=============================================================================
FreeBSD-EN-26:07.pkgbase                                        Errata Notice
                                                          The FreeBSD Project

Topic:          Base packages fail to build with newer versions of libucl

Category:       core
Module:         packages
Announced:      2026-04-21
Affects:        FreeBSD 15.0
Corrected:      2026-04-07 11:27:02 UTC (stable/15, 15.0-STABLE)
                2026-04-21 15:44:26 UTC (releng/15.0, 15.0-RELEASE-p6)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

The libucl library is used for parsing documents in the UCL markup format.
The base system private Lua (flua) exposes libucl to Lua applications via
the "ucl" module.

II.  Problem Description

In libucl version 0.9.3, an API change was made in the Lua ucl module to
prohibit the use of certain syntax by default, specifically the ".include"
directive. This change causes the base system package build ("make
update-packages") to fail when the host system is using libucl 0.9.3 or
later.

III. Impact

Future versions of FreeBSD, which include libucl 0.9.3 or later, will be
unable to build FreeBSD 15.0 base system packages from source.

IV.  Workaround

No workaround is available.

V.   Solution

Update the base system source tree to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
No action is required on the host (build) system.

To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-26:07/pkgbase.patch
# fetch https://security.FreeBSD.org/patches/EN-26:07/pkgbase.patch.asc
# gpg --verify pkgbase.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              976b2ebf4309    stable/15-n282865
releng/15.0/                            f3bbb238daa1  releng/15.0-n281021
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:07.pkgbase.asc>
Tuesday, April 21, 2026
FreeBSD Errata Notice FreeBSD-EN-26:06.timerfd
=============================================================================
FreeBSD-EN-26:06.timerfd                                        Errata Notice
                                                          The FreeBSD Project

Topic:          Periodic timerfd(2) timers may produce incorrect results

Category:       core
Module:         timerfd
Announced:      2026-04-21
Affects:        FreeBSD 14.3 and later.
Corrected:      2026-04-03 15:26:14 UTC (stable/15, 15.0-STABLE)
                2026-04-21 15:44:25 UTC (releng/15.0, 15.0-RELEASE-p6)
                2026-04-03 15:27:26 UTC (stable/14, 14.4-STABLE)
                2026-04-21 15:45:30 UTC (releng/14.4, 14.4-RELEASE-p2)
                2026-04-21 15:46:00 UTC (releng/14.3, 14.3-RELEASE-p11)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

The timerfd(2) family of system calls provides a file descriptor-based
interface for managing timers.

II.  Problem Description

timerfd(2) implements periodic timers. The implementation had a bug which
caused it to fire too early in some cases.

III. Impact

The bug has been observed to cause excessive CPU usage in some
applications, particularly in some KDE desktop programs.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot the system.

Perform one of the following:

1) To update your system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r now

2) To update your system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, which were not installed
using base system packages, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r now

3) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-26:06/timerfd.patch
# fetch https://security.FreeBSD.org/patches/EN-26:06/timerfd.patch.asc
# gpg --verify timerfd.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              9b785380f307    stable/15-n282826
releng/15.0/                            b0be1af0c48b  releng/15.0-n281020
stable/14/                              3c00f603a280    stable/14-n273878
releng/14.4/                            df8d2f945028  releng/14.4-n273684
releng/14.3/                            f37c6e3a133e  releng/14.3-n271484
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293368>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:06.timerfd.asc>
FreeBSD Errata Notice FreeBSD-EN-26:05.vm
=============================================================================
FreeBSD-EN-26:05.vm                                             Errata Notice
                                                          The FreeBSD Project

Topic:          The page fault handler fails to zero memory

Category:       core
Module:         vm
Announced:      2026-04-21
Affects:        All supported versions of FreeBSD.
Corrected:      2026-04-13 10:57:44 UTC (stable/15, 15.0-STABLE)
                2026-04-21 15:44:24 UTC (releng/15.0, 15.0-RELEASE-p6)
                2026-04-13 02:56:40 UTC (stable/14, 14.4-STABLE)
                2026-04-21 15:45:29 UTC (releng/14.4, 14.4-RELEASE-p2)
                2026-04-21 15:45:59 UTC (releng/14.3, 14.3-RELEASE-p11)
                2026-04-13 02:58:42 UTC (stable/13, 13.5-STABLE)
                2026-04-21 15:47:06 UTC (releng/13.5, 13.5-RELEASE-p12)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

The mmap(2) system call allows applications and system libraries to
allocate heap memory using the MAP_ANON flag. The system call allocates
virtual memory in the calling thread's address space and physical memory
is allocated on demand as page faults occur. Memory allocated this way is
allocated to be zero-filled.

II.  Problem Description

Due to a regression introduced in a previous erratum which attempted to
fix a similar problem, under some conditions, particularly heavy memory
pressure with swapping, the physical pages allocated and mapped by the
kernel may not be zero-filled.

III. Impact

This bug has been observed to cause process crashes.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot the system.

Perform one of the following:

1) To update your system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r now

2) To update your system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, which were not installed
using base system packages, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r now

3) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/EN-26:05/vm-15.patch
# fetch https://security.FreeBSD.org/patches/EN-26:05/vm-15.patch.asc
# gpg --verify vm-15.patch.asc

[FreeBSD 14.4 and 14.3]
# fetch https://security.FreeBSD.org/patches/EN-26:05/vm-14.patch
# fetch https://security.FreeBSD.org/patches/EN-26:05/vm-14.patch.asc
# gpg --verify vm-14.patch.asc

[FreeBSD 13.5]
# fetch https://security.FreeBSD.org/patches/EN-26:05/vm-13.patch
# fetch https://security.FreeBSD.org/patches/EN-26:05/vm-13.patch.asc
# gpg --verify vm-13.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              58718cf36593    stable/15-n282974
releng/15.0/                            ffb21713d9fd  releng/15.0-n281019
stable/14/                              9b7c0f4f81f0    stable/14-n273947
releng/14.4/                            1abe7ead45c3  releng/14.4-n273683
releng/14.3/                            4d22b3925df8  releng/14.3-n271483
stable/13/                              50f7b62f0862    stable/13-n259839
releng/13.5/                            6c9dd7528350  releng/13.5-n259209
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294039>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:05.vm.asc>
[USN-8191-1] Apache Commons IO vulnerability
==========================================================================
Ubuntu Security Notice USN-8191-1
April 21, 2026

commons-io vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Apache Commons IO could be made to crash if it received specially crafted
input.

Software Description:
- commons-io: library of utilities to assist with developing IO functionality

Details:

It was discovered that Apache Commons IO's XmlStreamReader class could
excessively consume CPU resources under certain circumstances. An attacker
could possibly use this issue to cause Apache Commons IO to crash,
resulting in a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  libcommons-io-java              2.11.0-2ubuntu0.24.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  libcommons-io-java              2.11.0-2ubuntu0.22.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  libcommons-io-java              2.6-2ubuntu0.20.04.1+esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libcommons-io-java              2.6-2ubuntu0.18.04.1+esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libcommons-io-java              2.4-2ubuntu0.16.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  libcommons-io-java              2.4-2ubuntu0.1~esm2
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8191-1
  CVE-2024-47554
[USN-8189-1] RapidJSON vulnerability
==========================================================================
Ubuntu Security Notice USN-8189-1
April 20, 2026

rapidjson vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

RapidJSON could be made to crash or run programs as an administrator if it
opened a specially crafted file.

Software Description:
- rapidjson: A fast JSON parser/generator for C++

Details:

It was discovered that RapidJSON did not properly protect against integer
overflows in certain instances when parsing JSON text. A remote attacker
could possibly use this issue to craft a malicious JSON file, that when
read by RapidJSON, would lead to an elevation of privilege, resulting in
the potential disclosure of sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  rapidjson-dev                   1.1.0+dfsg2-7.2ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  rapidjson-dev                   1.1.0+dfsg2-7ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  rapidjson-dev                   1.1.0+dfsg2-5ubuntu1+esm2
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  rapidjson-dev                   1.1.0+dfsg2-3ubuntu0.1~esm2
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  rapidjson-dev                   0.12~git20141031-3ubuntu0.1~esm2
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8189-1
  CVE-2024-39684
[USN-8193-1] libcap vulnerability
==========================================================================
Ubuntu Security Notice USN-8193-1
April 21, 2026

libcap2 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

libcap could be made to modify capabilities on arbitrary files.

Software Description:
- libcap2: POSIX 1003.1e capabilities library

Details:

Ali Raza discovered that libcap incorrectly handled file capability
updates. A local attacker could possibly use this issue to inject or strip
capabilities into arbitrary executables and escalate privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
  libcap2                         1:2.75-7ubuntu2.2
  libcap2-bin                     1:2.75-7ubuntu2.2

Ubuntu 24.04 LTS
  libcap2                         1:2.66-5ubuntu2.4
  libcap2-bin                     1:2.66-5ubuntu2.4

Ubuntu 22.04 LTS
  libcap2                         1:2.44-1ubuntu0.22.04.3
  libcap2-bin                     1:2.44-1ubuntu0.22.04.3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8193-1
  CVE-2026-4878

Package Information:
  https://launchpad.net/ubuntu/+source/libcap2/1:2.75-7ubuntu2.2
  https://launchpad.net/ubuntu/+source/libcap2/1:2.66-5ubuntu2.4
  https://launchpad.net/ubuntu/+source/libcap2/1:2.44-1ubuntu0.22.04.3
[USN-8192-1] NTFS-3G vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8192-1
April 21, 2026

ntfs-3g vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in NTFS-3G.

Software Description:
- ntfs-3g: read/write NTFS driver for FUSE

Details:

Jeffrey Bencteux discovered that NTFS-3G incorrectly handled certain UTF-8
sequences. An attacker could use this issue to cause NTFS-3G to crash,
resulting in a denial of service, or to execute arbitrary code. This issue
only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2023-52890)

Andrea Bocchetti discovered that NTFS-3G incorrectly handled certain
security descriptors. An attacker could use this issue to cause NTFS-3G to
crash, resulting in a denial of service, or to execute arbitrary code.
(CVE-2026-40706)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
  ntfs-3g                         1:2022.10.3-5ubuntu0.25.10.1

Ubuntu 24.04 LTS
  ntfs-3g                         1:2022.10.3-1.2ubuntu3.1

Ubuntu 22.04 LTS
  ntfs-3g                         1:2021.8.22-3ubuntu1.3

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8192-1
  CVE-2023-52890, CVE-2026-40706

Package Information:
  https://launchpad.net/ubuntu/+source/ntfs-3g/1:2022.10.3-5ubuntu0.25.10.1
  https://launchpad.net/ubuntu/+source/ntfs-3g/1:2022.10.3-1.2ubuntu3.1
  https://launchpad.net/ubuntu/+source/ntfs-3g/1:2021.8.22-3ubuntu1.3
OpenBSD Errata: April 21, 2026 (libxpm slaacd)
Errata patches for X11 libXpm and IPv6 slaacd have been released for OpenBSD 7.7 and 7.8. Binary updates for the amd64, arm64 and i386 platforms are available via the syspatch utility. Source code patches can be found on the respective errata page:

https://www.openbsd.org/errata77.html
https://www.openbsd.org/errata78.html
Sunday, April 19, 2026
[USN-8179-2] Linux kernel (FIPS) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8179-2
April 17, 2026

linux-aws-fips, linux-fips, linux-gcp-fips vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-aws-fips: Linux kernel for Amazon Web Services (AWS) systems with FIPS
- linux-fips: Linux kernel with FIPS
- linux-gcp-fips: Linux kernel for Google Cloud Platform (GCP) systems with FIPS

Details:

Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo
Rizzo discovered that some AMD Zen processors did not properly verify the
signature of CPU microcode. This flaw is known as EntrySign. A privileged
attacker could possibly use this issue to load malicious CPU microcode,
causing loss of integrity and confidentiality. (CVE-2024-36347)

Several security issues were discovered in the Linux kernel. An attacker
could possibly use these to compromise the system.
This update corrects flaws in the following subsystems: - MIPS architecture; - PowerPC architecture; - x86 architecture; - Block layer subsystem; - Cryptographic API; - ACPI drivers; - Network block device driver; - Bluetooth drivers; - Character device driver; - TPM device driver; - Clock framework and drivers; - Data acquisition framework and drivers; - Hardware crypto device drivers; - GPU drivers; - Hardware monitoring drivers; - InfiniBand drivers; - Input Device core drivers; - IOMMU subsystem; - IRQ chip drivers; - Macintosh device drivers; - Multiple devices driver; - Media drivers; - Network drivers; - Mellanox network drivers; - STMicroelectronics network drivers; - Ethernet team driver; - MediaTek network drivers; - NVME drivers; - PA-RISC drivers; - Chrome hardware platform drivers; - x86 platform drivers; - Voltage and Current Regulator drivers; - SCSI subsystem; - SPI subsystem; - Media Oriented Systems Transport (MOST) driver; - Realtek RTL8723BS SDIO drivers; - TCM subsystem; - USB Host Controller drivers; - USB Type-C Connector System Software Interface driver; - Backlight driver; - Watchdog drivers; - BFS file system; - BTRFS file system; - Ext4 file system; - F2FS file system; - FUSE (File system in Userspace); - HFS+ file system; - File systems infrastructure; - Journaling layer for block devices (JBD2); - Network file system (NFS) client; - File system notification infrastructure; - NTFS3 file system; - OCFS2 file system; - SMB network file system; - BPF subsystem; - Ethernet bridge; - io_uring subsystem; - Locking primitives; - Scheduler infrastructure; - Shadow Call Stack mechanism; - Tracing infrastructure; - Memory management; - CAIF protocol; - Ceph Core library; - Networking core; - Ethtool driver; - Handshake API; - HSR network protocol; - IPv4 networking; - IPv6 networking; - MAC80211 subsystem; - Multipath TCP; - Netfilter; - NET/ROM layer; - NFC subsystem; - Open vSwitch; - Rose network layer; - Network traffic control; - Network 
sockets; - Sun RPC protocol; - Integrity Measurement Architecture(IMA) framework; - Key management; - Simplified Mandatory Access Control Kernel framework; - FireWire sound drivers; - HD-audio driver; - Turtle Beach Wavefront ALSA driver; - STMicroelectronics SoC drivers; - USB sound devices; - KVM subsystem; (CVE-2024-57795, CVE-2025-22022, CVE-2025-22111, CVE-2025-38022, CVE-2025-38234, CVE-2025-40164, CVE-2025-40325, CVE-2025-68206, CVE-2025-68254, CVE-2025-68255, CVE-2025-68256, CVE-2025-68257, CVE-2025-68258, CVE-2025-68259, CVE-2025-68261, CVE-2025-68263, CVE-2025-68264, CVE-2025-68265, CVE-2025-68266, CVE-2025-68291, CVE-2025-68325, CVE-2025-68332, CVE-2025-68335, CVE-2025-68336, CVE-2025-68337, CVE-2025-68344, CVE-2025-68345, CVE-2025-68346, CVE-2025-68347, CVE-2025-68349, CVE-2025-68354, CVE-2025-68362, CVE-2025-68363, CVE-2025-68364, CVE-2025-68366, CVE-2025-68367, CVE-2025-68369, CVE-2025-68371, CVE-2025-68372, CVE-2025-68374, CVE-2025-68378, CVE-2025-68379, CVE-2025-68380, CVE-2025-68724, CVE-2025-68727, CVE-2025-68728, CVE-2025-68732, CVE-2025-68733, CVE-2025-68740, CVE-2025-68741, CVE-2025-68742, CVE-2025-68744, CVE-2025-68746, CVE-2025-68753, CVE-2025-68755, CVE-2025-68756, CVE-2025-68757, CVE-2025-68758, CVE-2025-68759, CVE-2025-68763, CVE-2025-68764, CVE-2025-68765, CVE-2025-68766, CVE-2025-68767, CVE-2025-68769, CVE-2025-68770, CVE-2025-68771, CVE-2025-68772, CVE-2025-68773, CVE-2025-68774, CVE-2025-68775, CVE-2025-68776, CVE-2025-68777, CVE-2025-68778, CVE-2025-68780, CVE-2025-68782, CVE-2025-68783, CVE-2025-68785, CVE-2025-68786, CVE-2025-68787, CVE-2025-68788, CVE-2025-68794, CVE-2025-68795, CVE-2025-68796, CVE-2025-68797, CVE-2025-68798, CVE-2025-68799, CVE-2025-68800, CVE-2025-68801, CVE-2025-68804, CVE-2025-68806, CVE-2025-68808, CVE-2025-68809, CVE-2025-68810, CVE-2025-68811, CVE-2025-68813, CVE-2025-68814, CVE-2025-68815, CVE-2025-68816, CVE-2025-68817, CVE-2025-68818, CVE-2025-68819, CVE-2025-68820, CVE-2025-68821, CVE-2025-71064, 
CVE-2025-71065, CVE-2025-71066, CVE-2025-71067, CVE-2025-71068, CVE-2025-71069, CVE-2025-71071, CVE-2025-71072, CVE-2025-71075, CVE-2025-71077, CVE-2025-71078, CVE-2025-71079, CVE-2025-71081, CVE-2025-71082, CVE-2025-71083, CVE-2025-71084, CVE-2025-71085, CVE-2025-71086, CVE-2025-71087, CVE-2025-71088, CVE-2025-71089, CVE-2025-71091, CVE-2025-71093, CVE-2025-71094, CVE-2025-71095, CVE-2025-71096, CVE-2025-71097, CVE-2025-71098, CVE-2025-71101, CVE-2025-71102, CVE-2025-71104, CVE-2025-71105, CVE-2025-71107, CVE-2025-71108, CVE-2025-71109, CVE-2025-71111, CVE-2025-71112, CVE-2025-71113, CVE-2025-71114, CVE-2025-71116, CVE-2025-71118, CVE-2025-71119, CVE-2025-71120, CVE-2025-71121, CVE-2025-71122, CVE-2025-71123, CVE-2025-71125, CVE-2025-71126, CVE-2025-71127, CVE-2025-71130, CVE-2025-71131, CVE-2025-71132, CVE-2025-71133, CVE-2025-71135, CVE-2025-71136, CVE-2025-71137, CVE-2025-71138, CVE-2025-71140, CVE-2025-71141, CVE-2025-71143, CVE-2025-71144, CVE-2025-71147, CVE-2025-71148, CVE-2025-71149, CVE-2025-71150, CVE-2025-71151, CVE-2025-71153, CVE-2025-71154, CVE-2026-23209)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  linux-image-6.8.0-1052-aws-fips  6.8.0-1052.55+fips1
                                   Available with Ubuntu Pro
  linux-image-6.8.0-1054-gcp-fips  6.8.0-1054.57+fips1
                                   Available with Ubuntu Pro
  linux-image-6.8.0-110-fips       6.8.0-110.110+fips2
                                   Available with Ubuntu Pro
  linux-image-aws-fips             6.8.0-1052.55+fips1
                                   Available with Ubuntu Pro
  linux-image-aws-fips-6.8         6.8.0-1052.55+fips1
                                   Available with Ubuntu Pro
  linux-image-fips                 6.8.0-110.110+fips2
                                   Available with Ubuntu Pro
  linux-image-fips-6.8             6.8.0-110.110+fips2
                                   Available with Ubuntu Pro
  linux-image-gcp-fips             6.8.0-1054.57+fips1
                                   Available with Ubuntu Pro
  linux-image-gcp-fips-6.8         6.8.0-1054.57+fips1
                                   Available with Ubuntu Pro

