{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [
                "linux-image-6.14.0-37-generic",
                "linux-modules-6.14.0-37-generic"
            ],
            "removed": [
                "linux-image-6.14.0-36-generic",
                "linux-modules-6.14.0-36-generic"
            ],
            "diff": [
                "linux-image-virtual",
                "python-apt-common",
                "python3-apt"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "linux-image-virtual",
                "from_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.14.0-36.36",
                    "version": "6.14.0-36.36"
                },
                "to_version": {
                    "source_package_name": "linux-meta",
                    "source_package_version": "6.14.0-37.37",
                    "version": "6.14.0-37.37"
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-37.37",
                            ""
                        ],
                        "package": "linux-meta",
                        "version": "6.14.0-37.37",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 14 Nov 2025 18:22:24 +0100"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python-apt-common",
                "from_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "3.0.0",
                    "version": "3.0.0"
                },
                "to_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "3.0.0ubuntu0.25.04.1",
                    "version": "3.0.0ubuntu0.25.04.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6966",
                        "url": "https://ubuntu.com/security/CVE-2025-6966",
                        "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 13:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2091865
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6966",
                                "url": "https://ubuntu.com/security/CVE-2025-6966",
                                "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 13:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: NULL pointer dereference (LP: #2091865)",
                            "    - python/tag.cc: check for NULL pointer before dereferencing",
                            "    - CVE-2025-6966",
                            ""
                        ],
                        "package": "python-apt",
                        "version": "3.0.0ubuntu0.25.04.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [
                            2091865
                        ],
                        "author": "Sudhakar Verma <sudhakar.verma@canonical.com>",
                        "date": "Fri, 05 Dec 2025 22:44:00 +0530"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "python3-apt",
                "from_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "3.0.0",
                    "version": "3.0.0"
                },
                "to_version": {
                    "source_package_name": "python-apt",
                    "source_package_version": "3.0.0ubuntu0.25.04.1",
                    "version": "3.0.0ubuntu0.25.04.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-6966",
                        "url": "https://ubuntu.com/security/CVE-2025-6966",
                        "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-12-05 13:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2091865
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-6966",
                                "url": "https://ubuntu.com/security/CVE-2025-6966",
                                "cve_description": "NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-12-05 13:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: NULL pointer dereference (LP: #2091865)",
                            "    - python/tag.cc: check for NULL pointer before dereferencing",
                            "    - CVE-2025-6966",
                            ""
                        ],
                        "package": "python-apt",
                        "version": "3.0.0ubuntu0.25.04.1",
                        "urgency": "medium",
                        "distributions": "plucky-security",
                        "launchpad_bugs_fixed": [
                            2091865
                        ],
                        "author": "Sudhakar Verma <sudhakar.verma@canonical.com>",
                        "date": "Fri, 05 Dec 2025 22:44:00 +0530"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [
            {
                "name": "linux-image-6.14.0-37-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.14.0-36.36",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.14.0-37.37",
                    "version": "6.14.0-37.37"
                },
                "cves": [],
                "launchpad_bugs_fixed": [
                    1786013
                ],
                "changes": [
                    {
                        "cves": [],
                        "log": [
                            "",
                            "  * Main version: 6.14.0-37.37",
                            "",
                            "  * Packaging resync (LP: #1786013)",
                            "    - [Packaging] debian/tracking-bug -- resync from main package",
                            ""
                        ],
                        "package": "linux-signed",
                        "version": "6.14.0-37.37",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            1786013
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 14 Nov 2025 18:22:34 +0100"
                    }
                ],
                "notes": "linux-image-6.14.0-37-generic version '6.14.0-37.37' (source package linux-signed version '6.14.0-37.37') was added. linux-image-6.14.0-37-generic version '6.14.0-37.37' has the same source package name, linux-signed, as removed package linux-image-6.14.0-36-generic. As such we can use the source package version of the removed package, '6.14.0-36.36', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.14.0-37-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.14.0-36.36",
                    "version": null
                },
                "to_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.14.0-37.37",
                    "version": "6.14.0-37.37"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-39993",
                        "url": "https://ubuntu.com/security/CVE-2025-39993",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: fix races with imon_disconnect()  Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465  CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace:  <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd  The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device.  Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage.  As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer.  Thread 1 vfd_write                      Thread 2 imon_disconnect                                         ...                                         
if                                           usb_put_dev(ictx->usbdev_intf0)                                         else                                           usb_put_dev(ictx->usbdev_intf1) ... while   send_packet     if       pipe = usb_sndintpipe(         ictx->usbdev_intf0) UAF     else       pipe = usb_sndctrlpipe(         ictx->usbdev_intf0, 0) UAF  Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present.  Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations.  Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-15 08:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-40018",
                        "url": "https://ubuntu.com/security/CVE-2025-40018",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipvs: Defer ip_vs_ftp unregister during netns cleanup  On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free.  Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-24 12:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-39964",
                        "url": "https://ubuntu.com/security/CVE-2025-39964",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg  Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion.  Furthermore, concurrent writes may create inconsistencies in the internal socket state.  Disallow this by adding a new ctx->write field that indicates exclusive ownership for writing.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-13 14:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2025-39946",
                        "url": "https://ubuntu.com/security/CVE-2025-39946",
                        "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: make sure to abort the stream if headers are bogus  Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out late that the record is actually invalid. Retrying the parsing is fine in itself but since we copy some more data each time before we parse we can overflow the allocated skb space.  Constructing a scenario in which we're under pressure without enough data in the socket to parse the length upfront is quite hard. syzbot figured out a way to do this by serving us the header in small OOB sends, and then filling in the recvbuf with a large normal send.  Make sure that tls_rx_msg_size() aborts strp, if we reach an invalid record there's really no way to recover.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-10-04 08:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [
                    2131513,
                    2115860,
                    2131046,
                    2130552,
                    2121997,
                    2127676
                ],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-39993",
                                "url": "https://ubuntu.com/security/CVE-2025-39993",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  media: rc: fix races with imon_disconnect()  Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465  CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Call Trace:  <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 __create_pipe include/linux/usb.h:1945 [inline] send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991 vfs_write+0x2d7/0xdd0 fs/read_write.c:576 ksys_write+0x127/0x250 fs/read_write.c:631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd  The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device.  Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage.  As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer.  Thread 1 vfd_write                      Thread 2 imon_disconnect                                         ...                                         
if                                           usb_put_dev(ictx->usbdev_intf0)                                         else                                           usb_put_dev(ictx->usbdev_intf1) ... while   send_packet     if       pipe = usb_sndintpipe(         ictx->usbdev_intf0) UAF     else       pipe = usb_sndctrlpipe(         ictx->usbdev_intf0, 0) UAF  Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present.  Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations.  Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup.  Found by Linux Verification Center (linuxtesting.org) with Syzkaller.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-15 08:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-40018",
                                "url": "https://ubuntu.com/security/CVE-2025-40018",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  ipvs: Defer ip_vs_ftp unregister during netns cleanup  On the netns cleanup path, __ip_vs_ftp_exit() may unregister ip_vs_ftp before connections with valid cp->app pointers are flushed, leading to a use-after-free.  Fix this by introducing a global `exiting_module` flag, set to true in ip_vs_ftp_exit() before unregistering the pernet subsystem. In __ip_vs_ftp_exit(), skip ip_vs_ftp unregister if called during netns cleanup (when exiting_module is false) and defer it to __ip_vs_cleanup_batch(), which unregisters all apps after all connections are flushed. If called during module exit, unregister ip_vs_ftp immediately.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-24 12:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-39964",
                                "url": "https://ubuntu.com/security/CVE-2025-39964",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg  Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion.  Furthermore, concurrent writes may create inconsistencies in the internal socket state.  Disallow this by adding a new ctx->write field that indicates exclusive ownership for writing.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-13 14:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2025-39946",
                                "url": "https://ubuntu.com/security/CVE-2025-39946",
                                "cve_description": "In the Linux kernel, the following vulnerability has been resolved:  tls: make sure to abort the stream if headers are bogus  Normally we wait for the socket to buffer up the whole record before we service it. If the socket has a tiny buffer, however, we read out the data sooner, to prevent connection stalls. Make sure that we abort the connection when we find out late that the record is actually invalid. Retrying the parsing is fine in itself but since we copy some more data each time before we parse we can overflow the allocated skb space.  Constructing a scenario in which we're under pressure without enough data in the socket to parse the length upfront is quite hard. syzbot figured out a way to do this by serving us the header in small OOB sends, and then filling in the recvbuf with a large normal send.  Make sure that tls_rx_msg_size() aborts strp, if we reach an invalid record there's really no way to recover.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-10-04 08:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * plucky/linux: 6.14.0-37.37 -proposed tracker (LP: #2131513)",
                            "",
                            "  * Poweroff not working consistently after upgrading kernel 6.14.0-17.17 or",
                            "    later (LP: #2115860)",
                            "    - drm/amd: Unify shutdown() callback behavior",
                            "    - drm/amd: Stop exporting amdgpu_device_ip_suspend() outside amdgpu_device",
                            "    - drm/amd: Remove comment about handling errors in",
                            "      amdgpu_device_ip_suspend_phase1()",
                            "    - drm/amd: Don't always set IP block HW status to false",
                            "    - drm/amd: Pass IP suspend errors up to callers",
                            "    - drm/amd: Avoid evicting resources at S5",
                            "",
                            "  * CAP_PERFMON insufficient to get perf data (LP: #2131046)",
                            "    - SAUCE: perf/core: Allow CAP_PERFMON for paranoid level 4",
                            "",
                            "  * i40e driver is triggering VF resets on every link state change",
                            "    (LP: #2130552)",
                            "    - i40e: avoid redundant VF link state updates",
                            "",
                            "  * kernel: sysfs: cannot create duplicate filename",
                            "    '/bus/platform/devices/iTCO_wdt' (LP: #2121997)",
                            "    - i2c: i801: Hide Intel Birch Stream SoC TCO WDT",
                            "",
                            "  * Fix incorrect bug number for CONFIG_KERNEL_ZSTD (LP: #2127676)",
                            "    - [Config] Fix bug note for CONFIG_KERNEL_ZSTD",
                            "",
                            "  * CVE-2025-39993",
                            "    - media: rc: fix races with imon_disconnect()",
                            "",
                            "  * CVE-2025-40018",
                            "    - ipvs: Defer ip_vs_ftp unregister during netns cleanup",
                            "",
                            "  * CVE-2025-39964",
                            "    - crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg",
                            "    - crypto: af_alg - Fix incorrect boolean values in af_alg_ctx",
                            "",
                            "  * CVE-2025-39946",
                            "    - tls: make sure to abort the stream if headers are bogus",
                            ""
                        ],
                        "package": "linux",
                        "version": "6.14.0-37.37",
                        "urgency": "medium",
                        "distributions": "plucky",
                        "launchpad_bugs_fixed": [
                            2131513,
                            2115860,
                            2131046,
                            2130552,
                            2121997,
                            2127676
                        ],
                        "author": "Manuel Diewald <manuel.diewald@canonical.com>",
                        "date": "Fri, 14 Nov 2025 17:52:55 +0100"
                    }
                ],
                "notes": "linux-modules-6.14.0-37-generic version '6.14.0-37.37' (source package linux version '6.14.0-37.37') was added. linux-modules-6.14.0-37-generic version '6.14.0-37.37' has the same source package name, linux, as removed package linux-modules-6.14.0-36-generic. As such we can use the source package version of the removed package, '6.14.0-36.36', as the starting point in our changelog diff. Kernel packages are an example of where the binary package name changes for the same source package. Using the removed package source package version as our starting point means we can still get meaningful changelog diffs even for what appears to be a new package.",
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "removed": {
        "deb": [
            {
                "name": "linux-image-6.14.0-36-generic",
                "from_version": {
                    "source_package_name": "linux-signed",
                    "source_package_version": "6.14.0-36.36",
                    "version": "6.14.0-36.36"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "linux-modules-6.14.0-36-generic",
                "from_version": {
                    "source_package_name": "linux",
                    "source_package_version": "6.14.0-36.36",
                    "version": "6.14.0-36.36"
                },
                "to_version": {
                    "source_package_name": null,
                    "source_package_version": null,
                    "version": null
                },
                "cves": [],
                "launchpad_bugs_fixed": [],
                "changes": [],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 25.04 plucky image from daily image serial 20251205 to 20251210",
    "from_series": "plucky",
    "to_series": "plucky",
    "from_serial": "20251205",
    "to_serial": "20251210",
    "from_manifest_filename": "daily_manifest.previous",
    "to_manifest_filename": "manifest.current"
}