UbuntuUpdates.org

Latest Changelogs for all releases


Note: Only updates for "head" packages where the changelog is available are shown on this page.

libmodule-scandeps-perl Nov 19th 20:06
Release: jammy Repo: main Level: updates New version: 1.31-1ubuntu0.1

  libmodule-scandeps-perl (1.31-1ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: parsing untrusted code
    - d/p/CVE-2024-10224/0001-use-three-argument-open.patch: use a
      three-argument open() alternative
    - d/p/CVE-2024-10224/0002-replace-eval-.-constructs.patch: replace eval
      with parsing the code instead
    - d/p/CVE-2024-10224/0003-fix-parsing-of-use-if.patch: fix parsing of use
      if statements
    - CVE-2024-10224

 -- Sudhakar Verma <email address hidden> Mon, 18 Nov 2024 23:01:20 +0530

CVE-2024-10224 Qualys discovered that if unsanitized input was used with the library ...

waitress Nov 19th 19:07
Release: oracular Repo: universe Level: updates New version: 3.0.0-1ubuntu0.1
Packages in group:  python3-waitress python-waitress-doc

  waitress (3.0.0-1ubuntu0.1) oracular-security; urgency=medium

  * SECURITY UPDATE: Race condition when lookahead is enabled.
    - debian/patches/CVE-2024-49768-*.patch: Stop processing data if the
      connection is about to close in received() in
      src/waitress/channel.py.
    - CVE-2024-49768
  * SECURITY UPDATE: Denial of service through socket busy loop.
    - debian/patches/CVE-2024-49769-*.patch: Assign self.connected to True in
      src/waitress/channel.py. Remove code from vendored library in
      src/waitress/wasyncore.py.
    - CVE-2024-49769

 -- Hlib Korzhynskyy <email address hidden> Mon, 04 Nov 2024 14:12:15 -0330

CVE-2024-49768 Waitress is a Web Server Gateway Interface server for Python 2 and 3. A remote client may send a request that is exactly recv_bytes (defaults to 8192
CVE-2024-49769 Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportun

needrestart Nov 19th 19:07
Release: oracular Repo: main Level: security New version: 3.6-8ubuntu4.2

  needrestart (3.6-8ubuntu4.2) oracular-security; urgency=medium

  * SECURITY UPDATE: incorrect usage of PYTHONPATH environment variable
    - debian/patches/CVE-2024-48990.patch: chdir to a clean directory
      to avoid loading arbitrary objects, sanitize PYTHONPATH before
      spawning a new python interpreter
    - CVE-2024-48990
  * SECURITY UPDATE: race condition for checking path to python
    - debian/patches/CVE-2024-48991.patch: sync path for both check
      and usage for python interpreter
    - CVE-2024-48991
  * SECURITY UPDATE: incorrect usage of RUBYLIB environment variable
    - debian/patches/CVE-2024-48992.patch: chdir to a clean directory
      to avoid loading arbitrary objects, sanitize RUBYLIB before
      spawning a new ruby interpreter
    - CVE-2024-48992
  * SECURITY UPDATE: incorrect usage of Perl ScanDeps
    - debian/patches/CVE-2024-11003.patch: remove usage of ScanDeps
      to avoid parsing arbitrary code
    - CVE-2024-11003

 -- Sudhakar Verma <email address hidden> Wed, 13 Nov 2024 17:03:15 +0530


libmodule-scandeps-perl Nov 19th 19:07
Release: oracular Repo: main Level: security New version: 1.35-1ubuntu0.24.10.1

  libmodule-scandeps-perl (1.35-1ubuntu0.24.10.1) oracular-security; urgency=medium

  * SECURITY UPDATE: parsing untrusted code
    - d/p/CVE-2024-10224/0001-use-three-argument-open.patch: use a
      three-argument open() alternative
    - d/p/CVE-2024-10224/0002-replace-eval-.-constructs.patch: replace eval
      with parsing the code instead
    - CVE-2024-10224

 -- Sudhakar Verma <email address hidden> Mon, 18 Nov 2024 22:49:10 +0530


needrestart Nov 19th 19:07
Release: noble Repo: main Level: security New version: 3.6-7ubuntu4.3

  needrestart (3.6-7ubuntu4.3) noble-security; urgency=medium

  * SECURITY UPDATE: incorrect usage of PYTHONPATH environment variable
    - debian/patches/CVE-2024-48990.patch: chdir to a clean directory
      to avoid loading arbitrary objects, sanitize PYTHONPATH before
      spawning a new python interpreter
    - CVE-2024-48990
  * SECURITY UPDATE: race condition for checking path to python
    - debian/patches/CVE-2024-48991.patch: sync path for both check
      and usage for python interpreter
    - CVE-2024-48991
  * SECURITY UPDATE: incorrect usage of RUBYLIB environment variable
    - debian/patches/CVE-2024-48992.patch: chdir to a clean directory
      to avoid loading arbitrary objects, sanitize RUBYLIB before
      spawning a new ruby interpreter
    - CVE-2024-48992
  * SECURITY UPDATE: incorrect usage of Perl ScanDeps
    - debian/patches/CVE-2024-11003.patch: remove usage of ScanDeps
      to avoid parsing arbitrary code
    - CVE-2024-11003

 -- Sudhakar Verma <email address hidden> Thu, 14 Nov 2024 14:59:09 +0530


libmodule-scandeps-perl Nov 19th 19:07
Release: noble Repo: main Level: security New version: 1.35-1ubuntu0.24.04.1

  libmodule-scandeps-perl (1.35-1ubuntu0.24.04.1) noble-security; urgency=medium

  * SECURITY UPDATE: parsing untrusted code
    - d/p/CVE-2024-10224/0001-use-three-argument-open.patch: use a
      three-argument open() alternative
    - d/p/CVE-2024-10224/0002-replace-eval-.-constructs.patch: replace eval
      with parsing the code instead
    - CVE-2024-10224

 -- Sudhakar Verma <email address hidden> Mon, 18 Nov 2024 22:11:43 +0530


waitress Nov 19th 19:07
Release: jammy Repo: main Level: updates New version: 1.4.4-1.1ubuntu1.1
Packages in group:  python3-waitress python-waitress-doc

  waitress (1.4.4-1.1ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Denial of service through socket busy loop.
    - debian/patches/CVE-2024-49769-*.patch: Assign self.connected to True in
      src/waitress/channel.py. Remove code from vendored library in
      src/waitress/wasyncore.py.
    - CVE-2024-49769

 -- Hlib Korzhynskyy <email address hidden> Mon, 04 Nov 2024 16:47:17 -0330

CVE-2024-49769 Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportun

libmodule-scandeps-perl Nov 19th 19:07
Release: jammy Repo: main Level: security New version: 1.31-1ubuntu0.1

  libmodule-scandeps-perl (1.31-1ubuntu0.1) jammy-security; urgency=medium

  * SECURITY UPDATE: parsing untrusted code
    - d/p/CVE-2024-10224/0001-use-three-argument-open.patch: use a
      three-argument open() alternative
    - d/p/CVE-2024-10224/0002-replace-eval-.-constructs.patch: replace eval
      with parsing the code instead
    - d/p/CVE-2024-10224/0003-fix-parsing-of-use-if.patch: fix parsing of use
      if statements
    - CVE-2024-10224

 -- Sudhakar Verma <email address hidden> Mon, 18 Nov 2024 23:01:20 +0530


needrestart Nov 19th 19:07
Release: jammy Repo: main Level: security New version: 3.5-5ubuntu2.2

  needrestart (3.5-5ubuntu2.2) jammy-security; urgency=medium

  * SECURITY UPDATE: incorrect usage of PYTHONPATH environment variable
    - debian/patches/CVE-2024-48990.patch: chdir to a clean directory
      to avoid loading arbitrary objects, sanitize PYTHONPATH before
      spawning a new python interpreter
    - CVE-2024-48990
  * SECURITY UPDATE: race condition for checking path to python
    - debian/patches/CVE-2024-48991.patch: sync path for both check
      and usage for python interpreter
    - CVE-2024-48991
  * SECURITY UPDATE: incorrect usage of RUBYLIB environment variable
    - debian/patches/CVE-2024-48992.patch: chdir to a clean directory
      to avoid loading arbitrary objects, sanitize RUBYLIB before
      spawning a new ruby interpreter
    - CVE-2024-48992
  * SECURITY UPDATE: incorrect usage of Perl ScanDeps
    - debian/patches/CVE-2024-11003.patch: remove usage of ScanDeps
      to avoid parsing arbitrary code
    - CVE-2024-11003

 -- Sudhakar Verma <email address hidden> Mon, 18 Nov 2024 13:51:23 +0530


waitress Nov 19th 19:07
Release: focal Repo: main Level: updates New version: 1.4.1-1ubuntu0.2
Packages in group:  python3-waitress python-waitress-doc

  waitress (1.4.1-1ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: Denial of service through socket busy loop.
    - debian/patches/CVE-2024-49769-*.patch: Assign self.connected to True in
      src/waitress/channel.py. Remove code from vendored library in
      src/waitress/wasyncore.py.
    - CVE-2024-49769

 -- Hlib Korzhynskyy <email address hidden> Mon, 04 Nov 2024 17:12:10 -0330

CVE-2024-49769 Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before waitress has had the opportun

0ad Nov 19th 18:06
Release: oracular Repo: universe Level: proposed New version: 0.0.26-6ubuntu0.24.10.1

  0ad (0.0.26-6ubuntu0.24.10.1) oracular; urgency=medium

  * Fix FTBFS with Python 3.12 (LP: #2071550)
  * Fix FTBFS with libxml2 2.12
    - d/p/upstream-ftbfs-libxml2-2.12.1.patch: cherry pick upstream commit

2071550 0ad FTBFS with Python 3.12

python3.12 Nov 19th 18:06
Release: oracular Repo: universe Level: updates New version: 3.12.7-1ubuntu1
Packages in group:  idle-python3.12 libpython3.12-testsuite python3.12-full python3.12-nopie python3.12-venv

  python3.12 (3.12.7-1ubuntu1) oracular-security; urgency=medium

  * SECURITY UPDATE: incorrect quoting in venv module
    - debian/patches/CVE-2024-9287.patch: quote template strings in venv
      activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,
      Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,
      Lib/venv/scripts/posix/activate.csh,
      Lib/venv/scripts/posix/activate.fish.
    - CVE-2024-9287

 -- Marc Deslauriers <email address hidden> Wed, 06 Nov 2024 13:29:01 -0500

CVE-2024-9287 A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted pro

python3.12 Nov 19th 18:06
Release: oracular Repo: main Level: updates New version: 3.12.7-1ubuntu1
Packages in group:  libpython3.12-dev libpython3.12-minimal libpython3.12-stdlib libpython3.12t64 libpython3.12t64-dbg python3.12-dbg python3.12-dev python3.12-doc python3.12-examples python3.12-gdbm python3.12-minimal (... see all)

  python3.12 (3.12.7-1ubuntu1) oracular-security; urgency=medium

  * SECURITY UPDATE: incorrect quoting in venv module
    - debian/patches/CVE-2024-9287.patch: quote template strings in venv
      activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,
      Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,
      Lib/venv/scripts/posix/activate.csh,
      Lib/venv/scripts/posix/activate.fish.
    - CVE-2024-9287

 -- Marc Deslauriers <email address hidden> Wed, 06 Nov 2024 13:29:01 -0500

CVE-2024-9287 A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted pro

python3.12 Nov 19th 18:06
Release: noble Repo: universe Level: updates New version: 3.12.3-1ubuntu0.3
Packages in group:  idle-python3.12 libpython3.12-testsuite python3.12-full python3.12-nopie python3.12-venv

  python3.12 (3.12.3-1ubuntu0.3) noble-security; urgency=medium

  * SECURITY UPDATE: incorrect quoting in venv module
    - debian/patches/CVE-2024-9287.patch: quote template strings in venv
      activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,
      Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,
      Lib/venv/scripts/posix/activate.csh,
      Lib/venv/scripts/posix/activate.fish.
    - CVE-2024-9287

 -- Marc Deslauriers <email address hidden> Wed, 06 Nov 2024 13:32:19 -0500

CVE-2024-9287 A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted pro

python3.12 Nov 19th 18:06
Release: noble Repo: main Level: updates New version: 3.12.3-1ubuntu0.3
Packages in group:  libpython3.12-dev libpython3.12-minimal libpython3.12-stdlib libpython3.12t64 libpython3.12t64-dbg python3.12-dbg python3.12-dev python3.12-doc python3.12-examples python3.12-minimal

  python3.12 (3.12.3-1ubuntu0.3) noble-security; urgency=medium

  * SECURITY UPDATE: incorrect quoting in venv module
    - debian/patches/CVE-2024-9287.patch: quote template strings in venv
      activation scripts in Lib/test/test_venv.py, Lib/venv/__init__.py,
      Lib/venv/scripts/common/activate, Lib/venv/scripts/nt/activate.bat,
      Lib/venv/scripts/posix/activate.csh,
      Lib/venv/scripts/posix/activate.fish.
    - CVE-2024-9287

 -- Marc Deslauriers <email address hidden> Wed, 06 Nov 2024 13:32:19 -0500

CVE-2024-9287 A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted pro