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-8179-2 https://ubuntu.com/security/notices/USN-8179-1 CVE-2024-36347, CVE-2024-57795, CVE-2025-22022, CVE-2025-22111, CVE-2025-38022, CVE-2025-38234, CVE-2025-40164, CVE-2025-40325, CVE-2025-68206, CVE-2025-68254, CVE-2025-68255, CVE-2025-68256, CVE-2025-68257, CVE-2025-68258, CVE-2025-68259, CVE-2025-68261, CVE-2025-68263, CVE-2025-68264, CVE-2025-68265, CVE-2025-68266, CVE-2025-68291, CVE-2025-68325, CVE-2025-68332, CVE-2025-68335, CVE-2025-68336, CVE-2025-68337, CVE-2025-68344, CVE-2025-68345, CVE-2025-68346, CVE-2025-68347, CVE-2025-68349, CVE-2025-68354, CVE-2025-68362, CVE-2025-68363, CVE-2025-68364, CVE-2025-68366, CVE-2025-68367, CVE-2025-68369, CVE-2025-68371, CVE-2025-68372, CVE-2025-68374, CVE-2025-68378, CVE-2025-68379, CVE-2025-68380, CVE-2025-68724, CVE-2025-68727, CVE-2025-68728, CVE-2025-68732, CVE-2025-68733, CVE-2025-68740, CVE-2025-68741, CVE-2025-68742, CVE-2025-68744, CVE-2025-68746, CVE-2025-68753, CVE-2025-68755, CVE-2025-68756, CVE-2025-68757, CVE-2025-68758, CVE-2025-68759, CVE-2025-68763, CVE-2025-68764, CVE-2025-68765, CVE-2025-68766, CVE-2025-68767, CVE-2025-68769, CVE-2025-68770, CVE-2025-68771, CVE-2025-68772, CVE-2025-68773, CVE-2025-68774, CVE-2025-68775, CVE-2025-68776, CVE-2025-68777, CVE-2025-68778, CVE-2025-68780, CVE-2025-68782, CVE-2025-68783, CVE-2025-68785, CVE-2025-68786, CVE-2025-68787, CVE-2025-68788, CVE-2025-68794, CVE-2025-68795, CVE-2025-68796, CVE-2025-68797, CVE-2025-68798, CVE-2025-68799, CVE-2025-68800, CVE-2025-68801, CVE-2025-68804, CVE-2025-68806, 
CVE-2025-68808, CVE-2025-68809, CVE-2025-68810, CVE-2025-68811, CVE-2025-68813, CVE-2025-68814, CVE-2025-68815, CVE-2025-68816, CVE-2025-68817, CVE-2025-68818, CVE-2025-68819, CVE-2025-68820, CVE-2025-68821, CVE-2025-71064, CVE-2025-71065, CVE-2025-71066, CVE-2025-71067, CVE-2025-71068, CVE-2025-71069, CVE-2025-71071, CVE-2025-71072, CVE-2025-71075, CVE-2025-71077, CVE-2025-71078, CVE-2025-71079, CVE-2025-71081, CVE-2025-71082, CVE-2025-71083, CVE-2025-71084, CVE-2025-71085, CVE-2025-71086, CVE-2025-71087, CVE-2025-71088, CVE-2025-71089, CVE-2025-71091, CVE-2025-71093, CVE-2025-71094, CVE-2025-71095, CVE-2025-71096, CVE-2025-71097, CVE-2025-71098, CVE-2025-71101, CVE-2025-71102, CVE-2025-71104, CVE-2025-71105, CVE-2025-71107, CVE-2025-71108, CVE-2025-71109, CVE-2025-71111, CVE-2025-71112, CVE-2025-71113, CVE-2025-71114, CVE-2025-71116, CVE-2025-71118, CVE-2025-71119, CVE-2025-71120, CVE-2025-71121, CVE-2025-71122, CVE-2025-71123, CVE-2025-71125, CVE-2025-71126, CVE-2025-71127, CVE-2025-71130, CVE-2025-71131, CVE-2025-71132, CVE-2025-71133, CVE-2025-71135, CVE-2025-71136, CVE-2025-71137, CVE-2025-71138, CVE-2025-71140, CVE-2025-71141, CVE-2025-71143, CVE-2025-71144, CVE-2025-71147, CVE-2025-71148, CVE-2025-71149, CVE-2025-71150, CVE-2025-71151, CVE-2025-71153, CVE-2025-71154, CVE-2026-23209 Package Information: https://launchpad.net/ubuntu/+source/linux-aws-fips/6.8.0-1052.55+fips1 https://launchpad.net/ubuntu/+source/linux-fips/6.8.0-110.110+fips2 https://launchpad.net/ubuntu/+source/linux-gcp-fips/6.8.0-1054.57+fips1
[USN-8185-1] Linux kernel (NVIDIA) vulnerabilities
==========================================================================
Ubuntu Security Notice USN-8185-1
April 17, 2026

linux-nvidia, linux-nvidia-6.8 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in the Linux kernel.

Software Description:
- linux-nvidia: Linux kernel for NVIDIA systems
- linux-nvidia-6.8: Linux kernel for NVIDIA systems

Details:

Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo
Rizzo discovered that some AMD Zen processors did not properly verify the
signature of CPU microcode. This flaw is known as EntrySign. A privileged
attacker could possibly use this issue to load malicious CPU microcode,
causing loss of integrity and confidentiality. (CVE-2024-36347)

Several security issues were discovered in the Linux kernel. An attacker
could possibly use these to compromise the system.
This update corrects flaws in the following subsystems: - MIPS architecture; - PowerPC architecture; - x86 architecture; - Block layer subsystem; - Cryptographic API; - ACPI drivers; - Network block device driver; - Bluetooth drivers; - Character device driver; - TPM device driver; - Clock framework and drivers; - Data acquisition framework and drivers; - Hardware crypto device drivers; - GPU drivers; - Hardware monitoring drivers; - InfiniBand drivers; - Input Device core drivers; - IOMMU subsystem; - IRQ chip drivers; - Macintosh device drivers; - Multiple devices driver; - Media drivers; - Network drivers; - Mellanox network drivers; - STMicroelectronics network drivers; - Ethernet team driver; - MediaTek network drivers; - NVME drivers; - PA-RISC drivers; - Chrome hardware platform drivers; - x86 platform drivers; - Voltage and Current Regulator drivers; - SCSI subsystem; - SPI subsystem; - Media Oriented Systems Transport (MOST) driver; - Realtek RTL8723BS SDIO drivers; - TCM subsystem; - USB Host Controller drivers; - USB Type-C Connector System Software Interface driver; - Backlight driver; - Watchdog drivers; - BFS file system; - BTRFS file system; - Ext4 file system; - F2FS file system; - FUSE (File system in Userspace); - HFS+ file system; - File systems infrastructure; - Journaling layer for block devices (JBD2); - Network file system (NFS) client; - File system notification infrastructure; - NTFS3 file system; - OCFS2 file system; - SMB network file system; - BPF subsystem; - Ethernet bridge; - io_uring subsystem; - Locking primitives; - Scheduler infrastructure; - Shadow Call Stack mechanism; - Tracing infrastructure; - Memory management; - CAIF protocol; - Ceph Core library; - Networking core; - Ethtool driver; - Handshake API; - HSR network protocol; - IPv4 networking; - IPv6 networking; - MAC80211 subsystem; - Multipath TCP; - Netfilter; - NET/ROM layer; - NFC subsystem; - Open vSwitch; - Rose network layer; - Network traffic control; - Network 
sockets; - Sun RPC protocol; - Integrity Measurement Architecture(IMA) framework; - Key management; - Simplified Mandatory Access Control Kernel framework; - FireWire sound drivers; - HD-audio driver; - Turtle Beach Wavefront ALSA driver; - STMicroelectronics SoC drivers; - USB sound devices; - KVM subsystem; (CVE-2024-57795, CVE-2025-22022, CVE-2025-22111, CVE-2025-38022, CVE-2025-38234, CVE-2025-40164, CVE-2025-40325, CVE-2025-68206, CVE-2025-68254, CVE-2025-68255, CVE-2025-68256, CVE-2025-68257, CVE-2025-68258, CVE-2025-68259, CVE-2025-68261, CVE-2025-68263, CVE-2025-68264, CVE-2025-68265, CVE-2025-68266, CVE-2025-68291, CVE-2025-68325, CVE-2025-68332, CVE-2025-68335, CVE-2025-68336, CVE-2025-68337, CVE-2025-68344, CVE-2025-68345, CVE-2025-68346, CVE-2025-68347, CVE-2025-68349, CVE-2025-68354, CVE-2025-68362, CVE-2025-68363, CVE-2025-68364, CVE-2025-68366, CVE-2025-68367, CVE-2025-68369, CVE-2025-68371, CVE-2025-68372, CVE-2025-68374, CVE-2025-68378, CVE-2025-68379, CVE-2025-68380, CVE-2025-68724, CVE-2025-68727, CVE-2025-68728, CVE-2025-68732, CVE-2025-68733, CVE-2025-68740, CVE-2025-68741, CVE-2025-68742, CVE-2025-68744, CVE-2025-68753, CVE-2025-68755, CVE-2025-68756, CVE-2025-68757, CVE-2025-68758, CVE-2025-68759, CVE-2025-68763, CVE-2025-68764, CVE-2025-68765, CVE-2025-68766, CVE-2025-68767, CVE-2025-68769, CVE-2025-68770, CVE-2025-68771, CVE-2025-68772, CVE-2025-68773, CVE-2025-68774, CVE-2025-68775, CVE-2025-68776, CVE-2025-68777, CVE-2025-68778, CVE-2025-68780, CVE-2025-68782, CVE-2025-68783, CVE-2025-68785, CVE-2025-68786, CVE-2025-68787, CVE-2025-68788, CVE-2025-68794, CVE-2025-68795, CVE-2025-68796, CVE-2025-68797, CVE-2025-68798, CVE-2025-68799, CVE-2025-68800, CVE-2025-68801, CVE-2025-68804, CVE-2025-68806, CVE-2025-68808, CVE-2025-68809, CVE-2025-68810, CVE-2025-68811, CVE-2025-68813, CVE-2025-68814, CVE-2025-68815, CVE-2025-68816, CVE-2025-68817, CVE-2025-68818, CVE-2025-68819, CVE-2025-68820, CVE-2025-68821, CVE-2025-71064, CVE-2025-71065, 
CVE-2025-71066, CVE-2025-71067, CVE-2025-71068, CVE-2025-71069, CVE-2025-71071, CVE-2025-71072, CVE-2025-71075, CVE-2025-71077, CVE-2025-71078, CVE-2025-71079, CVE-2025-71081, CVE-2025-71082, CVE-2025-71083, CVE-2025-71084, CVE-2025-71085, CVE-2025-71086, CVE-2025-71087, CVE-2025-71088, CVE-2025-71089, CVE-2025-71091, CVE-2025-71093, CVE-2025-71094, CVE-2025-71095, CVE-2025-71096, CVE-2025-71097, CVE-2025-71098, CVE-2025-71101, CVE-2025-71102, CVE-2025-71104, CVE-2025-71105, CVE-2025-71107, CVE-2025-71108, CVE-2025-71109, CVE-2025-71111, CVE-2025-71112, CVE-2025-71113, CVE-2025-71114, CVE-2025-71116, CVE-2025-71118, CVE-2025-71119, CVE-2025-71120, CVE-2025-71121, CVE-2025-71122, CVE-2025-71123, CVE-2025-71125, CVE-2025-71126, CVE-2025-71127, CVE-2025-71130, CVE-2025-71131, CVE-2025-71132, CVE-2025-71133, CVE-2025-71135, CVE-2025-71136, CVE-2025-71137, CVE-2025-71138, CVE-2025-71140, CVE-2025-71141, CVE-2025-71143, CVE-2025-71144, CVE-2025-71147, CVE-2025-71148, CVE-2025-71149, CVE-2025-71150, CVE-2025-71151, CVE-2025-71153, CVE-2025-71154, CVE-2026-23209)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  linux-image-6.8.0-1051-nvidia       6.8.0-1051.54
  linux-image-6.8.0-1051-nvidia-64k   6.8.0-1051.54
  linux-image-nvidia                  6.8.0-1051.54
  linux-image-nvidia-6.8              6.8.0-1051.54
  linux-image-nvidia-64k              6.8.0-1051.54
  linux-image-nvidia-64k-6.8          6.8.0-1051.54

Ubuntu 22.04 LTS
  linux-image-6.8.0-1051-nvidia       6.8.0-1051.54~22.04.1
  linux-image-6.8.0-1051-nvidia-64k   6.8.0-1051.54~22.04.1
  linux-image-nvidia-6.8              6.8.0-1051.54~22.04.1
  linux-image-nvidia-64k-6.8          6.8.0-1051.54~22.04.1
  linux-image-nvidia-64k-hwe-22.04    6.8.0-1051.54~22.04.1
  linux-image-nvidia-hwe-22.04        6.8.0-1051.54~22.04.1

After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-8185-1 CVE-2024-36347, CVE-2024-57795, CVE-2025-22022, CVE-2025-22111, CVE-2025-38022, CVE-2025-38234, CVE-2025-40164, CVE-2025-40325, CVE-2025-68206, CVE-2025-68254, CVE-2025-68255, CVE-2025-68256, CVE-2025-68257, CVE-2025-68258, CVE-2025-68259, CVE-2025-68261, CVE-2025-68263, CVE-2025-68264, CVE-2025-68265, CVE-2025-68266, CVE-2025-68291, CVE-2025-68325, CVE-2025-68332, CVE-2025-68335, CVE-2025-68336, CVE-2025-68337, CVE-2025-68344, CVE-2025-68345, CVE-2025-68346, CVE-2025-68347, CVE-2025-68349, CVE-2025-68354, CVE-2025-68362, CVE-2025-68363, CVE-2025-68364, CVE-2025-68366, CVE-2025-68367, CVE-2025-68369, CVE-2025-68371, CVE-2025-68372, CVE-2025-68374, CVE-2025-68378, CVE-2025-68379, CVE-2025-68380, CVE-2025-68724, CVE-2025-68727, CVE-2025-68728, CVE-2025-68732, CVE-2025-68733, CVE-2025-68740, CVE-2025-68741, CVE-2025-68742, CVE-2025-68744, CVE-2025-68753, CVE-2025-68755, CVE-2025-68756, CVE-2025-68757, CVE-2025-68758, CVE-2025-68759, CVE-2025-68763, CVE-2025-68764, CVE-2025-68765, CVE-2025-68766, CVE-2025-68767, CVE-2025-68769, CVE-2025-68770, CVE-2025-68771, CVE-2025-68772, CVE-2025-68773, CVE-2025-68774, CVE-2025-68775, CVE-2025-68776, CVE-2025-68777, CVE-2025-68778, CVE-2025-68780, CVE-2025-68782, CVE-2025-68783, CVE-2025-68785, CVE-2025-68786, CVE-2025-68787, CVE-2025-68788, CVE-2025-68794, CVE-2025-68795, CVE-2025-68796, CVE-2025-68797, CVE-2025-68798, CVE-2025-68799, CVE-2025-68800, CVE-2025-68801, CVE-2025-68804, CVE-2025-68806, CVE-2025-68808, CVE-2025-68809, CVE-2025-68810, CVE-2025-68811, 
CVE-2025-68813, CVE-2025-68814, CVE-2025-68815, CVE-2025-68816, CVE-2025-68817, CVE-2025-68818, CVE-2025-68819, CVE-2025-68820, CVE-2025-68821, CVE-2025-71064, CVE-2025-71065, CVE-2025-71066, CVE-2025-71067, CVE-2025-71068, CVE-2025-71069, CVE-2025-71071, CVE-2025-71072, CVE-2025-71075, CVE-2025-71077, CVE-2025-71078, CVE-2025-71079, CVE-2025-71081, CVE-2025-71082, CVE-2025-71083, CVE-2025-71084, CVE-2025-71085, CVE-2025-71086, CVE-2025-71087, CVE-2025-71088, CVE-2025-71089, CVE-2025-71091, CVE-2025-71093, CVE-2025-71094, CVE-2025-71095, CVE-2025-71096, CVE-2025-71097, CVE-2025-71098, CVE-2025-71101, CVE-2025-71102, CVE-2025-71104, CVE-2025-71105, CVE-2025-71107, CVE-2025-71108, CVE-2025-71109, CVE-2025-71111, CVE-2025-71112, CVE-2025-71113, CVE-2025-71114, CVE-2025-71116, CVE-2025-71118, CVE-2025-71119, CVE-2025-71120, CVE-2025-71121, CVE-2025-71122, CVE-2025-71123, CVE-2025-71125, CVE-2025-71126, CVE-2025-71127, CVE-2025-71130, CVE-2025-71131, CVE-2025-71132, CVE-2025-71133, CVE-2025-71135, CVE-2025-71136, CVE-2025-71137, CVE-2025-71138, CVE-2025-71140, CVE-2025-71141, CVE-2025-71143, CVE-2025-71144, CVE-2025-71147, CVE-2025-71148, CVE-2025-71149, CVE-2025-71150, CVE-2025-71151, CVE-2025-71153, CVE-2025-71154, CVE-2026-23209 Package Information: https://launchpad.net/ubuntu/+source/linux-nvidia/6.8.0-1051.54 https://launchpad.net/ubuntu/+source/linux-nvidia-6.8/6.8.0-1051.54~22.04.1
LibreSSL 4.3.1 released
We have released LibreSSL 4.3.1, which will be arriving in the LibreSSL
directory of your local OpenBSD mirror soon. This is a development release
for the 4.3.x branch, so we appreciate early testing and feedback. There
will be no further API and ABI changes on the 4.3 branch.

It includes a build fix from 4.3.0 and the following changes:

  * Internal improvements
    - Remove the unused sequence number from X509_REVOKED.
    - Replace a call to atoi() with strtonum() in nc(1) and replace a
      misleading use of ntohs() with htons().
    - openssl(1) speed now uses HMAC-SHA256 for its hmac benchmark.
    - Reimplemented only use of ASN1_PRINTABLE_type() in openssl(1) ca.
      The API will be removed in an upcoming release.
    - Add curve NID to EC_POINT objects so the library has a clue on
      which curve a given EC_POINT is supposed to live.
    - Use curve NID to check for compatibility between group and points
      in various EC API. This isn't 100% failsafe but good enough for
      sane uses.
    - Require SSE in order to use gcm_{gmult,ghash}_4bit_mmx(). On rare
      i386 machines supporting MMX but not SSE this could result in an
      illegal instruction.
    - Cleaned up asn1t.h to make it somewhat readable and more robust by
      using C99 initializers in particular.
    - Further assembly macro improvements for -portable.
    - Add fast path for well-known DH primes in DH_check() (including
      those from RFC 7919). Some projects still fiddle with this in 2025.
    - Rewrite ec_point_cmp() for readability and robustness.
    - Improve EVP_{Open,Seal}Init() internals. This is legacy API that
      cannot be removed since one scripting language still exposes it.
    - ASN1_BIT_STRING_set_bit() now trims trailing zero bits itself
      rather than relying on i2c_ASN1_BIT_STRING() to do that when
      encoding.
    - Fix and add workarounds to libtls to improve const correctness and
      to avoid warnings when compiling with OpenSSL 4.
    - Prefix EC_KEY methods with ec_key_ to avoid problems in some static
      links.
    - Remove mac_packet, a leftover from accepting SSLv2 ClientHellos.
    - Remove ssl_server_legacy_first_packet().
    - In addition to what was done in LibreSSL 4.0 for the version
      handling, disable TLSv1.1 and lower also on the method level.
    - Remove workaround for SSL 3.0/TLS 1.0 CBC vulnerability.
    - Refactor ocsp_find_signer_sk() to avoid neglecting the ASN.1's
      semantics by direct reaching into deeply nested OCSP structures.

  * Compatibility changes
    - Expose X509_VERIFY_PARAM_set_hostflags() as a public symbol.
    - Provide SSL_SESSION_dup().
    - BIGNUMs now use the C99 types uint64_t/uint32_t for the word width.
      Fixes long-standing issues with 32-bit longs on 64-bit Windows.
    - Many unused BN_* macros with incomprehensible names were removed:
      BN_LONG, BN_BITS{,4}, BN_MASK2{,l,h,h1}, BN_TBIT, BN_DEC_CONV,
      BN_{DEC,HEX}_FMT{1,2}, ...
    - openssl(1) cms no longer accepts the unsupported -compress and
      -uncompress switches.
    - Added PKCS7_NO_DUAL_CONTENT flag/behavior. This is incorrect legacy
      behavior but some language bindings decided to rely on it in 2025.
    - Remove STABLE_FLAGS_MALLOC but keep STABLE_NO_MASK because there is
      still one user...
    - Fix ASN1_ADB_END macro to have compatible signature with OpenSSL.
      The adb_cb() argument is currently ignored.
    - Unexport ASN1_LONG_UNDEF.

  * New features
    - Support for MLKEM768_X25519 keyshare in TLS.
      https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
    - Added ML-KEM benchmarks to openssl(1) speed.
    - Added support for starttls protocol sieve.
    - Add support for RSASSA-PSS with pubkey OID RSASSA-PSS to libssl.

  * Bug fixes
    - Ensure the group selected by a TLSv1.3 server for a
      HelloRetryRequest is not one for which the client has already sent
      a key share.
    - Plug memory leak in CMS_EncryptedData_encrypt().
    - Plug possible memory leak and double free in nref_nos().
    - Removed always zero test results for some no longer available
      legacy primitives in openssl(1) speed.
    - List SHA-3 digests in openssl(1) help output.
    - Fix encoding of bit strings with trailing zeroes on which
      ASN1_STRING_FLAG_BITS_LEFT is not set.
    - Add missing NULL pointer check to PKCS12_item_decrypt_d2i().
    - Avoid type confusion leading to 1-byte read at address 0x00-0xff in
      PKCS#12 parsing.
    - Fix type confusion in timestamp response parsing for v2 signing
      certs.
    - Fix EVP_SealInit() to return 0 on error, not -1.
    - Replace incorrect strncmp() with strcmp() in CRL distribution point
      config parsing.
    - openssl x509 -text writes its output to the file specified by -out
      like all other openssl(1) subcommands.
    - Stop Delta CRL processing in the verifier if the cRLNumber is
      missing. This is flagged on deserialization, but nothing checks
      that flag. This can lead to a NULL dereference if the verification
      has enabled Delta CRL checking by setting X509_V_FLAG_USE_DELTAS.
    - Fix NULL dereference that can be triggered with malformed OAEP
      parameter encoding for CMS decryption.
    - Add missing length checks before BIO_new_mem_buf() in libtls.
    - Improve libtls error reporting consistency, avoid reporting
      unrelated errnos.
    - Fix SAN dNSName constraints: instead of substring matching, match
      exactly and allow zero or more components in front of the
      candidate.

