{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [], "removed": [], "diff": [ "xxd" ] } }, "diff": { "deb": [ { "name": "xxd", "from_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.11", "version": "2:9.1.0016-1ubuntu7.11" }, "to_version": { "source_package_name": "vim", "source_package_version": "2:9.1.0016-1ubuntu7.12", "version": "2:9.1.0016-1ubuntu7.12" }, "cves": [ { "cve": "CVE-2026-35177", "url": "https://ubuntu.com/security/CVE-2026-35177", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.", "cve_priority": "medium", "cve_public_date": "2026-04-06 18:16:00 UTC" }, { "cve": "CVE-2026-39881", "url": "https://ubuntu.com/security/CVE-2026-39881", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.", "cve_priority": "medium", "cve_public_date": "2026-04-08 21:17:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-35177", "url": "https://ubuntu.com/security/CVE-2026-35177", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.", "cve_priority": "medium", "cve_public_date": "2026-04-06 18:16:00 UTC" }, { "cve": "CVE-2026-39881", "url": "https://ubuntu.com/security/CVE-2026-39881", "cve_description": "Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.", "cve_priority": "medium", "cve_public_date": "2026-04-08 21:17:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: Path Traversal in zip.vim", " - debian/patches/CVE-2026-35177.patch: Detect malicious zip files before", " writing in runtime/autoload/zip.vim", " - CVE-2026-35177", " * SECURITY UPDATE: Command Injection in netbeans", " - debian/patches/CVE-2026-39881.patch: Validate typename, fg, and bg", " before passing to coloncmd in src/netbeans.c", " - CVE-2026-39881", "" ], "package": "vim", "version": "2:9.1.0016-1ubuntu7.12", "urgency": "medium", "distributions": "noble-security", "launchpad_bugs_fixed": [], "author": "Kyle Kernick ", "date": "Fri, 24 Apr 2026 13:05:03 -0600" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 24.04 noble image from daily image serial 20260422 to 20260428", "from_series": "noble", "to_series": "noble", "from_serial": "20260422", "to_serial": "20260428", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }