{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [], "removed": [], "diff": [ "libpython3.11:riscv64", "libpython3.11-minimal:riscv64", "libpython3.11-stdlib:riscv64", "python3.11", "python3.11-minimal", "tzdata", "tzdata-icu" ] } }, "diff": { "deb": [ { "name": "libpython3.11:riscv64", "from_version": { "source_package_name": "python3.11", "source_package_version": "3.11.6-3", "version": "3.11.6-3" }, "to_version": { "source_package_name": "python3.11", "source_package_version": "3.11.6-3ubuntu0.1", "version": "3.11.6-3ubuntu0.1" }, "cves": [ { "cve": "CVE-2023-6597", "url": "https://ubuntu.com/security/CVE-2023-6597", "cve_description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" }, { "cve": "CVE-2024-0450", "url": "https://ubuntu.com/security/CVE-2024-0450", "cve_description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-6597", "url": "https://ubuntu.com/security/CVE-2023-6597", "cve_description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" }, { "cve": "CVE-2024-0450", "url": "https://ubuntu.com/security/CVE-2024-0450", "cve_description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect permission assignment", " - debian/patches/CVE-2023-6597.patch: fix symlink bug in cleanup.", " - CVE-2023-6597", " * SECURITY UPDATE: Zip-Bombs with overlap entries", " - debian/patches/CVE-2024-0450.patch: Protect zipfile from", " \"quoted-overlap\" zipbomb. Raise BadZipFile when try to read an", " entry that overlaps with other entry or central directory.", " - CVE-2024-0450", "" ], "package": "python3.11", "version": "3.11.6-3ubuntu0.1", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Wed, 10 Apr 2024 18:26:07 +0100" } ], "notes": null }, { "name": "libpython3.11-minimal:riscv64", "from_version": { "source_package_name": "python3.11", "source_package_version": "3.11.6-3", "version": "3.11.6-3" }, "to_version": { "source_package_name": "python3.11", "source_package_version": "3.11.6-3ubuntu0.1", "version": "3.11.6-3ubuntu0.1" }, "cves": [ { "cve": "CVE-2023-6597", "url": "https://ubuntu.com/security/CVE-2023-6597", "cve_description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" }, { "cve": "CVE-2024-0450", "url": "https://ubuntu.com/security/CVE-2024-0450", "cve_description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-6597", "url": "https://ubuntu.com/security/CVE-2023-6597", "cve_description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" }, { "cve": "CVE-2024-0450", "url": "https://ubuntu.com/security/CVE-2024-0450", "cve_description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect permission assignment", " - debian/patches/CVE-2023-6597.patch: fix symlink bug in cleanup.", " - CVE-2023-6597", " * SECURITY UPDATE: Zip-Bombs with overlap entries", " - debian/patches/CVE-2024-0450.patch: Protect zipfile from", " \"quoted-overlap\" zipbomb. Raise BadZipFile when try to read an", " entry that overlaps with other entry or central directory.", " - CVE-2024-0450", "" ], "package": "python3.11", "version": "3.11.6-3ubuntu0.1", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Wed, 10 Apr 2024 18:26:07 +0100" } ], "notes": null }, { "name": "libpython3.11-stdlib:riscv64", "from_version": { "source_package_name": "python3.11", "source_package_version": "3.11.6-3", "version": "3.11.6-3" }, "to_version": { "source_package_name": "python3.11", "source_package_version": "3.11.6-3ubuntu0.1", "version": "3.11.6-3ubuntu0.1" }, "cves": [ { "cve": "CVE-2023-6597", "url": "https://ubuntu.com/security/CVE-2023-6597", "cve_description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" }, { "cve": "CVE-2024-0450", "url": "https://ubuntu.com/security/CVE-2024-0450", "cve_description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-6597", "url": "https://ubuntu.com/security/CVE-2023-6597", "cve_description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" }, { "cve": "CVE-2024-0450", "url": "https://ubuntu.com/security/CVE-2024-0450", "cve_description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect permission assignment", " - debian/patches/CVE-2023-6597.patch: fix symlink bug in cleanup.", " - CVE-2023-6597", " * SECURITY UPDATE: Zip-Bombs with overlap entries", " - debian/patches/CVE-2024-0450.patch: Protect zipfile from", " \"quoted-overlap\" zipbomb. Raise BadZipFile when try to read an", " entry that overlaps with other entry or central directory.", " - CVE-2024-0450", "" ], "package": "python3.11", "version": "3.11.6-3ubuntu0.1", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Wed, 10 Apr 2024 18:26:07 +0100" } ], "notes": null }, { "name": "python3.11", "from_version": { "source_package_name": "python3.11", "source_package_version": "3.11.6-3", "version": "3.11.6-3" }, "to_version": { "source_package_name": "python3.11", "source_package_version": "3.11.6-3ubuntu0.1", "version": "3.11.6-3ubuntu0.1" }, "cves": [ { "cve": "CVE-2023-6597", "url": "https://ubuntu.com/security/CVE-2023-6597", "cve_description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" }, { "cve": "CVE-2024-0450", "url": "https://ubuntu.com/security/CVE-2024-0450", "cve_description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-6597", "url": "https://ubuntu.com/security/CVE-2023-6597", "cve_description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" }, { "cve": "CVE-2024-0450", "url": "https://ubuntu.com/security/CVE-2024-0450", "cve_description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect permission assignment", " - debian/patches/CVE-2023-6597.patch: fix symlink bug in cleanup.", " - CVE-2023-6597", " * SECURITY UPDATE: Zip-Bombs with overlap entries", " - debian/patches/CVE-2024-0450.patch: Protect zipfile from", " \"quoted-overlap\" zipbomb. Raise BadZipFile when try to read an", " entry that overlaps with other entry or central directory.", " - CVE-2024-0450", "" ], "package": "python3.11", "version": "3.11.6-3ubuntu0.1", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Wed, 10 Apr 2024 18:26:07 +0100" } ], "notes": null }, { "name": "python3.11-minimal", "from_version": { "source_package_name": "python3.11", "source_package_version": "3.11.6-3", "version": "3.11.6-3" }, "to_version": { "source_package_name": "python3.11", "source_package_version": "3.11.6-3ubuntu0.1", "version": "3.11.6-3ubuntu0.1" }, "cves": [ { "cve": "CVE-2023-6597", "url": "https://ubuntu.com/security/CVE-2023-6597", "cve_description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" }, { "cve": "CVE-2024-0450", "url": "https://ubuntu.com/security/CVE-2024-0450", "cve_description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2023-6597", "url": "https://ubuntu.com/security/CVE-2023-6597", "cve_description": "An issue was found in the CPython `tempfile.TemporaryDirectory` class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users which can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" }, { "cve": "CVE-2024-0450", "url": "https://ubuntu.com/security/CVE-2024-0450", "cve_description": "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.", "cve_priority": "medium", "cve_public_date": "2024-03-19 16:15:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: incorrect permission assignment", " - debian/patches/CVE-2023-6597.patch: fix symlink bug in cleanup.", " - CVE-2023-6597", " * SECURITY UPDATE: Zip-Bombs with overlap entries", " - debian/patches/CVE-2024-0450.patch: Protect zipfile from", " \"quoted-overlap\" zipbomb. Raise BadZipFile when try to read an", " entry that overlaps with other entry or central directory.", " - CVE-2024-0450", "" ], "package": "python3.11", "version": "3.11.6-3ubuntu0.1", "urgency": "medium", "distributions": "mantic-security", "launchpad_bugs_fixed": [], "author": "Allen Huang ", "date": "Wed, 10 Apr 2024 18:26:07 +0100" } ], "notes": null }, { "name": "tzdata", "from_version": { "source_package_name": "tzdata", "source_package_version": "2024a-0ubuntu0.23.10", "version": "2024a-0ubuntu0.23.10" }, "to_version": { "source_package_name": "tzdata", "source_package_version": "2024a-0ubuntu0.23.10.1", "version": "2024a-0ubuntu0.23.10.1" }, "cves": [], "launchpad_bugs_fixed": [ 2055718 ], "changes": [ { "cves": [], "log": [ "", " * Do not replace CET, CST6CDT, EET, EST*, HST, MET, MST*, PST8PDT, WET.", " The replacements differed in using daylight saving. (LP: #2055718)", " * Fix updating US/Indiana-Starke to America/Indiana/Knox", " * Correct timezone symlinks when using BACKWARD=backward PACKRATDATA=backzone", " to fix (at least) the timezone symlinks Africa/Asmera,", " Antarctica/South_Pole, Iceland, Pacific/Ponape, and Pacific/Truk.", " * test_timezone_conversions: Check symlink targets", " * d/rules: Support creating symlinks pointing to symlinks", "" ], "package": "tzdata", "version": "2024a-0ubuntu0.23.10.1", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2055718 ], "author": "Benjamin Drung ", "date": "Fri, 03 May 2024 17:21:06 +0200" } ], "notes": null }, { "name": "tzdata-icu", "from_version": { "source_package_name": "tzdata", "source_package_version": "2024a-0ubuntu0.23.10", "version": "2024a-0ubuntu0.23.10" }, "to_version": { "source_package_name": "tzdata", "source_package_version": "2024a-0ubuntu0.23.10.1", "version": "2024a-0ubuntu0.23.10.1" }, "cves": [], "launchpad_bugs_fixed": [ 2055718 ], "changes": [ { "cves": [], "log": [ "", " * Do not replace CET, CST6CDT, EET, EST*, HST, MET, MST*, PST8PDT, WET.", " The replacements differed in using daylight saving. (LP: #2055718)", " * Fix updating US/Indiana-Starke to America/Indiana/Knox", " * Correct timezone symlinks when using BACKWARD=backward PACKRATDATA=backzone", " to fix (at least) the timezone symlinks Africa/Asmera,", " Antarctica/South_Pole, Iceland, Pacific/Ponape, and Pacific/Truk.", " * test_timezone_conversions: Check symlink targets", " * d/rules: Support creating symlinks pointing to symlinks", "" ], "package": "tzdata", "version": "2024a-0ubuntu0.23.10.1", "urgency": "medium", "distributions": "mantic", "launchpad_bugs_fixed": [ 2055718 ], "author": "Benjamin Drung ", "date": "Fri, 03 May 2024 17:21:06 +0200" } ], "notes": null } ], "snap": [] }, "added": { "deb": [], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 23.10 mantic image from daily image serial 20240701 to 20240710", "from_series": "mantic", "to_series": "mantic", "from_serial": "20240701", "to_serial": "20240710", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }