2123886 ], "changes": [ { "cves": [], "log": [ "", " * Add ARM core support for Vera systems (LP: #2123886)", " - d/p/ubuntu/lp-2123886-add-missing-arm-cores.patch", "" ], "package": "util-linux", "version": "2.40.2-14ubuntu1.2", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2123886 ], "author": "Zachary Raines ", "date": "Wed, 17 Sep 2025 18:10:16 +0000" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [ { "name": "linux-image-6.14.0-37-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "6.14.0-35.35", "version": null }, "to_version": { "source_package_name": "linux-signed", "source_package_version": "6.14.0-37.37", "version": "6.14.0-37.37" }, "cves": [], "launchpad_bugs_fixed": [ 1786013, 1786013 ], "changes": [ { "cves": [], "log": [ "", " * Main version: 6.14.0-37.37", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "6.14.0-37.37", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 1786013 ], "author": "Manuel Diewald ", "date": "Fri, 14 Nov 2025 18:22:34 +0100" }, { "cves": [], "log": [ "", " * Main version: 6.14.0-36.36", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian/tracking-bug -- resync from main package", "" ], "package": "linux-signed", "version": "6.14.0-36.36", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 1786013 ], "author": "Edoardo Canepa ", "date": "Sat, 11 Oct 2025 02:22:45 +0200" } ], "notes": "linux-image-6.14.0-37-generic version '6.14.0-37.37' (source package linux-signed version '6.14.0-37.37') was added. linux-image-6.14.0-37-generic version '6.14.0-37.37' has the same source package name, linux-signed, as removed package linux-image-6.14.0-35-generic. As such we can use the source package version of the removed package, '6.14.0-35.35', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false }, { "name": "linux-modules-6.14.0-37-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.14.0-35.35", "version": null }, "to_version": { "source_package_name": "linux", "source_package_version": "6.14.0-37.37", "version": "6.14.0-37.37" }, "cves": [ { "cve": "CVE-2025-39993", "url": "https://ubuntu.com/security/CVE-2025-39993", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device. Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage. As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer. Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1) ... while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAF Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present. Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations. Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-10-15 08:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-39964", "url": "https://ubuntu.com/security/CVE-2025-39964", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing.", "cve_priority": "medium", "cve_public_date": "2025-10-13 14:15:00 UTC" }, { "cve": "CVE-2025-39946", "url": "https://ubuntu.com/security/CVE-2025-39946", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: make sure to abort the stream if headers are bogus Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out late that the record is actually invalid. Retrying the parsing is fine in itself but since we copy some more data each time before we parse we can overflow the allocated skb space. Constructing a scenario in which we're under pressure without enough data in the socket to parse the length upfront is quite hard. syzbot figured out a way to do this by serving us the header in small OOB sends, and then filling in the recvbuf with a large normal send. Make sure that tls_rx_msg_size() aborts strp, if we reach an invalid record there's really no way to recover.", "cve_priority": "medium", "cve_public_date": "2025-10-04 08:15:00 UTC" }, { "cve": "CVE-2025-38660", "url": "https://ubuntu.com/security/CVE-2025-38660", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: [ceph] parse_longname(): strrchr() expects NUL-terminated string ... and parse_longname() is not guaranteed that. That's the reason why it uses kmemdup_nul() to build the argument for kstrtou64(); the problem is, kstrtou64() is not the only thing that need it. Just get a NUL-terminated copy of the entire thing and be done with that...", "cve_priority": "medium", "cve_public_date": "2025-08-22 16:15:00 UTC" }, { "cve": "CVE-2024-50047", "url": "https://ubuntu.com/security/CVE-2024-50047", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in async decryption Doing an async decryption (large read) crashes with a slab-use-after-free way down in the crypto API. Reproducer: # mount.cifs -o ...,seal,esize=1 //srv/share /mnt # dd if=/mnt/largefile of=/dev/null ... [ 194.196391] ================================================================== [ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110 [ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899 [ 194.197707] [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43 [ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 [ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs] [ 194.200032] Call Trace: [ 194.200191] [ 194.200327] dump_stack_lvl+0x4e/0x70 [ 194.200558] ? gf128mul_4k_lle+0xc1/0x110 [ 194.200809] print_report+0x174/0x505 [ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 194.201352] ? srso_return_thunk+0x5/0x5f [ 194.201604] ? __virt_addr_valid+0xdf/0x1c0 [ 194.201868] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202128] kasan_report+0xc8/0x150 [ 194.202361] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202616] gf128mul_4k_lle+0xc1/0x110 [ 194.202863] ghash_update+0x184/0x210 [ 194.203103] shash_ahash_update+0x184/0x2a0 [ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10 [ 194.203651] ? srso_return_thunk+0x5/0x5f [ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340 [ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140 [ 194.204434] crypt_message+0xec1/0x10a0 [cifs] [ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs] [ 194.208507] ? srso_return_thunk+0x5/0x5f [ 194.209205] ? srso_return_thunk+0x5/0x5f [ 194.209925] ? srso_return_thunk+0x5/0x5f [ 194.210443] ? srso_return_thunk+0x5/0x5f [ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs] [ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs] [ 194.214670] ? srso_return_thunk+0x5/0x5f [ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs] This is because TFM is being used in parallel. Fix this by allocating a new AEAD TFM for async decryption, but keep the existing one for synchronous READ cases (similar to what is done in smb3_calc_signature()). Also remove the calls to aead_request_set_callback() and crypto_wait_req() since it's always going to be a synchronous operation.", "cve_priority": "high", "cve_public_date": "2024-10-21 20:15:00 UTC" }, { "cve": "CVE-2025-38678", "url": "https://ubuntu.com/security/CVE-2025-38678", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: reject duplicate device on updates A chain/flowtable update with duplicated devices in the same batch is possible. Unfortunately, netdev event path only removes the first device that is found, leaving unregistered the hook of the duplicated device. Check if a duplicated device exists in the transaction batch, bail out with EEXIST in such case. WARNING is hit when unregistering the hook: [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150 [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full) [...] [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150", "cve_priority": "medium", "cve_public_date": "2025-09-03 13:15:00 UTC" }, { "cve": "CVE-2025-38616", "url": "https://ubuntu.com/security/CVE-2025-38616", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: handle data disappearing from under the TLS ULP TLS expects that it owns the receive queue of the TCP socket. This cannot be guaranteed in case the reader of the TCP socket entered before the TLS ULP was installed, or uses some non-standard read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy early exit (which leaves anchor pointing to a freed skb) with real error handling. Wipe the parsing state and tell the reader to retry. We already reload the anchor every time we (re)acquire the socket lock, so the only condition we need to avoid is an out of bounds read (not having enough bytes in the socket for previously parsed record len). If some data was read from under TLS but there's enough in the queue we'll reload and decrypt what is most likely not a valid TLS record. Leading to some undefined behavior from TLS perspective (corrupting a stream? missing an alert? missing an attack?) but no kernel crash should take place.", "cve_priority": "medium", "cve_public_date": "2025-08-22 14:15:00 UTC" }, { "cve": "CVE-2025-40300", "url": "https://ubuntu.com/security/CVE-2025-40300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo. [ dhansen: elaborate on suboptimal IBPB solution ]", "cve_priority": "high", "cve_public_date": "2025-09-11 17:15:00 UTC" } ], "launchpad_bugs_fixed": [ 2131513, 2115860, 2131046, 2130552, 2121997, 2127676, 2127650, 1786013, 2122379, 2121866, 2119738, 2121337, 2114963, 2119713, 2119479, 2126659, 2123901, 2125444, 2125471, 2103680, 2125053, 2122435, 2122397, 2126463, 2126463, 2125820, 2123805, 2123805, 2123745, 2124105, 2124105 ], "changes": [ { "cves": [ { "cve": "CVE-2025-39993", "url": "https://ubuntu.com/security/CVE-2025-39993", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device. Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage. As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer. Thread 1 vfd_write Thread 2 imon_disconnect ... if usb_put_dev(ictx->usbdev_intf0) else usb_put_dev(ictx->usbdev_intf1) ... while send_packet if pipe = usb_sndintpipe( ictx->usbdev_intf0) UAF else pipe = usb_sndctrlpipe( ictx->usbdev_intf0, 0) UAF Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present. Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations. Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.", "cve_priority": "medium", "cve_public_date": "2025-10-15 08:15:00 UTC" }, { "cve": "CVE-2025-40018", "url": "https://ubuntu.com/security/CVE-2025-40018", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: ipvs: Defer ip_vs_ftp unregister during netns cleanup On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free. Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.", "cve_priority": "medium", "cve_public_date": "2025-10-24 12:15:00 UTC" }, { "cve": "CVE-2025-39964", "url": "https://ubuntu.com/security/CVE-2025-39964", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing.", "cve_priority": "medium", "cve_public_date": "2025-10-13 14:15:00 UTC" }, { "cve": "CVE-2025-39946", "url": "https://ubuntu.com/security/CVE-2025-39946", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: make sure to abort the stream if headers are bogus Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out late that the record is actually invalid. Retrying the parsing is fine in itself but since we copy some more data each time before we parse we can overflow the allocated skb space. Constructing a scenario in which we're under pressure without enough data in the socket to parse the length upfront is quite hard. syzbot figured out a way to do this by serving us the header in small OOB sends, and then filling in the recvbuf with a large normal send. Make sure that tls_rx_msg_size() aborts strp, if we reach an invalid record there's really no way to recover.", "cve_priority": "medium", "cve_public_date": "2025-10-04 08:15:00 UTC" } ], "log": [ "", " * plucky/linux: 6.14.0-37.37 -proposed tracker (LP: #2131513)", "", " * Poweroff not working consistently after upgrading kernel 6.14.0-17.17 or", " later (LP: #2115860)", " - drm/amd: Unify shutdown() callback behavior", " - drm/amd: Stop exporting amdgpu_device_ip_suspend() outside amdgpu_device", " - drm/amd: Remove comment about handling errors in", " amdgpu_device_ip_suspend_phase1()", " - drm/amd: Don't always set IP block HW status to false", " - drm/amd: Pass IP suspend errors up to callers", " - drm/amd: Avoid evicting resources at S5", "", " * CAP_PERFMON insufficient to get perf data (LP: #2131046)", " - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4", "", " * i40e driver is triggering VF resets on every link state change", " (LP: #2130552)", " - i40e: avoid redundant VF link state updates", "", " * kernel: sysfs: cannot create duplicate filename", " '/bus/platform/devices/iTCO_wdt' (LP: #2121997)", " - i2c: i801: Hide Intel Birch Stream SoC TCO WDT", "", " * Fix incorrect bug number for CONFIG_KERNEL_ZSTD (LP: #2127676)", " - [Config] Fix bug note for CONFIG_KERNEL_ZSTD", "", " * CVE-2025-39993", " - media: rc: fix races with imon_disconnect()", "", " * CVE-2025-40018", " - ipvs: Defer ip_vs_ftp unregister during netns cleanup", "", " * CVE-2025-39964", " - crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg", " - crypto: af_alg - Fix incorrect boolean values in af_alg_ctx", "", " * CVE-2025-39946", " - tls: make sure to abort the stream if headers are bogus", "" ], "package": "linux", "version": "6.14.0-37.37", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2131513, 2115860, 2131046, 2130552, 2121997, 2127676 ], "author": "Manuel Diewald ", "date": "Fri, 14 Nov 2025 17:52:55 +0100" }, { "cves": [ { "cve": "CVE-2025-38660", "url": "https://ubuntu.com/security/CVE-2025-38660", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: [ceph] parse_longname(): strrchr() expects NUL-terminated string ... and parse_longname() is not guaranteed that. That's the reason why it uses kmemdup_nul() to build the argument for kstrtou64(); the problem is, kstrtou64() is not the only thing that need it. Just get a NUL-terminated copy of the entire thing and be done with that...", "cve_priority": "medium", "cve_public_date": "2025-08-22 16:15:00 UTC" }, { "cve": "CVE-2024-50047", "url": "https://ubuntu.com/security/CVE-2024-50047", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in async decryption Doing an async decryption (large read) crashes with a slab-use-after-free way down in the crypto API. Reproducer: # mount.cifs -o ...,seal,esize=1 //srv/share /mnt # dd if=/mnt/largefile of=/dev/null ... [ 194.196391] ================================================================== [ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110 [ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899 [ 194.197707] [ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43 [ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014 [ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs] [ 194.200032] Call Trace: [ 194.200191] [ 194.200327] dump_stack_lvl+0x4e/0x70 [ 194.200558] ? gf128mul_4k_lle+0xc1/0x110 [ 194.200809] print_report+0x174/0x505 [ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 194.201352] ? srso_return_thunk+0x5/0x5f [ 194.201604] ? __virt_addr_valid+0xdf/0x1c0 [ 194.201868] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202128] kasan_report+0xc8/0x150 [ 194.202361] ? gf128mul_4k_lle+0xc1/0x110 [ 194.202616] gf128mul_4k_lle+0xc1/0x110 [ 194.202863] ghash_update+0x184/0x210 [ 194.203103] shash_ahash_update+0x184/0x2a0 [ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10 [ 194.203651] ? srso_return_thunk+0x5/0x5f [ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340 [ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140 [ 194.204434] crypt_message+0xec1/0x10a0 [cifs] [ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs] [ 194.208507] ? srso_return_thunk+0x5/0x5f [ 194.209205] ? srso_return_thunk+0x5/0x5f [ 194.209925] ? srso_return_thunk+0x5/0x5f [ 194.210443] ? srso_return_thunk+0x5/0x5f [ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs] [ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs] [ 194.214670] ? srso_return_thunk+0x5/0x5f [ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs] This is because TFM is being used in parallel. Fix this by allocating a new AEAD TFM for async decryption, but keep the existing one for synchronous READ cases (similar to what is done in smb3_calc_signature()). Also remove the calls to aead_request_set_callback() and crypto_wait_req() since it's always going to be a synchronous operation.", "cve_priority": "high", "cve_public_date": "2024-10-21 20:15:00 UTC" }, { "cve": "CVE-2025-38678", "url": "https://ubuntu.com/security/CVE-2025-38678", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: reject duplicate device on updates A chain/flowtable update with duplicated devices in the same batch is possible. Unfortunately, netdev event path only removes the first device that is found, leaving unregistered the hook of the duplicated device. Check if a duplicated device exists in the transaction batch, bail out with EEXIST in such case. WARNING is hit when unregistering the hook: [49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150 [49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full) [...] [49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150", "cve_priority": "medium", "cve_public_date": "2025-09-03 13:15:00 UTC" }, { "cve": "CVE-2025-38616", "url": "https://ubuntu.com/security/CVE-2025-38616", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: tls: handle data disappearing from under the TLS ULP TLS expects that it owns the receive queue of the TCP socket. This cannot be guaranteed in case the reader of the TCP socket entered before the TLS ULP was installed, or uses some non-standard read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy early exit (which leaves anchor pointing to a freed skb) with real error handling. Wipe the parsing state and tell the reader to retry. We already reload the anchor every time we (re)acquire the socket lock, so the only condition we need to avoid is an out of bounds read (not having enough bytes in the socket for previously parsed record len). If some data was read from under TLS but there's enough in the queue we'll reload and decrypt what is most likely not a valid TLS record. Leading to some undefined behavior from TLS perspective (corrupting a stream? missing an alert? missing an attack?) but no kernel crash should take place.", "cve_priority": "medium", "cve_public_date": "2025-08-22 14:15:00 UTC" }, { "cve": "CVE-2025-40300", "url": "https://ubuntu.com/security/CVE-2025-40300", "cve_description": "In the Linux kernel, the following vulnerability has been resolved: x86/vmscape: Add conditional IBPB mitigation VMSCAPE is a vulnerability that exploits insufficient branch predictor isolation between a guest and a userspace hypervisor (like QEMU). Existing mitigations already protect kernel/KVM from a malicious guest. Userspace can additionally be protected by flushing the branch predictors after a VMexit. Since it is the userspace that consumes the poisoned branch predictors, conditionally issue an IBPB after a VMexit and before returning to userspace. Workloads that frequently switch between hypervisor and userspace will incur the most overhead from the new IBPB. This new IBPB is not integrated with the existing IBPB sites. For instance, a task can use the existing speculation control prctl() to get an IBPB at context switch time. With this implementation, the IBPB is doubled up: one at context switch and another before running userspace. The intent is to integrate and optimize these cases post-embargo. [ dhansen: elaborate on suboptimal IBPB solution ]", "cve_priority": "high", "cve_public_date": "2025-09-11 17:15:00 UTC" } ], "log": [ "", " * plucky/linux: 6.14.0-36.36 -proposed tracker (LP: #2127650)", "", " * Packaging resync (LP: #1786013)", " - [Packaging] debian.master/dkms-versions -- update from kernel-versions", " (main/2025.10.13)", "", " * [SRU] Add support of cs42l43 and cs35l56 on ThinkPad P1 and P16", " (LP: #2122379)", " - ASoC: Intel: sof_sdw: Add quirks for Lenovo P1 and P16", "", " * ubuntu_kselftests_net:nl_netdev.py regression plucky nsim_queue_stop", " [netdevsim] (LP: #2121866)", " - net: devmem: don't call queue stop / start when the interface is down", "", " * [SRU] Fix kernel crash in intel-thc driver (LP: #2119738)", " - HID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length", " - HID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C", " regs save", "", " * Enable Xilinx PS UART configs (LP: #2121337)", " - [Config] Enable Xilinx PS UART configs", "", " * [SRU] Do not instantiate SPD5118 sensors on i801 SMBus controllers", " (LP: #2114963)", " - i2c: smbus: introduce Write Disable-aware SPD instantiating functions", " - SAUCE: i2c: i801: Do not instantiate spd5118 under SPD Write Disable", "", " * UBSAN: shift-out-of-bounds in drivers/edac/skx_common.c:452:16", " (LP: #2119713)", " - EDAC/i10nm: Skip DIMM enumeration on a disabled memory controller", "", " * [SRU][Q/P/N:hwe-6.14] mt7925: Add MBSS support (LP: #2119479)", " - wifi: mt76: mt7925: add MBSSID support", "", " * Add pvpanic kernel modules to linux-modules (LP: #2126659)", " - [Packaging] Add pvpanic kernel modules to linux-modules", "", " * r8169 can not wake on LAN via SFP moudule (LP: #2123901)", " - r8169: set EEE speed down ratio to 1", "", " * ensure mptcp keepalives are honored when set (LP: #2125444)", " - mptcp: sockopt: make sync_socket_options propagate SOCK_KEEPOPEN", "", " * [SRU] Re-enable common modes for eDP on AMDGPU (LP: #2125471)", " - drm/amd/display: Use scaling for non-native resolutions on eDP", "", " * System hangs when running the memory stress test (LP: #2103680)", " - mm: page_alloc: avoid kswapd thrashing due to NUMA restrictions", "", " * UBUNTU: fan: fail to check kmalloc() return could cause a NULL pointer", " dereference (LP: #2125053)", " - SAUCE: fan: vxlan: check memory allocation for map", "", " * drm/xe: support power limits (LP: #2122435)", " - drm/xe/hwmon: expose fan speed", " - drm/xe/hwmon: Add support to manage power limits though mailbox", " - drm/xe/hwmon: Move card reactive critical power under channel card", " - drm/xe/hwmon: Add support to manage PL2 though mailbox", " - drm/xe/hwmon: Expose powerX_cap_interval", " - drm/xe/hwmon: Read energy status from PMT", " - drm/xe/hwmon: Expose power sysfs entries based on firmware support", " - drm/xe/hwmon: Fix xe_hwmon_power_max_write", "", " * A few HP laptops are failing to respond during test runs after upgrading", " to the 6.14.0-1012-oem kernel. (LP: #2122397)", " - wifi: ath12k: eliminate redundant debug mask check in ath12k_dbg()", " - wifi: ath12k: introduce ath12k_generic_dbg()", " - wifi: ath12k: remove redundant vif settings during link interface", " creation", " - wifi: ath12k: remove redundant logic for initializing arvif", " - wifi: ath12k: relocate a few functions in mac.c", " - wifi: ath12k: allocate new links in change_vif_links()", " - wifi: ath12k: handle link removal in change_vif_links()", "", " * Plucky update: upstream stable patchset 2025-09-30 (LP: #2126463)", " - ASoC: amd: yc: Add DMI quirk for HP Laptop 17 cp-2033dx", " - ethernet: intel: fix building with large NR_CPUS", " - ASoC: amd: yc: Add DMI entries to support HP 15-fb1xxx", " - ALSA: hda/cs35l56: Workaround bad dev-index on Lenovo Yoga Book 9i GenX", " - ASoC: Intel: fix SND_SOC_SOF dependencies", " - ASoC: amd: yc: add DMI quirk for ASUS M6501RM", " - audit,module: restore audit logging in load failure case", " - fs_context: fix parameter name in infofc() macro", " - fs/ntfs3: cancle set bad inode after removing name fails", " - ublk: use vmalloc for ublk_device's __queues", " - hfsplus: make splice write available again", " - hfs: make splice write available again", " - hfsplus: remove mutex_lock check in hfsplus_free_extents", " - Revert \"fs/ntfs3: Replace inode_trylock with inode_lock\"", " - gfs2: No more self recovery", " - io_uring: fix breakage in EXPERT menu", " - ASoC: soc-dai: tidyup return value of snd_soc_xlate_tdm_slot_mask()", " - ASoC: ops: dynamically allocate struct snd_ctl_elem_value", " - ASoC: mediatek: use reserved memory or enable buffer pre-allocation", " - arm64: dts: freescale: imx93-tqma9352: Limit BUCK2 to 600mV", " - selftests: Fix errno checking in syscall_user_dispatch test", " - soc: qcom: QMI encoding/decoding for big endian", " - arm64: dts: qcom: sdm845: Expand IMEM region", " - arm64: dts: qcom: sc7180: Expand IMEM region", " - arm64: dts: exynos: gs101: Add 'local-timer-stop' to cpuidle nodes", " - arm64: dts: qcom: sa8775p: Correct the interrupt for remoteproc", " - arm64: dts: qcom: msm8976: Make blsp_dma controlled-remotely", " - ARM: dts: vfxxx: Correctly use two tuples for timer address", " - usb: host: xhci-plat: fix incorrect type for of_match variable in", " xhci_plat_probe()", " - usb: misc: apple-mfi-fastcharge: Make power supply names unique", " - arm64: dts: ti: k3-am642-phyboard-electra: Fix PRU-ICSSG Ethernet ports", " - arm64: dts: ti: k3-am62p-j722s: fix pinctrl-single size", " - cpufreq: armada-8k: make both cpu masks static", " - firmware: arm_scmi: Fix up turbo frequencies selection", " - usb: typec: ucsi: yoga-c630: fix error and remove paths", " - mei: vsc: Destroy mutex after freeing the IRQ", " - mei: vsc: Event notifier fixes", " - mei: vsc: Unset the event callback on remove and probe errors", " - spi: stm32: Check for cfg availability in stm32_spi_probe", " - staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()", " - vmci: Prevent the dispatching of uninitialized payloads", " - pps: fix poll support", " - selftests: vDSO: chacha: Correctly skip test if necessary", " - Revert \"vmci: Prevent the dispatching of uninitialized payloads\"", " - powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw()", " - usb: early: xhci-dbc: Fix early_ioremap leak", " - arm: dts: ti: omap: Fixup pinheader typo", " - soc/tegra: cbb: Clear ERR_FORCE register with ERR_STATUS", " - arm64: dts: st: fix timer used for ticks", " - selftests: breakpoints: use suspend_stats to reliably check suspend", " success", " - ARM: dts: imx6ul-kontron-bl-common: Fix RTS polarity for RS485 interface", " - arm64: dts: imx8mm-beacon: Fix HS400 USDHC clock speed", " - arm64: dts: imx8mn-beacon: Fix HS400 USDHC clock speed", " - PM / devfreq: Check governor before using governor->name", " - PM / devfreq: Fix a index typo in trans_stat", " - cpufreq: intel_pstate: Always use HWP_DESIRED_PERF in passive mode", " - cpufreq: Initialize cpufreq-based frequency-invariance later", " - cpufreq: Init policy->rwsem before it may be possibly used", " - staging: greybus: gbphy: fix up const issue with the match callback", " - samples: mei: Fix building on musl libc", " - soc: qcom: pmic_glink: fix OF node leak", " - interconnect: qcom: sc8280xp: specify num_links for qnm_a1noc_cfg", " - interconnect: qcom: sc8180x: specify num_nodes", " - bus: mhi: host: pci_generic: Fix the modem name of Foxconn T99W640", " - staging: nvec: Fix incorrect null termination of battery manufacturer", " - selftests/tracing: Fix false failure of subsystem event test", " - drm/rockchip: cleanup fb when drm_gem_fb_afbc_init failed", " - drm/panfrost: Fix panfrost device variable name in devfreq", " - drm/panthor: Add missing explicit padding in drm_panthor_gpu_info", " - bpf, sockmap: Fix psock incorrectly pointing to sk", " - bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls", " - selftests/bpf: fix signedness bug in redir_partial()", " - selftests/bpf: Fix unintentional switch case fall through", " - net: ipv6: ip6mr: Fix in/out netdev to pass to the FORWARD chain", " - drm/vmwgfx: Fix Host-Backed userspace on Guest-Backed kernel", " - drm/amdgpu: Remove nbiov7.9 replay count reporting", " - bpftool: Fix memory leak in dump_xx_nlmsg on realloc failure", " - caif: reduce stack size, again", " - wifi: rtw89: avoid NULL dereference when RX problematic packet on", " unsupported 6 GHz band", " - wifi: rtl818x: Kill URBs before clearing tx status queue", " - wifi: iwlwifi: Fix memory leak in iwl_mvm_init()", " - iwlwifi: Add missing check for alloc_ordered_workqueue", " - wifi: ath11k: clear initialized flag for deinit-ed srng lists", " - tcp: fix tcp_ofo_queue() to avoid including too much DUP SACK range", " - net/mlx5: Check device memory pointer before usage", " - net: dst: annotate data-races around dst->input", " - net: dst: annotate data-races around dst->output", " - kselftest/arm64: Fix check for setting new VLs in sve-ptrace", " - bpf: Ensure RCU lock is held around bpf_prog_ksym_find", " - drm/msm/dpu: Fill in min_prefill_lines for SC8180X", " - m68k: Don't unregister boot console needlessly", " - refscale: Check that nreaders and loops multiplication doesn't overflow", " - drm/amd/pm/powerplay/hwmgr/smu_helper: fix order of mask and value", " - sched/psi: Optimize psi_group_change() cpu_clock() usage", " - fbcon: Fix outdated registered_fb reference in comment", " - netfilter: nf_tables: Drop dead code from fill_*_info routines", " - netfilter: nf_tables: adjust lockdep assertions handling", " - arch: powerpc: defconfig: Drop obsolete CONFIG_NET_CLS_TCINDEX", " - um: rtc: Avoid shadowing err in uml_rtc_start()", " - iommu/amd: Enable PASID and ATS capabilities in the correct order", " - net/sched: Restrict conditions for adding duplicating netems to qdisc", " tree", " - net_sched: act_ctinfo: use atomic64_t for three counters", " - RDMA/mlx5: Fix UMR modifying of mkey page size", " - xen: fix UAF in dmabuf_exp_from_pages()", " - xen/gntdev: remove struct gntdev_copy_batch from stack", " - tcp: call tcp_measure_rcv_mss() for ooo packets", " - wifi: rtl8xxxu: Fix RX skb size for aggregation disabled", " - wifi: rtw88: Fix macid assigned to TDLS station", " - mwl8k: Add missing check after DMA map", " - wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask()", " - drm/amdgpu/gfx9: fix kiq locking in KCQ reset", " - drm/amdgpu/gfx9.4.3: fix kiq locking in KCQ reset", " - drm/amdgpu/gfx10: fix kiq locking in KCQ reset", " - iommu/amd: Fix geometry.aperture_end for V2 tables", " - rcu: Fix delayed execution of hurry callbacks", " - wifi: mac80211: reject TDLS operations when station is not associated", " - wifi: plfxlc: Fix error handling in usb driver probe", " - wifi: mac80211: Do not schedule stopped TXQs", " - wifi: mac80211: Don't call fq_flow_idx() for management frames", " - wifi: mac80211: Check 802.11 encaps offloading in", " ieee80211_tx_h_select_key()", " - Reapply \"wifi: mac80211: Update skb's control block key in", " ieee80211_tx_dequeue()\"", " - wifi: ath12k: fix endianness handling while accessing wmi service bit", " - wifi: brcmfmac: fix P2P discovery failure in P2P peer due to missing P2P", " IE", " - wifi: mac80211: Write cnt before copying in ieee80211_copy_rnr_beacon()", " - wifi: nl80211: Set num_sub_specs before looping through sub_specs", " - ring-buffer: Remove ring_buffer_read_prepare_sync()", " - kcsan: test: Initialize dummy variable", " - memcg_slabinfo: Fix use of PG_slab", " - Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()'", " - Bluetooth: hci_event: Mask data status from LE ext adv reports", " - bpf: Disable migration in nf_hook_run_bpf().", " - tools/rv: Do not skip idle in trace", " - selftests: drv-net: Fix remote command checking in require_cmd()", " - can: peak_usb: fix USB FD devices potential malfunction", " - can: kvaser_pciefd: Store device channel index", " - can: kvaser_usb: Assign netdev.dev_port based on device channel index", " - netfilter: xt_nfacct: don't assume acct name is null-terminated", " - net/mlx5e: Clear Read-Only port buffer size in PBMC before update", " - net/mlx5e: Remove skb secpath if xfrm state is not found", " - net: dsa: microchip: Fix wrong rx drop MIB counter for KSZ8863", " - stmmac: xsk: fix negative overflow of budget in zerocopy mode", " - selftests: rtnetlink.sh: remove esp4_offload after test", " - vrf: Drop existing dst reference in vrf_ip6_input_dst", " - ipv6: prevent infinite loop in rt6_nlmsg_size()", " - ipv6: fix possible infinite loop in fib6_info_uses_dev()", " - ipv6: annotate data-races around rt->fib6_nsiblings", " - bpf/preload: Don't select USERMODE_DRIVER", " - bpf, arm64: Fix fp initialization for exception boundary", " - staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int()", " - fortify: Fix incorrect reporting of read buffer size", " - PCI: rockchip-host: Fix \"Unexpected Completion\" log message", " - clk: renesas: rzv2h: Fix missing CLK_SET_RATE_PARENT flag for ddiv", " clocks", " - crypto: sun8i-ce - fix nents passed to dma_unmap_sg()", " - crypto: qat - use unmanaged allocation for dc_data", " - crypto: marvell/cesa - Fix engine load inaccuracy", " - crypto: qat - allow enabling VFs in the absence of IOMMU", " - crypto: qat - fix state restore for banks with exceptions", " - mtd: fix possible integer overflow in erase_xfer()", " - clk: davinci: Add NULL check in davinci_lpsc_clk_register()", " - media: v4l2-ctrls: Fix H264 SEPARATE_COLOUR_PLANE check", " - clk: xilinx: vcu: unregister pll_post only if registered correctly", " - power: supply: cpcap-charger: Fix null check for", " power_supply_get_by_name", " - power: supply: max14577: Handle NULL pdata when CONFIG_OF is not set", " - crypto: arm/aes-neonbs - work around gcc-15 warning", " - PCI: endpoint: pci-epf-vntb: Return -ENOENT if", " pci_epc_get_next_free_bar() fails", " - pinctrl: sunxi: Fix memory leak on krealloc failure", " - pinctrl: berlin: fix memory leak in berlin_pinctrl_build_state()", " - dmaengine: mmp: Fix again Wvoid-pointer-to-enum-cast warning", " - phy: qualcomm: phy-qcom-eusb2-repeater: Don't zero-out registers", " - fanotify: sanitize handle_type values when reporting fid", " - clk: clk-axi-clkgen: fix fpfd_max frequency for zynq", " - Fix dma_unmap_sg() nents value", " - perf tools: Fix use-after-free in help_unknown_cmd()", " - perf dso: Add missed dso__put to dso__load_kcore", " - mtd: spi-nor: spansion: Fixup params->set_4byte_addr_mode for SEMPER", " - perf sched: Make sure it frees the usage string", " - perf sched: Free thread->priv using priv_destructor", " - perf sched: Fix memory leaks in 'perf sched map'", " - perf sched: Fix memory leaks for evsel->priv in timehist", " - perf sched: Use RC_CHK_EQUAL() to compare pointers", " - perf sched: Fix memory leaks in 'perf sched latency'", " - RDMA/hns: Fix double destruction of rsv_qp", " - RDMA/hns: Fix HW configurations not cleared in error flow", " - crypto: ccp - Fix locking on alloc failure handling", " - crypto: inside-secure - Fix `dma_unmap_sg()` nents value", " - crypto: ccp - Fix crash when rebind ccp device for ccp.ko", " - RDMA/hns: Get message length of ack_req from FW", " - RDMA/hns: Fix accessing uninitialized resources", " - RDMA/hns: Drop GFP_NOWARN", " - RDMA/hns: Fix -Wframe-larger-than issue", " - kernel: trace: preemptirq_delay_test: use offstack cpu mask", " - proc: use the same treatment to check proc_lseek as ones for", " proc_read_iter et.al", " - pinmux: fix race causing mux_owner NULL with active mux_usecount", " - perf tests bp_account: Fix leaked file descriptor", " - RDMA/mana_ib: Fix DSCP value in modify QP", " - clk: thead: th1520-ap: Correctly refer the parent of osc_12m", " - clk: sunxi-ng: v3s: Fix de clock definition", " - scsi: ibmvscsi_tgt: Fix dma_unmap_sg() nents value", " - scsi: elx: efct: Fix dma_unmap_sg() nents value", " - scsi: mvsas: Fix dma_unmap_sg() nents value", " - scsi: isci: Fix dma_unmap_sg() nents value", " - watchdog: ziirave_wdt: check record length in ziirave_firm_verify()", " - ext4: Make sure BH_New bit is cleared in ->write_end handler", " - clk: at91: sam9x7: update pll clk ranges", " - hwrng: mtk - handle devm_pm_runtime_enable errors", " - crypto: keembay - Fix dma_unmap_sg() nents value", " - crypto: img-hash - Fix dma_unmap_sg() nents value", " - crypto: qat - disable ZUC-256 capability for QAT GEN5", " - soundwire: stream: restore params when prepare ports fail", " - PCI: endpoint: pci-epf-vntb: Fix the incorrect usage of __iomem", " attribute", " - clk: imx95-blk-ctl: Fix synchronous abort", " - remoteproc: xlnx: Disable unsupported features", " - fs/orangefs: Allow 2 more characters in do_c_string()", " - dmaengine: mv_xor: Fix missing check after DMA map and missing unmap", " - dmaengine: nbpfaxi: Add missing check after DMA map", " - ASoC: fsl_xcvr: get channel status data when PHY is not exists", " - sh: Do not use hyphen in exported variable name", " - perf tools: Remove libtraceevent in .gitignore", " - crypto: qat - fix DMA direction for compression on GEN2 devices", " - crypto: qat - fix seq_file position update in adf_ring_next()", " - fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref", " - jfs: fix metapage reference count leak in dbAllocCtl", " - mtd: rawnand: atmel: Fix dma_mapping_error() address", " - mtd: rawnand: rockchip: Add missing check after DMA map", " - mtd: rawnand: atmel: set pmecc data setup time", " - drm/xe/vf: Disable CSC support on VF", " - selftests: ALSA: fix memory leak in utimer test", " - perf record: Cache build-ID of hit DSOs only", " - vdpa/mlx5: Fix needs_teardown flag calculation", " - vhost-scsi: Fix log flooding with target does not exist errors", " - vdpa/mlx5: Fix release of uninitialized resources on error path", " - vdpa: Fix IDR memory leak in VDUSE module exit", " - vhost: Reintroduce kthread API and add mode selection", " - [Config] updateconfigs for VHOST_ENABLE_FORK_OWNER_CONTROL", " - bpf: Check flow_dissector ctx accesses are aligned", " - bpf: Check netfilter ctx accesses are aligned", " - apparmor: ensure WB_HISTORY_SIZE value is a power of 2", " - apparmor: fix loop detection used in conflicting attachment resolution", " - apparmor: Fix unaligned memory accesses in KUnit test", " - module: Restore the moduleparam prefix length check", " - ucount: fix atomic_long_inc_below() argument type", " - rtc: ds1307: fix incorrect maximum clock rate handling", " - rtc: hym8563: fix incorrect maximum clock rate handling", " - rtc: nct3018y: fix incorrect maximum clock rate handling", " - rtc: pcf85063: fix incorrect maximum clock rate handling", " - rtc: pcf8563: fix incorrect maximum clock rate handling", " - rtc: rv3028: fix incorrect maximum clock rate handling", " - f2fs: turn off one_time when forcibly set to foreground GC", " - f2fs: fix bio memleak when committing super block", " - f2fs: fix KMSAN uninit-value in extent_info usage", " - f2fs: fix to check upper boundary for value of gc_boost_zoned_gc_percent", " - f2fs: fix to check upper boundary for gc_valid_thresh_ratio", " - f2fs: fix to check upper boundary for gc_no_zoned_gc_percent", " - f2fs: doc: fix wrong quota mount option description", " - f2fs: fix to avoid UAF in f2fs_sync_inode_meta()", " - f2fs: fix to avoid panic in f2fs_evict_inode", " - f2fs: fix to avoid out-of-boundary access in devs.path", " - f2fs: vm_unmap_ram() may be called from an invalid context", " - f2fs: fix to update upper_p in __get_secs_required() correctly", " - f2fs: fix to calculate dirty data during has_not_enough_free_secs()", " - f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode", " - exfat: fdatasync flag should be same like generic_write_sync()", " - i2c: muxes: mule: Fix an error handling path in mule_i2c_mux_probe()", " - vfio: Fix unbalanced vfio_df_close call in no-iommu mode", " - vfio: Prevent open_count decrement to negative", " - vfio/pds: Fix missing detach_ioas op", " - vfio/pci: Separate SR-IOV VF dev_set", " - scsi: mpt3sas: Fix a fw_event memory leak", " - scsi: Revert \"scsi: iscsi: Fix HW conn removal use after free\"", " - scsi: ufs: core: Use link recovery when h8 exit fails during runtime", " resume", " - scsi: sd: Make sd shutdown issue START STOP UNIT appropriately", " - kconfig: qconf: fix ConfigList::updateListAllforAll()", " - sched/psi: Fix psi_seq initialization", " - PCI: pnv_php: Clean up allocated IRQs on unplug", " - PCI: pnv_php: Work around switches with broken presence detection", " - powerpc/eeh: Export eeh_unfreeze_pe()", " - powerpc/eeh: Make EEH driver device hotplug safe", " - PCI: pnv_php: Fix surprise plug detection and recovery", " - pNFS/flexfiles: don't attempt pnfs on fatal DS errors", " - NFS: Fix wakeup of __nfs_lookup_revalidate() in unblock_revalidate()", " - NFS: Fix filehandle bounds checking in nfs_fh_to_dentry()", " - NFS: Fixup allocation flags for nfsiod's __GFP_NORETRY", " - md/md-cluster: handle REMOVE message earlier", " - netpoll: prevent hanging NAPI when netcons gets enabled", " - phy: mscc: Fix parsing of unicast frames", " - net: ipa: add IPA v5.1 and v5.5 to ipa_version_string()", " - pptp: ensure minimal skb length in pptp_xmit()", " - nvmet: initialize discovery subsys after debugfs is initialized", " - s390/ap: Unmask SLCF bit in card and queue ap functions sysfs", " - netlink: specs: ethtool: fix module EEPROM input/output arguments", " - block: Fix default IO priority if there is no IO context", " - block: ensure discard_granularity is zero when discard is not supported", " - ASoC: tas2781: Fix the wrong step for TLV on tas2781", " - spi: cs42l43: Property entry should be a null-terminated array", " - net/mlx5: Correctly set gso_segs when LRO is used", " - ipv6: reject malicious packets in ipv6_gso_segment()", " - net: mdio: mdio-bcm-unimac: Correct rate fallback logic", " - net: drop UFO packets in udp_rcv_segment()", " - net/sched: taprio: enforce minimum value for picos_per_byte", " - sunrpc: fix client side handling of tls alerts", " - x86/irq: Plug vector setup race", " - benet: fix BUG when creating VFs", " - net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing", " - s390/mm: Allocate page table with PAGE_SIZE granularity", " - eth: fbnic: remove the debugging trick of super high page bias", " - irqchip: Build IMX_MU_MSI only on ARM", " - ALSA: hda/ca0132: Fix missing error handling in ca0132_alt_select_out()", " - smb: server: remove separate empty_recvmsg_queue", " - smb: server: make sure we call ib_dma_unmap_single() only if we called", " ib_dma_map_single already", " - smb: server: let recv_done() consistently call", " put_recvmsg/smb_direct_disconnect_rdma_connection", " - smb: server: let recv_done() avoid touching data_transfer after", " cleanup/move", " - smb: client: remove separate empty_packet_queue", " - smb: client: make sure we call ib_dma_unmap_single() only if we called", " ib_dma_map_single already", " - smb: client: let recv_done() cleanup before notifying the callers.", " - smb: client: let recv_done() avoid touching data_transfer after", " cleanup/move", " - nvmet: exit debugfs after discovery subsystem exits", " - pptp: fix pptp_xmit() error path", " - smb: client: return an error if rdma_connect does not return within 5", " seconds", " - sunrpc: fix handling of server side tls alerts", " - perf/core: Don't leak AUX buffer refcount on allocation failure", " - selftests/perf_events: Add a mmap() correctness test", " - ksmbd: fix null pointer dereference error in generate_encryptionkey", " - ksmbd: fix Preauh_HashValue race condition", " - ksmbd: fix corrupted mtime and ctime in smb2_open", " - ksmbd: limit repeated connections from clients with the same IP", " - smb: server: Fix extension string in ksmbd_extract_shortname()", " - USB: serial: option: add Foxconn T99W709", " - Bluetooth: btusb: Add USB ID 3625:010b for TP-LINK Archer TX10UB Nano", " - net: usbnet: Avoid potential RCU stall on LINK_CHANGE event", " - net: usbnet: Fix the wrong netif_carrier_on() call", " - ALSA: intel_hdmi: Fix off-by-one error in __hdmi_lpe_audio_probe()", " - ALSA: scarlett2: Add retry on -EPROTO from scarlett2_usb_tx()", " - ALSA: hda/realtek - Fix mute LED for HP Victus 16-r1xxx", " - ALSA: hda/realtek - Fix mute LED for HP Victus 16-s0xxx", " - ALSA: hda/realtek - Fix mute LED for HP Victus 16-d1xxx (MB 8A26)", " - platform/x86/intel/pmt: fix a crashlog NULL pointer access", " - x86/fpu: Delay instruction pointer fixup until after warning", " - s390/mm: Remove possible false-positive warning in pte_free_defer()", " - MIPS: mm: tlb-r4k: Uniquify TLB entries on init", " - mm/hmm: move pmd_to_hmm_pfn_flags() to the respective #ifdeffery", " - mm: swap: correctly use maxpages in swapon syscall to avoid potential", " deadloop", " - mm: swap: fix potential buffer overflow in setup_clusters()", " - perf/arm-ni: Set initial IRQ affinity", " - media: ti: j721e-csi2rx: fix list_del corruption", " - HID: apple: validate feature-report field count to prevent NULL pointer", " dereference", " - USB: gadget: f_hid: Fix memory leak in hidg_bind error path", " - usb: gadget : fix use-after-free in composite_dev_cleanup()", " - drm/radeon: Do not hold console lock while suspending clients", " - ALSA: hda/realtek: Support mute LED for Yoga with ALC287", " - block: mtip32xx: Fix usage of dma_map_sg()", " - md: allow removing faulty rdev during resync", " - block: sanitize chunk_sectors for atomic write limits", " - btrfs: remove unnecessary btrfs_key local variable in", " btrfs_search_forward()", " - btrfs: avoid redundant path slot assignment in btrfs_search_forward()", " - btrfs: remove partial support for lowest level from", " btrfs_search_forward()", " - arm64: dts: qcom: qcs615: fix a crash issue caused by infinite loop for", " Coresight", " - arm64: dts: qcom: qcs615: disable the CTI device of the camera block", " - ARM: dts: microchip: sama7d65: Add clock name property", " - ARM: dts: microchip: sam9x7: Add clock name property", " - mei: vsc: Don't re-init VSC from mei_vsc_hw_reset() on stop", " - drivers: misc: sram: fix up some const issues with recent attribute", " changes", " - power: sequencing: qcom-wcn: fix bluetooth-wifi copypasta for WCN6855", " - rust: miscdevice: clarify invariant for `MiscDeviceRegistration`", " - arm64: dts: imx8mp-venice-gw74xx: update name of M2SKT_WDIS2# gpio", " - staging: gpib: Fix error code in board_type_ioctl()", " - staging: gpib: Fix error handling paths in cb_gpib_probe()", " - drm/xe: Correct the rev value for the DVSEC entries", " - drm/xe: Correct BMG VSEC header sizing", " - drm/connector: hdmi: Evaluate limited range after computing format", " - wifi: rtw89: fix EHT 20MHz TX rate for non-AP STA", " - netconsole: Only register console drivers when targets are configured", " - slub: Fix a documentation build error for krealloc()", " - wifi: ath12k: Avoid accessing uninitialized arvif->ar during beacon miss", " - wifi: ath12k: Pass ab pointer directly to ath12k_dp_tx_get_encap_type()", " - wifi: ath12k: Clear auth flag only for actual association in security", " mode", " - wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start()", " - sched/deadline: Reset extra_bw to max_bw when clearing root domains", " - iommu/vt-d: Do not wipe out the page table NID when devices detach", " - iommu/arm-smmu: disable PRR on SM8250", " - wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac()", " - PM: cpufreq: powernv/tracing: Move powernv_throttle trace event", " - wifi: mac80211: fix WARN_ON for monitor mode on some devices", " - arm64/gcs: task_gcs_el0_enable() should use passed task", " - neighbour: Fix null-ptr-deref in neigh_flush_dev().", " - igb: xsk: solve negative overflow of nb_pkts in zerocopy mode", " - RISC-V: KVM: Fix inclusion of Smnpm in the guest ISA bitmap", " - remoteproc: qcom: pas: Conclude the rename from adsp", " - padata: Fix pd UAF once and for all", " - perf parse-events: Set default GH modifier properly", " - power: supply: qcom_pmi8998_charger: fix wakeirq", " - power: supply: max1720x correct capacity computation", " - pinctrl: canaan: k230: add NULL check in DT parse", " - pinctrl: canaan: k230: Fix order of DT parse and pinctrl register", " - PCI: Adjust the position of reading the Link Control 2 register", " - soundwire: Correct some property names", " - perf sched: Fix thread leaks in 'perf sched timehist'", " - tracing: Use queue_rcu_work() to free filters", " - perf hwmon_pmu: Avoid shortening hwmon PMU name", " - tools subcmd: Tighten the filename size in check_if_command_finished", " - ASoC: fsl_xcvr: get channel status data with firmware exists", " - clk: clocking-wizard: Fix the round rate handling for versal", " - smb: client: allow parsing zero-length AV pairs", " - ALSA: usb: scarlett2: Fix missing NULL check", " - scripts: gdb: move MNT_* constants to gdb-parsed", " - f2fs: fix to avoid invalid wait context issue", " - vfio/pci: Do vf_token checks for VFIO_DEVICE_BIND_IOMMUFD", " - padata: Remove comment for reorder_work", " - drm/xe/pf: Disable PF restart worker on device removal", " - eth: fbnic: unlink NAPIs from queues on error to open", " - NFS/localio: nfs_close_local_fh() fix check for file closed", " - NFS/localio: nfs_uuid_put() fix races with nfs_open/close_local_fh()", " - NFS/localio: nfs_uuid_put() fix the wake up after unlinking the file", " - s390/boot: Fix startup debugging log", " - tools/power turbostat: Fix bogus SysWatt for forked program", " - nfsd: don't set the ctime on delegated atime updates", " - nfsd: avoid ref leak in nfsd_open_local_fh()", " - perf/core: Exit early on perf_mmap() fail", " - perf/core: Prevent VMA split of buffer mappings", " - smb: client: fix netns refcount leak after net_passive changes", " - smb: client: set symlink type as native for POSIX mounts", " - smb: client: default to nonativesocket under POSIX mounts", " - x86/sev: Evict cache lines during SNP memory validation", " - KVM: VMX: Allow guest to set DEBUGCTL.RTM_DEBUG if RTM is supported", " - mm: shmem: fix the shmem large folio allocation for the i915 driver", " - usb: gadget: uvc: Initialize frame-based format color matching", " descriptor", " - HID: core: Harden s32ton() against conversion to 0 bits", " - vhost: Fix ioctl # for VHOST_[GS]ET_FORK_FROM_OWNER", " - ksmbd: extend the connection limiting mechanism to support IPv6", " - Upstream stable to v6.12.42, v6.15.10", "", " * Plucky update: upstream stable patchset 2025-09-30 (LP: #2126463) //", " CVE-2025-38660", " - parse_longname(): strrchr() expects NUL-terminated string", "", " * Plucky update: upstream stable patchset 2025-09-26 (LP: #2125820)", " - x86/traps: Initialize DR7 by writing its architectural reset value", " - Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT", " - virtio_net: Enforce minimum TX ring size for reliability", " - virtio_ring: Fix error reporting in virtqueue_resize", " - regulator: core: fix NULL dereference on unbind due to stale coupling", " data", " - platform/x86: asus-nb-wmi: add DMI quirk for ASUS Zenbook Duo UX8406CA", " - RDMA/core: Rate limit GID cache warning messages", " - interconnect: qcom: sc7280: Add missing num_links to xm_pcie3_1 node", " - iio: adc: ad7949: use spi_is_bpw_supported()", " - regmap: fix potential memory leak of regmap_bus", " - platform/mellanox: mlxbf-pmc: Remove newline char from event name input", " - platform/mellanox: mlxbf-pmc: Validate event/enable input", " - platform/mellanox: mlxbf-pmc: Use kstrtobool() to check 0/1 input", " - tools/hv: fcopy: Fix incorrect file path conversion", " - x86/hyperv: Fix usage of cpu_online_mask to get valid cpu", " - platform/x86: Fix initialization order for firmware_attributes_class", " - staging: vchiq_arm: Make vchiq_shutdown never fail", " - xfrm: state: initialize state_ptrs earlier in xfrm_state_find", " - xfrm: state: use a consistent pcpu_id in xfrm_state_find", " - xfrm: Set transport header to fix UDP GRO handling", " - ASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv", " - net: ti: icssg-prueth: Fix buffer allocation for ICSSG", " - net/mlx5: Fix memory leak in cmd_exec()", " - net/mlx5: E-Switch, Fix peer miss rules to use peer eswitch", " - i40e: report VF tx_dropped with tx_errors instead of tx_discards", " - i40e: When removing VF MAC filters, only check PF-set MAC", " - net: appletalk: Fix use-after-free in AARP proxy probe", " - can: netlink: can_changelink(): fix NULL pointer deref of struct", " can_priv::do_set_mode", " - ALSA: hda/realtek: Fix mute LED mask on HP OMEN 16 laptop", " - selftests: drv-net: wait for iperf client to stop sending", " - s390/ism: fix concurrency management in ism_cmd()", " - net: hns3: fix concurrent setting vlan filter issue", " - net: hns3: disable interrupt when ptp init failed", " - net: hns3: fixed vf get max channels bug", " - net: hns3: default enable tx bounce buffer when smmu enabled", " - platform/x86: ideapad-laptop: Fix FnLock not remembered among boots", " - platform/x86: ideapad-laptop: Fix kbd backlight not remembered among", " boots", " - drm/amdgpu: Reset the clear flag in buddy during resume", " - drm/sched: Remove optimization that causes hang when killing dependent", " jobs", " - mm/ksm: fix -Wsometimes-uninitialized from clang-21 in", " advisor_mode_show()", " - ARM: 9450/1: Fix allowing linker DCE with binutils < 2.36", " - timekeeping: Zero initialize system_counterval when querying time from", " phc drivers", " - i2c: qup: jump out of the loop in case of timeout", " - i2c: tegra: Fix reset error handling with ACPI", " - i2c: virtio: Avoid hang by using interruptible completion wait", " - bus: fsl-mc: Fix potential double device reference in", " fsl_mc_get_endpoint()", " - sprintf.h requires stdarg.h", " - ALSA: hda/realtek - Add mute LED support for HP Pavilion 15-eg0xxx", " - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fa0xxx", " - arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack()", " - dpaa2-eth: Fix device reference count leak in MAC endpoint handling", " - dpaa2-switch: Fix device reference count leak in MAC endpoint handling", " - e1000e: disregard NVM checksum on tgp when valid checksum bit is not set", " - e1000e: ignore uninitialized checksum word on tgp", " - gve: Fix stuck TX queue for DQ queue format", " - ice: Fix a null pointer dereference in ice_copy_and_init_pkg()", " - kasan: use vmalloc_dump_obj() for vmalloc error reports", " - nilfs2: reject invalid file types when reading inodes", " - resource: fix false warning in __request_region()", " - selftests: mptcp: connect: also cover alt modes", " - selftests: mptcp: connect: also cover checksum", " - mm/vmscan: fix hwpoisoned large folio handling in shrink_folio_list", " - mm/zsmalloc: do not pass __GFP_MOVABLE if CONFIG_COMPACTION=n", " - selftests/bpf: Add tests with stack ptr register in conditional jmp", " - usb: typec: tcpm: allow to use sink in accessory mode", " - usb: typec: tcpm: allow switching to mode accessory to mux properly", " - usb: typec: tcpm: apply vbus before data bringup in tcpm_src_attach", " - spi: cadence-quadspi: fix cleanup of rx_chan on failure paths", " - comedi: comedi_test: Fix possible deletion of uninitialized timers", " - erofs: use Z_EROFS_LCLUSTER_TYPE_MAX to simplify switches", " - erofs: simplify tail inline pcluster handling", " - erofs: clean up header parsing for ztailpacking and fragments", " - erofs: fix large fragment handling", " - ext4: don't explicit update times in ext4_fallocate()", " - ext4: refactor ext4_punch_hole()", " - ext4: refactor ext4_zero_range()", " - ext4: refactor ext4_collapse_range()", " - ext4: refactor ext4_insert_range()", " - ext4: factor out ext4_do_fallocate()", " - ext4: move out inode_lock into ext4_fallocate()", " - ext4: move out common parts into ext4_fallocate()", " - ext4: fix incorrect punch max_end", " - ext4: correct the error handle in ext4_fallocate()", " - ext4: fix out of bounds punch offset", " - ARM: 9448/1: Use an absolute path to unified.h in KBUILD_AFLAGS", " - Drivers: hv: Make the sysfs node size for the ring buffer dynamic", " - ALSA: hda/tegra: Add Tegra264 support", " - ALSA: hda: Add missing NVIDIA HDA codec IDs", " - drm/amd/display: Don't allow OLED to go down to fully off", " - interconnect: icc-clk: destroy nodes in case of memory allocation", " failures", " - xfrm: always initialize offload path", " - drm/i915/dp: Fix 2.7 Gbps DP_LINK_BW value on g4x", " - drm/xe: Make WA BB part of LRC BO", " - Upstream stable to v6.12.41, v6.15.9", "", " * Plucky update: upstream stable patchset 2025-09-15 (LP: #2123805)", " - phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode", " - phy: tegra: xusb: Decouple CYA_TRK_CODE_UPDATE_ON_IDLE from trk_hw_mode", " - phy: tegra: xusb: Disable periodic tracking on Tegra234", " - USB: serial: option: add Telit Cinterion FE910C04 (ECM) composition", " - USB: serial: option: add Foxconn T99W640", " - USB: serial: ftdi_sio: add support for NDI EMGUIDE GEMINI", " - usb: musb: fix gadget state on disconnect", " - usb: dwc2: gadget: Fix enter to hibernation for UTMI+ PHY", " - i2c: stm32: fix the device used for the DMA map", " - i2c: stm32f7: unmap DMA mapped buffer", " - thunderbolt: Fix wake on connect at runtime", " - thunderbolt: Fix bit masking in tb_dp_port_set_hops()", " - Revert \"staging: vchiq_arm: Create keep-alive thread during probe\"", " - nvmem: imx-ocotp: fix MAC address byte length", " - nvmem: layouts: u-boot-env: remove crc32 endianness conversion", " - Input: xpad - set correct controller type for Acer NGR200", " - pch_uart: Fix dma_sync_sg_for_device() nents value", " - spi: Add check for 8-bit transfer with 8 IO mode support", " - dm-bufio: fix sched in atomic context", " - HID: core: ensure the allocated report buffer can contain the reserved", " report ID", " - HID: core: ensure __hid_request reserves the report ID as the first byte", " - HID: core: do not bypass hid_hw_raw_request", " - tracing/probes: Avoid using params uninitialized in parse_btf_arg()", " - tracing: Add down_write(trace_event_sem) when adding trace event", " - tracing/osnoise: Fix crash in timerlat_dump_stack()", " - objtool/rust: add one more `noreturn` Rust function for Rust 1.89.0", " - drm/amdgpu/gfx8: reset compute ring wptr on the GPU on resume", " - drm/amdgpu: Increase reset counter only on success", " - drm/amd/display: Disable CRTC degamma LUT for DCN401", " - drm/amd/display: Free memory allocation", " - ALSA: hda/realtek - Fix mute LED for HP Victus 16-r0xxx", " - ALSA: hda/realtek: Add quirk for ASUS ROG Strix G712LWS", " - io_uring/poll: fix POLLERR handling", " - mptcp: make fallback action and fallback decision atomic", " - mptcp: plug races between subflow fail and subflow creation", " - mptcp: reset fallback status gracefully at disconnect() time", " - phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in", " pep_sock_accept()", " - net/mlx5: Update the list of the PCI supported devices", " - arm64: dts: imx8mp-venice-gw74xx: fix TPM SPI frequency", " - arm64: dts: add big-endian property back into watchdog node", " - arm64: dts: freescale: imx8mm-verdin: Keep LDO5 always on", " - arm64: dts: imx8mp-venice-gw71xx: fix TPM SPI frequency", " - arm64: dts: imx8mp-venice-gw72xx: fix TPM SPI frequency", " - arm64: dts: imx8mp-venice-gw73xx: fix TPM SPI frequency", " - arm64: dts: rockchip: use cs-gpios for spi1 on ringneck", " - af_packet: fix the SO_SNDTIMEO constraint not effective on tpacked_snd()", " - af_packet: fix soft lockup issue caused by tpacket_snd()", " - Bluetooth: btintel: Check if controller is ISO capable on", " btintel_classify_pkt_type", " - cpuidle: psci: Fix cpuhotplug routine with PREEMPT_RT=y", " - dmaengine: nbpfaxi: Fix memory corruption in probe()", " - isofs: Verify inode mode when loading from disk", " - memstick: core: Zero initialize id_reg in h_memstick_read_dev_id()", " - mmc: bcm2835: Fix dma_unmap_sg() nents value", " - mmc: sdhci-pci: Quirk for broken command queuing on Intel GLK-based", " Positivo models", " - mmc: sdhci_am654: Workaround for Errata i2312", " - net: stmmac: intel: populate entire system_counterval_t in get_time_fn()", " callback", " - net: libwx: remove duplicate page_pool_put_full_page()", " - net: libwx: fix the using of Rx buffer DMA", " - net: libwx: properly reset Rx ring descriptor", " - pmdomain: governor: Consider CPU latency tolerance from", " pm_domain_cpu_gov", " - s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again", " - soc: aspeed: lpc-snoop: Cleanup resources in stack-order", " - soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled", " - iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush", " - iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps", " - iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[]", " - iio: adc: max1363: Reorder mode_list[] entries", " - iio: adc: stm32-adc: Fix race in installing chained IRQ handler", " - iio: backend: fix out-of-bound write", " - iio: common: st_sensors: Fix use of uninitialize device structs", " - comedi: pcl812: Fix bit shift out of bounds", " - comedi: aio_iiro_16: Fix bit shift out of bounds", " - comedi: das16m1: Fix bit shift out of bounds", " - comedi: das6402: Fix bit shift out of bounds", " - comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large", " - comedi: Fix some signed shift left operations", " - comedi: Fix use of uninitialized data in insn_rw_emulate_bits()", " - comedi: Fix initialization of data for instructions that write to", " subdevice", " - arm64: dts: rockchip: Add cd-gpios for sdcard detect on Cool Pi CM5", " - arm64: dts: rockchip: Add cd-gpios for sdcard detect on Cool Pi 4B", " - soundwire: amd: fix for handling slave alerts after link is down", " - soundwire: amd: fix for clearing command status register", " - arm64: dts: imx95: Correct the DMA interrupter number of pcie0_ep", " - bpf: Reject %p% format string in bprintf-like helpers", " - selftests/sched_ext: Fix exit selftest hang on UP", " - cachefiles: Fix the incorrect return value in __cachefiles_write()", " - net: emaclite: Fix missing pointer increment in aligned_read()", " - block: fix kobject leak in blk_unregister_queue", " - rpl: Fix use-after-free in rpl_do_srh_inline().", " - smb: client: fix use-after-free in cifs_oplock_break", " - fix a leak in fcntl_dirnotify()", " - nvme: fix inconsistent RCU list manipulation in", " nvme_ns_add_to_ctrl_list()", " - nvme: fix endianness of command word prints in nvme_log_err_passthru()", " - smc: Fix various oops due to inet_sock type confusion.", " - net: phy: Don't register LEDs for genphy", " - nvme: fix misaccounting of nvme-mpath inflight I/O", " - nvmet-tcp: fix callback lock for TLS handshake", " - wifi: cfg80211: remove scan request n_channels counted_by", " - can: tcan4x5x: fix reset gpio usage during probe", " - selftests: net: increase inter-packet timeout in udpgro.sh", " - hwmon: (corsair-cpro) Validate the size of the received input buffer", " - ice: add NULL check in eswitch lag check", " - ice: check correct pointer in fwlog debugfs", " - usb: net: sierra: check for no status endpoint", " - loop: use kiocb helpers to fix lockdep warning", " - riscv: Enable interrupt during exception handling", " - riscv: traps_misaligned: properly sign extend value in misaligned load", " handler", " - Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()", " - Bluetooth: hci_sync: fix connectable extended advertising when using", " static random address", " - Bluetooth: SMP: If an unallowed command is received consider it a", " failure", " - Bluetooth: SMP: Fix using HCI_ERROR_REMOTE_USER_TERM on timeout", " - Bluetooth: hci_core: add missing braces when using macro parameters", " - Bluetooth: btusb: QCA: Fix downloading wrong NVM for WCN6855 GF variant", " without board ID", " - net/mlx5: Correctly set gso_size when LRO is used", " - ipv6: mcast: Delay put pmc->idev in mld_del_delrec()", " - net: fix segmentation after TCP/UDP fraglist GRO", " - netfilter: nf_conntrack: fix crash due to removal of uninitialised entry", " - drm/xe/pf: Prepare to stop SR-IOV support prior GT reset", " - hv_netvsc: Set VF priv_flags to IFF_NO_ADDRCONF before open to prevent", " IPv6 addrconf", " - virtio-net: fix recursived rtnl_lock() during probe()", " - tls: always refresh the queue when reading sock", " - net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during", " runtime", " - net: bridge: Do not offload IGMP/MLD messages", " - net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree", " - rxrpc: Fix recv-recv race of completed call", " - rxrpc: Fix transmission of an abort in response to an abort", " - Revert \"cgroup_freezer: cgroup_freezing: Check if not frozen\"", " - drm/mediatek: Add wait_event_timeout when disabling plane", " - drm/mediatek: only announce AFBC if really supported", " - libbpf: Fix handling of BPF arena relocations", " - efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths", " - sched: Change nr_uninterruptible type to unsigned long", " - usb: hub: Don't try to recover devices lost during warm reset.", " - usb: dwc3: qcom: Don't leave BCR asserted", " - net: libwx: fix multicast packets received count", " - i2c: omap: Add support for setting mux", " - [Config] updateconfigs for MULTIPLEXER", " - i2c: omap: Fix an error handling path in omap_i2c_probe()", " - i2c: omap: Handle omap_i2c_init() errors in omap_i2c_probe()", " - i2c: omap: fix deprecated of_property_read_bool() use", " - sched,freezer: Remove unnecessary warning in __thaw_task", " - drm/xe/mocs: Initialize MOCS index early", " - drm/xe: Move page fault init after topology init", " - smb: client: let smbd_post_send_iter() respect the peers max_send_size", " and transmit all data", " - iommu/vt-d: Restore context entry setup order for aliased devices", " - KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll", " hypercalls", " - usb: gadget: configfs: Fix OOB read on empty string write", " - i2c: omap: Fix an error handling path in omap_i2c_probe()", " - netfs: Fix copy-to-cache so that it performs collection with", " ceph+fscache", " - netfs: Fix race between cache write completion and ALL_QUEUED being set", " - Fix SMB311 posix special file creation to servers which do not advertise", " reparse support", " - arm64: dts: rockchip: list all CPU supplies on ArmSoM Sige5", " - iio: adc: ad7380: fix adi,gain-milli property parsing", " - phy: use per-PHY lockdep keys", " - arm64: dts: imx95-19x19-evk: fix the overshoot issue of NETC", " - ALSA: compress_offload: tighten ioctl command number checks", " - Bluetooth: hci_core: fix typos in macros", " - Bluetooth: hci_dev: replace 'quirks' integer by 'quirk_flags' bitmap", " - drm/xe/pf: Resend PF provisioning after GT reset", " - rxrpc: Fix irq-disabled in local_bh_enable()", " - rxrpc: Fix notification vs call-release vs recvmsg", " - rxrpc: Fix to use conn aborts for conn-wide failures", " - drm/mediatek: Add error handling for old state CRTC in atomic_disable", " - Upstream stable to v6.12.40, v6.15.8", "", " * Plucky update: upstream stable patchset 2025-09-15 (LP: #2123805) //", " CVE-2024-50047 fix.", " - smb: client: fix use-after-free in crypt_message when using async crypto", "", " * Plucky update: upstream stable patchset 2025-09-14 (LP: #2123745)", " - eventpoll: don't decrement ep refcount while still holding the ep mutex", " - drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling", " - drm/amdgpu/discovery: use specific ip_discovery.bin for legacy asics", " - drm/amdgpu/ip_discovery: add missing ip_discovery fw", " - crypto: s390/sha - Fix uninitialized variable in SHA-1 and SHA-2", " - ASoC: fsl_asrc: use internal measured ratio for non-ideal ratio mode", " - ASoC: Intel: SND_SOC_INTEL_SOF_BOARD_HELPERS select", " SND_SOC_ACPI_INTEL_MATCH", " - ASoC: soc-acpi: add get_function_tplg_files ops", " - ASoC: Intel: add sof_sdw_get_tplg_files ops", " - ASoC: Intel: soc-acpi-intel-arl-match: set get_function_tplg_files ops", " - ASoC: Intel: soc-acpi: arl: Correct order of cs42l43 matches", " - irqchip/irq-msi-lib: Select CONFIG_GENERIC_MSI_IRQ", " - sched/core: Fix migrate_swap() vs. hotplug", " - perf: Revert to requiring CAP_SYS_ADMIN for uprobes", " - ASoC: cs35l56: probe() should fail if the device ID is not recognized", " - Bluetooth: hci_sync: Fix not disabling advertising instance", " - Bluetooth: hci_event: Fix not marking Broadcast Sink BIS as connected", " - pinctrl: amd: Clear GPIO debounce for suspend", " - fix proc_sys_compare() handling of in-lookup dentries", " - sched/deadline: Fix dl_server runtime calculation formula", " - bnxt_en: eliminate the compile warning in bnxt_request_irq due to", " CONFIG_RFS_ACCEL", " - arm64: poe: Handle spurious Overlay faults", " - net: phy: qcom: move the WoL function to shared library", " - net: phy: qcom: qca808x: Fix WoL issue by utilizing at8031_set_wol()", " - netlink: Fix wraparounds of sk->sk_rmem_alloc.", " - vsock: fix `vsock_proto` declaration", " - tipc: Fix use-after-free in tipc_conn_close().", " - tcp: Correct signedness in skb remaining space calculation", " - vsock: Fix transport_{g2h,h2g} TOCTOU", " - vsock: Fix transport_* TOCTOU", " - vsock: Fix IOCTL_VM_SOCKETS_GET_LOCAL_CID to check also", " `transport_local`", " - net: stmmac: Fix interrupt handling for level-triggered mode in", " DWC_XGMAC2", " - net: phy: smsc: Fix Auto-MDIX configuration when disabled by strap", " - net: phy: smsc: Force predictable MDI-X state on LAN87xx", " - net: phy: smsc: Fix link failure in forced mode with Auto-MDIX", " - atm: clip: Fix potential null-ptr-deref in to_atmarpd().", " - atm: clip: Fix memory leak of struct clip_vcc.", " - atm: clip: Fix infinite recursive call of clip_push().", " - atm: clip: Fix NULL pointer dereference in vcc_sendmsg()", " - net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for", " skb_shared_info", " - net/sched: Abort __tc_modify_qdisc if parent class does not exist", " - rxrpc: Fix bug due to prealloc collision", " - rxrpc: Fix oops due to non-existence of prealloc backlog struct", " - ipmi:msghandler: Fix potential memory corruption in ipmi_create_user()", " - x86/mce/amd: Add default names for MCA banks and blocks", " - x86/mce/amd: Fix threshold limit reset", " - x86/mce: Don't remove sysfs if thresholding sysfs init fails", " - x86/mce: Ensure user polling settings are honored when restarting timer", " - x86/mce: Make sure CMCI banks are cleared during shutdown on Intel", " - KVM: x86/xen: Allow 'out of range' event channel ports in IRQ routing", " table.", " - KVM: SVM: Add missing member in SNP_LAUNCH_START command structure", " - KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-", " flight", " - KVM: Allow CPU to reschedule while setting per-page memory attributes", " - ALSA: ad1816a: Fix potential NULL pointer deref in", " snd_card_ad1816a_pnp()", " - ASoC: fsl_sai: Force a software reset when starting in consumer mode", " - gre: Fix IPv6 multicast route creation.", " - net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe()", " - md/md-bitmap: fix GPF in bitmap_get_stats()", " - pinctrl: qcom: msm: mark certain pins as invalid for interrupts", " - pwm: Fix invalid state detection", " - pwm: mediatek: Ensure to disable clocks in error path", " - wifi: prevent A-MSDU attacks in mesh networks", " - wifi: mwifiex: discard erroneous disassoc frames on STA interface", " - wifi: mt76: mt7921: prevent decap offload config before STA", " initialization", " - wifi: mt76: mt7925: prevent NULL pointer dereference in", " mt7925_sta_set_decap_offload()", " - wifi: mt76: mt7925: fix the wrong config for tx interrupt", " - wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw", " scan", " - drm/imagination: Fix kernel crash when hard resetting the GPU", " - drm/amdkfd: Don't call mmput from MMU notifier callback", " - drm/gem: Acquire references on GEM handles for framebuffers", " - drm/sched: Increment job count before swapping tail spsc queue", " - drm/ttm: fix error handling in ttm_buffer_object_transfer", " - drm/gem: Fix race in drm_gem_handle_create_tail()", " - drm/xe/bmg: fix compressed VRAM handling", " - Revert \"drm/xe/xe2: Enable Indirect Ring State support for Xe2\"", " - usb: gadget: u_serial: Fix race condition in TTY wakeup", " - Revert \"usb: gadget: u_serial: Add null pointer check in gs_start_io\"", " - drm/framebuffer: Acquire internal references on GEM handles", " - drm/xe: Allocate PF queue size on pow2 boundary", " - maple_tree: fix mt_destroy_walk() on root leaf node", " - mm: fix the inaccurate memory statistics issue for users", " - scripts/gdb: fix interrupts display after MCP on x86", " - scripts/gdb: de-reference per-CPU MCE interrupts", " - scripts/gdb: fix interrupts.py after maple tree conversion", " - mm/vmalloc: leave lazy MMU mode on PTE mapping error", " - lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users()", " - rust: init: allow `dead_code` warnings for Rust >= 1.89.0", " - clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data", " - x86/rdrand: Disable RDSEED on AMD Cyan Skillfish", " - x86/mm: Disable hugetlb page table sharing on 32-bit", " - clk: scmi: Handle case where child clocks are initialized before their", " parents", " - smb: server: make use of rdma_destroy_qp()", " - ksmbd: fix a mount write count leak in ksmbd_vfs_kern_path_locked()", " - erofs: fix to add missing tracepoint in erofs_read_folio()", " - erofs: address D-cache aliasing", " - ASoC: Intel: sof-function-topology-lib: Print out the unsupported dmic", " count", " - netlink: Fix rmem check in netlink_broadcast_deliver().", " - netlink: make sure we allow at least one dump skb", " - wifi: cfg80211: fix S1G beacon head validation in nl80211", " - wifi: zd1211rw: Fix potential NULL pointer dereference in", " zd_mac_tx_to_dev()", " - drm/tegra: nvdec: Fix dma_alloc_coherent error check", " - md/raid1: Fix stack memory use after return in raid1_reshape", " - raid10: cleanup memleak at raid10_make_request", " - wifi: mac80211: correctly identify S1G short beacon", " - wifi: mac80211: fix non-transmitted BSSID profile search", " - wifi: rt2x00: fix remove callback type mismatch", " - drm/nouveau/gsp: fix potential leak of memory used during acpi init", " - nbd: fix uaf in nbd_genl_connect() error path", " - drm/xe/pf: Clear all LMTT pages on alloc", " - erofs: refine readahead tracepoint", " - erofs: fix to add missing tracepoint in erofs_readahead()", " - netfilter: flowtable: account for Ethernet header in", " nf_flow_pppoe_proto()", " - net: appletalk: Fix device refcount leak in atrtr_create()", " - ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof", " - net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits", " - net: phy: microchip: limit 100M workaround to link-down events on", " LAN88xx", " - selftests: net: lib: fix shift count out of range", " - drm/xe/pm: Correct comment of xe_pm_set_vram_threshold()", " - can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to", " debug level", " - net/mlx5e: Fix race between DIM disable and net_dim()", " - net/mlx5e: Add new prio for promiscuous mode", " - net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam()", " - bnxt_en: Fix DCB ETS validation", " - bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT", " - ublk: sanity check add_dev input for underflow", " - atm: idt77252: Add missing `dma_map_error()`", " - um: vector: Reduce stack usage in vector_eth_configure()", " - ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak.", " - ALSA: hda/realtek: Add mic-mute LED setup for ASUS UM5606", " - io_uring: make fallocate be hashed work", " - ASoC: amd: yc: add quirk for Acer Nitro ANV15-41 internal mic", " - ALSA: hda/realtek - Enable mute LED on HP Pavilion Laptop 15-eg100", " - ALSA: hda/realtek: Add quirks for some Clevo laptops", " - net: usb: qmi_wwan: add SIMCom 8230C composition", " - driver: bluetooth: hci_qca:fix unable to load the BT driver", " - HID: lenovo: Add support for ThinkPad X1 Tablet Thin Keyboard Gen2", " - net: mana: Record doorbell physical address in PF mode", " - btrfs: fix assertion when building free space tree", " - vt: add missing notification when switching back to text mode", " - bpf: Adjust free target to avoid global starvation of LRU map", " - riscv: vdso: Exclude .rodata from the PT_DYNAMIC segment", " - HID: Add IGNORE quirk for SMARTLINKTECHNOLOGY", " - HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras", " - HID: nintendo: avoid bluetooth suspend/resume stalls", " - selftests/bpf: adapt one more case in test_lru_map to the new", " target_free", " - net: wangxun: revert the adjustment of the IRQ vector sequence", " - ksmbd: fix potential use-after-free in oplock/lease break ack", " - objtool: Add missing endian conversion to read_annotate()", " - Bluetooth: hci_core: Remove check of BDADDR_ANY in", " hci_conn_hash_lookup_big_state", " - Bluetooth: hci_sync: Fix attempting to send HCI_Disconnect to BIS handle", " - arm64/mm: Drop wrong writes into TCR2_EL1", " - module: Fix memory deallocation on error path in move_module()", " - KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush", " - ALSA: hda/realtek - Add mute LED support for HP Victus 15-fb2xxx", " - arm64: Filter out SME hwcaps when FEAT_SME isn't implemented", " - io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU", " - drm/amdgpu: Include sdma_4_4_4.bin", " - drm/nouveau: Do not fail module init on debugfs errors", " - kasan: remove kasan_find_vm_area() to prevent possible deadlock", " - mm/damon/core: handle damon_call_control as normal under kdmond", " deactivation", " - samples/damon: fix damon sample prcl for start failure", " - samples/damon: fix damon sample wsse for start failure", " - md/raid1,raid10: strip REQ_NOWAIT from member bios", " - wifi: mac80211: reject VHT opmode for unsupported channel widths", " - wifi: mac80211: add the virtual monitor after reconfig complete", " - bnxt_en: Flush FW trace before copying to the coredump", " - ASoC: rt721-sdca: fix boost gain calculation error", " - ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 6 G1a", " - x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation", " - netlink: avoid infinite retry looping in netlink_unicast()", " - Upstream stable to v6.12.38, v6.12.39, v6.15.7", "", " * CVE-2025-38678", " - netfilter: nf_tables: reject duplicate device on updates", "", " * CVE-2025-38616", " - tls: handle data disappearing from under the TLS ULP", "", " * VMSCAPE CVE-2025-40300 (LP: #2124105) // CVE-2025-40300", " - Documentation/hw-vuln: Add VMSCAPE documentation", " - x86/vmscape: Enumerate VMSCAPE bug", " - x86/vmscape: Add conditional IBPB mitigation", " - x86/vmscape: Enable the mitigation", " - x86/bugs: Move cpu_bugs_smt_update() down", " - x86/vmscape: Warn when STIBP is disabled with SMT", " - x86/vmscape: Add old Intel CPUs to affected list", "", " * VMSCAPE CVE-2025-40300 (LP: #2124105)", " - [Config] Enable MITIGATION_VMSCAPE config", "" ], "package": "linux", "version": "6.14.0-36.36", "urgency": "medium", "distributions": "plucky", "launchpad_bugs_fixed": [ 2127650, 1786013, 2122379, 2121866, 2119738, 2121337, 2114963, 2119713, 2119479, 2126659, 2123901, 2125444, 2125471, 2103680, 2125053, 2122435, 2122397, 2126463, 2126463, 2125820, 2123805, 2123805, 2123745, 2124105, 2124105 ], "author": "Edoardo Canepa ", "date": "Sat, 11 Oct 2025 02:21:57 +0200" } ], "notes": "linux-modules-6.14.0-37-generic version '6.14.0-37.37' (source package linux version '6.14.0-37.37') was added. linux-modules-6.14.0-37-generic version '6.14.0-37.37' has the same source package name, linux, as removed package linux-modules-6.14.0-35-generic. As such we can use the source package version of the removed package, '6.14.0-35.35', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.", "is_version_downgrade": false } ], "snap": [] }, "removed": { "deb": [ { "name": "linux-image-6.14.0-35-generic", "from_version": { "source_package_name": "linux-signed", "source_package_version": "6.14.0-35.35", "version": "6.14.0-35.35" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false }, { "name": "linux-modules-6.14.0-35-generic", "from_version": { "source_package_name": "linux", "source_package_version": "6.14.0-35.35", "version": "6.14.0-35.35" }, "to_version": { "source_package_name": null, "source_package_version": null, "version": null }, "cves": [], "launchpad_bugs_fixed": [], "changes": [], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "notes": "Changelog diff for Ubuntu 25.04 plucky image from release image serial 20251113 to 20260108", "from_series": "plucky", "to_series": "plucky", "from_serial": "20251113", "to_serial": "20260108", "from_manifest_filename": "release_manifest.previous", "to_manifest_filename": "manifest.current" }