{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [], "removed": [], "diff": [ "iproute2", "openssh-client", "openssh-server", "openssh-sftp-server" ] } }, "diff": { "deb": [ { "name": "iproute2", "from_version": { "source_package_name": "iproute2", "source_package_version": "5.15.0-1ubuntu2", "version": "5.15.0-1ubuntu2" }, "to_version": { "source_package_name": "iproute2", "source_package_version": "5.15.0-1ubuntu2.1", "version": "5.15.0-1ubuntu2.1" }, "cves": [], "launchpad_bugs_fixed": [ 2125448 ], "changes": [ { "cves": [], "log": [ "", " * Modify tc police to permit burst sizes up greater than 4GB (LP: #2125448)", " - /d/p/2001-lib-Update-backend-of-print_size-to-accept-64-bit-si.patch", " - /d/p/2002-tc-Add-get_size64-and-get_size64_and_cell.patch", " - /d/p/2003-tc-Expand-tc_calc_xmittime-tc_calc_xmitsize-to-u64.patch", " - /d/p/2004-tc-police-enable-use-of-64-bit-burst-parameter.patch ", "" ], "package": "iproute2", "version": "5.15.0-1ubuntu2.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2125448 ], "author": "Jorge Merlino ", "date": "Fri, 03 Oct 2025 10:53:16 -0300" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssh-client", "from_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.14", "version": "1:8.9p1-3ubuntu0.14" }, "to_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.15", "version": "1:8.9p1-3ubuntu0.15" }, "cves": [ { "cve": "CVE-2026-35385", "url": "https://ubuntu.com/security/CVE-2026-35385", "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35386", "url": "https://ubuntu.com/security/CVE-2026-35386", "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35387", "url": "https://ubuntu.com/security/CVE-2026-35387", "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35388", "url": "https://ubuntu.com/security/CVE-2026-35388", "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35414", "url": "https://ubuntu.com/security/CVE-2026-35414", "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.", "cve_priority": "medium", "cve_public_date": "2026-04-02 18:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-35385", "url": "https://ubuntu.com/security/CVE-2026-35385", "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35386", "url": "https://ubuntu.com/security/CVE-2026-35386", "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35387", "url": "https://ubuntu.com/security/CVE-2026-35387", "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35388", "url": "https://ubuntu.com/security/CVE-2026-35388", "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35414", "url": "https://ubuntu.com/security/CVE-2026-35414", "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.", "cve_priority": "medium", "cve_public_date": "2026-04-02 18:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: unexpected scp setuid and setgid", " - debian/patches/CVE-2026-35385.patch: clear setuid/setgid bits from", " downloaded files in scp.c.", " - CVE-2026-35385", " * SECURITY UPDATE: command execution via shell metacharacters in username", " - debian/patches/CVE-2026-35386-pre1.patch: apply validity rules on", " ProxyJump usernames and hostnames in readconf.c, readconf.h, ssh.c.", " - debian/patches/CVE-2026-35386.patch: move username check earlier in", " ssh.c.", " - CVE-2026-35386", " * SECURITY UPDATE: use of unintended ECDSA algorithms", " - debian/patches/CVE-2026-35387_35414.patch: correctly match ECDSA", " signature algorithms against algorithm allowlists in", " auth2-hostbased.c, auth2-pubkey.c, sshconnect2.c.", " - CVE-2026-35387", " * SECURITY UPDATE: missing connection multiplexing confirmation", " - debian/patches/CVE-2026-35388.patch: add missing askpass check in", " mux.c.", " - CVE-2026-35388", " * SECURITY UPDATE: authorized_keys principals option mishandling", " - debian/patches/CVE-2026-35387_35414.patch: check for commas in", " auth2-pubkey.c.", " - CVE-2026-35414", "" ], "package": "openssh", "version": "1:8.9p1-3ubuntu0.15", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Mon, 27 Apr 2026 20:38:10 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssh-server", "from_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.14", "version": "1:8.9p1-3ubuntu0.14" }, "to_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.15", "version": "1:8.9p1-3ubuntu0.15" }, "cves": [ { "cve": "CVE-2026-35385", "url": "https://ubuntu.com/security/CVE-2026-35385", "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35386", "url": "https://ubuntu.com/security/CVE-2026-35386", "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35387", "url": "https://ubuntu.com/security/CVE-2026-35387", "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35388", "url": "https://ubuntu.com/security/CVE-2026-35388", "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35414", "url": "https://ubuntu.com/security/CVE-2026-35414", "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.", "cve_priority": "medium", "cve_public_date": "2026-04-02 18:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-35385", "url": "https://ubuntu.com/security/CVE-2026-35385", "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35386", "url": "https://ubuntu.com/security/CVE-2026-35386", "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35387", "url": "https://ubuntu.com/security/CVE-2026-35387", "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35388", "url": "https://ubuntu.com/security/CVE-2026-35388", "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35414", "url": "https://ubuntu.com/security/CVE-2026-35414", "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.", "cve_priority": "medium", "cve_public_date": "2026-04-02 18:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: unexpected scp setuid and setgid", " - debian/patches/CVE-2026-35385.patch: clear setuid/setgid bits from", " downloaded files in scp.c.", " - CVE-2026-35385", " * SECURITY UPDATE: command execution via shell metacharacters in username", " - debian/patches/CVE-2026-35386-pre1.patch: apply validity rules on", " ProxyJump usernames and hostnames in readconf.c, readconf.h, ssh.c.", " - debian/patches/CVE-2026-35386.patch: move username check earlier in", " ssh.c.", " - CVE-2026-35386", " * SECURITY UPDATE: use of unintended ECDSA algorithms", " - debian/patches/CVE-2026-35387_35414.patch: correctly match ECDSA", " signature algorithms against algorithm allowlists in", " auth2-hostbased.c, auth2-pubkey.c, sshconnect2.c.", " - CVE-2026-35387", " * SECURITY UPDATE: missing connection multiplexing confirmation", " - debian/patches/CVE-2026-35388.patch: add missing askpass check in", " mux.c.", " - CVE-2026-35388", " * SECURITY UPDATE: authorized_keys principals option mishandling", " - debian/patches/CVE-2026-35387_35414.patch: check for commas in", " auth2-pubkey.c.", " - CVE-2026-35414", "" ], "package": "openssh", "version": "1:8.9p1-3ubuntu0.15", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Mon, 27 Apr 2026 20:38:10 -0400" } ], "notes": null, "is_version_downgrade": false }, { "name": "openssh-sftp-server", "from_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.14", "version": "1:8.9p1-3ubuntu0.14" }, "to_version": { "source_package_name": "openssh", "source_package_version": "1:8.9p1-3ubuntu0.15", "version": "1:8.9p1-3ubuntu0.15" }, "cves": [ { "cve": "CVE-2026-35385", "url": "https://ubuntu.com/security/CVE-2026-35385", "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35386", "url": "https://ubuntu.com/security/CVE-2026-35386", "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35387", "url": "https://ubuntu.com/security/CVE-2026-35387", "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35388", "url": "https://ubuntu.com/security/CVE-2026-35388", "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35414", "url": "https://ubuntu.com/security/CVE-2026-35414", "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.", "cve_priority": "medium", "cve_public_date": "2026-04-02 18:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-35385", "url": "https://ubuntu.com/security/CVE-2026-35385", "cve_description": "In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode).", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35386", "url": "https://ubuntu.com/security/CVE-2026-35386", "cve_description": "In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35387", "url": "https://ubuntu.com/security/CVE-2026-35387", "cve_description": "OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35388", "url": "https://ubuntu.com/security/CVE-2026-35388", "cve_description": "OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.", "cve_priority": "medium", "cve_public_date": "2026-04-02 17:16:00 UTC" }, { "cve": "CVE-2026-35414", "url": "https://ubuntu.com/security/CVE-2026-35414", "cve_description": "OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.", "cve_priority": "medium", "cve_public_date": "2026-04-02 18:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: unexpected scp setuid and setgid", " - debian/patches/CVE-2026-35385.patch: clear setuid/setgid bits from", " downloaded files in scp.c.", " - CVE-2026-35385", " * SECURITY UPDATE: command execution via shell metacharacters in username", " - debian/patches/CVE-2026-35386-pre1.patch: apply validity rules on", " ProxyJump usernames and hostnames in readconf.c, readconf.h, ssh.c.", " - debian/patches/CVE-2026-35386.patch: move username check earlier in", " ssh.c.", " - CVE-2026-35386", " * SECURITY UPDATE: use of unintended ECDSA algorithms", " - debian/patches/CVE-2026-35387_35414.patch: correctly match ECDSA", " signature algorithms against algorithm allowlists in", " auth2-hostbased.c, auth2-pubkey.c, sshconnect2.c.", " - CVE-2026-35387", " * SECURITY UPDATE: missing connection multiplexing confirmation", " - debian/patches/CVE-2026-35388.patch: add missing askpass check in", " mux.c.", " - CVE-2026-35388", " * SECURITY UPDATE: authorized_keys principals option mishandling", " - debian/patches/CVE-2026-35387_35414.patch: check for commas in", " auth2-pubkey.c.", " - CVE-2026-35414", "" ], "package": "openssh", "version": "1:8.9p1-3ubuntu0.15", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Mon, 27 Apr 2026 20:38:10 -0400" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from daily image serial 20260427 to 20260429", "from_series": "jammy", "to_series": "jammy", "from_serial": "20260427", "to_serial": "20260429", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }