{ "summary": { "snap": { "added": [], "removed": [], "diff": [] }, "deb": { "added": [], "removed": [], "diff": [ "libnss3:s390x", "libpython3.10:s390x", "libpython3.10-minimal:s390x", "libpython3.10-stdlib:s390x", "python3.10", "python3.10-minimal", "sosreport" ] } }, "diff": { "deb": [ { "name": "libnss3:s390x", "from_version": { "source_package_name": "nss", "source_package_version": "2:3.98-0ubuntu0.22.04.2", "version": "2:3.98-0ubuntu0.22.04.2" }, "to_version": { "source_package_name": "nss", "source_package_version": "2:3.98-0ubuntu0.22.04.3", "version": "2:3.98-0ubuntu0.22.04.3" }, "cves": [ { "cve": "CVE-2026-2781", "url": "https://ubuntu.com/security/CVE-2026-2781", "cve_description": "Integer overflow in the Libraries component in NSS. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.", "cve_priority": "medium", "cve_public_date": "2026-02-24 14:16:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2026-2781", "url": "https://ubuntu.com/security/CVE-2026-2781", "cve_description": "Integer overflow in the Libraries component in NSS. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.", "cve_priority": "medium", "cve_public_date": "2026-02-24 14:16:00 UTC" } ], "log": [ "", " * SECURITY UPDATE: integer overflow in platform-independent ghash", " - debian/patches/CVE-2026-2781.patch: properly cast len in", " nss/lib/freebl/gcm.c.", " - CVE-2026-2781", "" ], "package": "nss", "version": "2:3.98-0ubuntu0.22.04.3", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Marc Deslauriers ", "date": "Thu, 26 Feb 2026 13:28:10 -0500" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.10:s390x", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.14", "version": "3.10.12-1~22.04.14" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.15", "version": "3.10.12-1~22.04.15" }, "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: Revert patch for CVE-2025-15366", " - debian/patches/CVE-2025-15366.patch: Reverted. Patch breaks RFC", " 9051 IMAP conformance and introduces behavior regressions avoided", " by upstream.", " - CVE-2025-15366", " * SECURITY REGRESSION: Revert patch for CVE-2025-15367", " - debian/patches/CVE-2025-15367.patch: Reverted to prevent behavior", " regressions, aligning with upstream backporting decisions.", " - CVE-2025-15367", " * SECURITY REGRESSION: Allow HTAB in wsgiref header values", " - debian/patches/CVE-2026-0865-2.patch: Permit HTAB in header values", " (excluding names) in Lib/wsgiref/headers.py, add test coverage.", " - CVE-2026-0865", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.15", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Tue, 03 Mar 2026 17:26:32 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.10-minimal:s390x", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.14", "version": "3.10.12-1~22.04.14" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.15", "version": "3.10.12-1~22.04.15" }, "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: Revert patch for CVE-2025-15366", " - debian/patches/CVE-2025-15366.patch: Reverted. Patch breaks RFC", " 9051 IMAP conformance and introduces behavior regressions avoided", " by upstream.", " - CVE-2025-15366", " * SECURITY REGRESSION: Revert patch for CVE-2025-15367", " - debian/patches/CVE-2025-15367.patch: Reverted to prevent behavior", " regressions, aligning with upstream backporting decisions.", " - CVE-2025-15367", " * SECURITY REGRESSION: Allow HTAB in wsgiref header values", " - debian/patches/CVE-2026-0865-2.patch: Permit HTAB in header values", " (excluding names) in Lib/wsgiref/headers.py, add test coverage.", " - CVE-2026-0865", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.15", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Tue, 03 Mar 2026 17:26:32 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "libpython3.10-stdlib:s390x", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.14", "version": "3.10.12-1~22.04.14" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.15", "version": "3.10.12-1~22.04.15" }, "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: Revert patch for CVE-2025-15366", " - debian/patches/CVE-2025-15366.patch: Reverted. Patch breaks RFC", " 9051 IMAP conformance and introduces behavior regressions avoided", " by upstream.", " - CVE-2025-15366", " * SECURITY REGRESSION: Revert patch for CVE-2025-15367", " - debian/patches/CVE-2025-15367.patch: Reverted to prevent behavior", " regressions, aligning with upstream backporting decisions.", " - CVE-2025-15367", " * SECURITY REGRESSION: Allow HTAB in wsgiref header values", " - debian/patches/CVE-2026-0865-2.patch: Permit HTAB in header values", " (excluding names) in Lib/wsgiref/headers.py, add test coverage.", " - CVE-2026-0865", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.15", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Tue, 03 Mar 2026 17:26:32 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.10", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.14", "version": "3.10.12-1~22.04.14" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.15", "version": "3.10.12-1~22.04.15" }, "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: Revert patch for CVE-2025-15366", " - debian/patches/CVE-2025-15366.patch: Reverted. Patch breaks RFC", " 9051 IMAP conformance and introduces behavior regressions avoided", " by upstream.", " - CVE-2025-15366", " * SECURITY REGRESSION: Revert patch for CVE-2025-15367", " - debian/patches/CVE-2025-15367.patch: Reverted to prevent behavior", " regressions, aligning with upstream backporting decisions.", " - CVE-2025-15367", " * SECURITY REGRESSION: Allow HTAB in wsgiref header values", " - debian/patches/CVE-2026-0865-2.patch: Permit HTAB in header values", " (excluding names) in Lib/wsgiref/headers.py, add test coverage.", " - CVE-2026-0865", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.15", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Tue, 03 Mar 2026 17:26:32 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "python3.10-minimal", "from_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.14", "version": "3.10.12-1~22.04.14" }, "to_version": { "source_package_name": "python3.10", "source_package_version": "3.10.12-1~22.04.15", "version": "3.10.12-1~22.04.15" }, "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "launchpad_bugs_fixed": [], "changes": [ { "cves": [ { "cve": "CVE-2025-15366", "url": "https://ubuntu.com/security/CVE-2025-15366", "cve_description": "The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2025-15367", "url": "https://ubuntu.com/security/CVE-2025-15367", "cve_description": "The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" }, { "cve": "CVE-2026-0865", "url": "https://ubuntu.com/security/CVE-2026-0865", "cve_description": "User-controlled header names and values containing newlines can allow injecting HTTP headers.", "cve_priority": "medium", "cve_public_date": "2026-01-20 22:15:00 UTC" } ], "log": [ "", " * SECURITY REGRESSION: Revert patch for CVE-2025-15366", " - debian/patches/CVE-2025-15366.patch: Reverted. Patch breaks RFC", " 9051 IMAP conformance and introduces behavior regressions avoided", " by upstream.", " - CVE-2025-15366", " * SECURITY REGRESSION: Revert patch for CVE-2025-15367", " - debian/patches/CVE-2025-15367.patch: Reverted to prevent behavior", " regressions, aligning with upstream backporting decisions.", " - CVE-2025-15367", " * SECURITY REGRESSION: Allow HTAB in wsgiref header values", " - debian/patches/CVE-2026-0865-2.patch: Permit HTAB in header values", " (excluding names) in Lib/wsgiref/headers.py, add test coverage.", " - CVE-2026-0865", "" ], "package": "python3.10", "version": "3.10.12-1~22.04.15", "urgency": "medium", "distributions": "jammy-security", "launchpad_bugs_fixed": [], "author": "Vyom Yadav ", "date": "Tue, 03 Mar 2026 17:26:32 +0530" } ], "notes": null, "is_version_downgrade": false }, { "name": "sosreport", "from_version": { "source_package_name": "sosreport", "source_package_version": "4.9.2-0ubuntu0~22.04.1", "version": "4.9.2-0ubuntu0~22.04.1" }, "to_version": { "source_package_name": "sosreport", "source_package_version": "4.10.2-0ubuntu0~22.04.1", "version": "4.10.2-0ubuntu0~22.04.1" }, "cves": [], "launchpad_bugs_fixed": [ 2136302 ], "changes": [ { "cves": [], "log": [ "", " * New 4.10.2 upstream release. (LP: #2136302)", "", " * For more details, full release note is available here:", " - https://github.com/sosreport/sos/releases/tag/4.10.2", "", " * d/control: Add gpg to Recommends so that we are able to encrypt and", " decrypt sos reports", "", " * d/copyright: Aligned copyright with upstream Debian", "", " * Former patch, now fixed:", " - d/p/0002-component-Grab-tmpdir-from-policy.patch", "", " * Remaining patches:", " - d/p/0001-debian-change-tmp-dir-location.patch", "" ], "package": "sosreport", "version": "4.10.2-0ubuntu0~22.04.1", "urgency": "medium", "distributions": "jammy", "launchpad_bugs_fixed": [ 2136302 ], "author": "Dan Emmons ", "date": "Fri, 19 Dec 2025 17:58:00 +0000" } ], "notes": null, "is_version_downgrade": false } ], "snap": [] }, "added": { "deb": [], "snap": [] }, "removed": { "deb": [], "snap": [] }, "notes": "Changelog diff for Ubuntu 22.04 jammy image from daily image serial 20260228 to 20260309", "from_series": "jammy", "to_series": "jammy", "from_serial": "20260228", "to_serial": "20260309", "from_manifest_filename": "daily_manifest.previous", "to_manifest_filename": "manifest.current" }