Package "libnss-systemd"

  systemd (255.4-1ubuntu8.14) noble-security; urgency=medium

  * SECURITY UPDATE: Local unprivileged user can trigger an assert in systemd
    - d/p/CVE-2026-29111-1.patch: path-util: add flavour of path_startswith() that leaves
      a leading slash in place
    - d/p/CVE-2026-29111-2.patch: path-util: invert PATH_STARTSWITH_ACCEPT_DOT_DOT flag
    - d/p/CVE-2026-29111-3.patch: core/cgroup: avoid one unnecessary strjoina()
    - d/p/CVE-2026-29111-4.patch: core: validate input cgroup path more prudently
  * SECURITY UPDATE: Local root execution via malicious hardware devices
    - d/p/udev-check-for-invalid-chars-in-various-fields-received-f.patch
    - d/p/udev-fix-review-mixup.patch
    - No CVE number

 -- Nick Rosbrook <email address hidden> Fri, 13 Mar 2026 12:48:42 -0400

  systemd (255.4-1ubuntu8.12) noble; urgency=medium

  * basic: validate timezones in get_timezones() (LP: #2125405)
  * ukify: fix insertion of padding in merged sections (LP: #2132666)
  * core: downgrade a log message from warning to debug (LP: #2130554)
  * test: skip testcase_multipath_basic_failover.
    This test has been failing on Ubuntu infrastructure for a long time.
    Leaving this alone at the moment allows other failures to potentially go
    unnoticed, because the migration reference baseline has been reset to
    fail. Skip the test to try and reset the baseline to pass.
  * d/gbp.conf: stop using wrap_cl.py

 -- Nick Rosbrook <email address hidden> Tue, 25 Nov 2025 13:16:31 -0500

  systemd (255.4-1ubuntu8.11) noble; urgency=medium

  [ Nick Rosbrook ]
  * initramfs-tools: copy hwdb.bin to initramfs (LP: #2112237)
  * d/t/tests-in-lxd: drop patching workaround (LP: #2115263)
    - d/t/control: add Depends: dnsmasq-base
      (Revealed by test progressing past previous failure)
  * initramfs-tools: filter out zdev rules in the initramfs hook (LP: #2044104)
    Backport the logic from plucky onward, but adjust the version string for
    noble.
  * test: fall back to SYSLOG_IDENTIFIER= matching in TEST-75-RESOLVED
    Partially backport the test fix from 49a954b08654dd06bab71224a2398a65c2555549,
    only targeting TEST-75-RESOLVED.

  [ Matthew Ruffell ]
  * pcrlock: handle measurement logs where hash algs in header.
    Fix pcrlock log to function correctly reading the TPM eventlog on hyper-v VMs
    (LP: #2115391)

  [ Chengen Du ]
  * network/dhcp6: consider the DHCPv6 protocol as finished when conflict addresses exist
    (LP: #2115418)

  [ Mario Limonciello ]
  * Drop support for using actual brightness (LP: #2110585)

 -- Nick Rosbrook <email address hidden> Fri, 11 Jul 2025 14:52:59 -0400

  systemd (255.4-1ubuntu8.10) noble; urgency=medium

  * Fix regression in networkctl caused by previous upload:
    A regression was introduced due to an incorrect manager reference being passed to
    manager_get_route_table_to_string() within route_append_json(), resulting in an
    error when executing the `networkctl --json=pretty` command.
    > networkctl --json=pretty
    Failed to get description: Message recipient disconnected from message bus without replying

  systemd (255.4-1ubuntu8.8) noble-security; urgency=medium

  * SECURITY UPDATE: race condition in systemd-coredump
    - debian/patches/CVE_2025_4598_1.patch: coredump: get rid of
      _META_MANDATORY_MAX.
    - debian/patches/CVE_2025_4598_2.patch: coredump: use %d in kernel core
      pattern.
    - debian/patches/CVE_2025_4598_3.patch: coredump: also stop forwarding
      non-dumpable processes.
    - debian/patches/CVE_2025_4598_4.patch: coredump: get rid of a bogus
      assertion.
    - CVE-2025-4598
  * this update does not include the changes from 255.4-1ubuntu8.7 as included in noble-proposed

 -- Octavio Galland <email address hidden> Wed, 04 Jun 2025 09:24:15 -0300