  * Reliability fix
    - Fix off-by-one error in the X.509 verifier depth checking. This can
      lead to a 4-byte overwrite on heap allocated memory for clients
      talking to a malicious server or for servers that have client
      certificate verification enabled. In addition, the maximum depth
      must be set to the maximum allowed value of 32.
      Thanks to Calif.io in collaboration with Claude and Anthropic
      Research, for reporting the issue.

The LibreSSL project continues improvement of the codebase to reflect
modern, safe programming practices. We welcome feedback and improvements
from the broader community. Thanks to all of the contributors who helped
make this release possible.
Saturday, April 18, 2026
LibreSSL 4.3.0 Released
We have released LibreSSL 4.3.0, which will be arriving in the LibreSSL
directory of your local OpenBSD mirror soon. This is a development release
for the 4.3.x branch, so we appreciate early testing and feedback. There
will be no further API and ABI changes on the 4.3 branch.

It includes the following changes:

  * Internal improvements
    - Remove the unused sequence number from X509_REVOKED.
    - Replace a call to atoi() with strtonum() in nc(1) and replace a
      misleading use of ntohs() with htons().
    - openssl(1) speed now uses HMAC-SHA256 for its hmac benchmark.
    - Reimplemented only use of ASN1_PRINTABLE_type() in openssl(1) ca.
      The API will be removed in an upcoming release.
    - Add curve NID to EC_POINT objects so the library has a clue on
      which curve a given EC_POINT is supposed to live.
    - Use curve NID to check for compatibility between group and points
      in various EC API. This isn't 100% failsafe but good enough for
      sane uses.
    - Require SSE in order to use gcm_{gmult,ghash}_4bit_mmx(). On rare
      i386 machines supporting MMX but not SSE this could result in an
      illegal instruction.
    - Cleaned up asn1t.h to make it somewhat readable and more robust by
      using C99 initializers in particular.
    - Further assembly macro improvements for -portable.
    - Add fast path for well-known DH primes in DH_check() (including
      those from RFC 7919). Some projects still fiddle with this in 2025.
    - Rewrite ec_point_cmp() for readability and robustness.
    - Improve EVP_{Open,Seal}Init() internals. This is legacy API that
      cannot be removed since one scripting language still exposes it.
    - ASN1_BIT_STRING_set_bit() now trims trailing zero bits itself
      rather than relying on i2c_ASN1_BIT_STRING() to do that when
      encoding.
    - Fix and add workarounds to libtls to improve const correctness and
      to avoid warnings when compiling with OpenSSL 4.
    - Prefix EC_KEY methods with ec_key_ to avoid problems in some static
      links.
    - Remove mac_packet, a leftover from accepting SSLv2 ClientHellos.
    - Remove ssl_server_legacy_first_packet().
    - In addition to what was done in LibreSSL 4.0 for the version
      handling, disable TLSv1.1 and lower also on the method level.
    - Remove workaround for SSL 3.0/TLS 1.0 CBC vulnerability.
    - Refactor ocsp_find_signer_sk() to avoid neglecting the ASN.1's
      semantics by direct reaching into deeply nested OCSP structures.

  * Compatibility changes
    - Expose X509_VERIFY_PARAM_set_hostflags() as a public symbol.
    - Provide SSL_SESSION_dup().
    - BIGNUMs now use the C99 types uint64_t/uint32_t for the word width.
      Fixes long-standing issues with 32-bit longs on 64-bit Windows.
    - Many unused BN_* macros with incomprehensible names were removed:
      BN_LONG, BN_BITS{,4}, BN_MASK2{,l,h,h1}, BN_TBIT, BN_DEC_CONV,
      BN_{DEC,HEX}_FMT{1,2}, ...
    - openssl(1) cms no longer accepts the unsupported -compress and
      -uncompress switches.
    - Added PKCS7_NO_DUAL_CONTENT flag/behavior. This is incorrect legacy
      behavior but some language bindings decided to rely on it in 2025.
    - Remove STABLE_FLAGS_MALLOC but keep STABLE_NO_MASK because there is
      still one user...
    - Fix ASN1_ADB_END macro to have compatible signature with OpenSSL.
      The adb_cb() argument is currently ignored.
    - Unexport ASN1_LONG_UNDEF.

  * New features
    - Support for MLKEM768_X25519 keyshare in TLS.
      https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
    - Added ML-KEM benchmarks to openssl(1) speed.
    - Added support for starttls protocol sieve.
    - Add support for RSASSA-PSS with pubkey OID RSASSA-PSS to libssl.

  * Bug fixes
    - Ensure the group selected by a TLSv1.3 server for a
      HelloRetryRequest is not one for which the client has already sent
      a key share.
    - Plug memory leak in CMS_EncryptedData_encrypt().
    - Plug possible memory leak and double free in nref_nos().
    - Removed always zero test results for some no longer available
      legacy primitives in openssl(1) speed.
    - List SHA-3 digests in openssl(1) help output.
    - Fix encoding of bit strings with trailing zeroes on which
      ASN1_STRING_FLAG_BITS_LEFT is not set.
    - Add missing NULL pointer check to PKCS12_item_decrypt_d2i().
    - Avoid type confusion leading to 1-byte read at address 0x00-0xff in
      PKCS#12 parsing.
    - Fix type confusion in timestamp response parsing for v2 signing
      certs.
    - Fix EVP_SealInit() to return 0 on error, not -1.
    - Replace incorrect strncmp() with strcmp() in CRL distribution point
      config parsing.
    - openssl x509 -text writes its output to the file specified by -out
      like all other openssl(1) subcommands.
    - Stop Delta CRL processing in the verifier if the cRLNumber is
      missing. This is flagged on deserialization, but nothing checks
      that flag. This can lead to a NULL dereference if the verification
      has enabled Delta CRL checking by setting X509_V_FLAG_USE_DELTAS.
    - Fix NULL dereference that can be triggered with malformed OAEP
      parameter encoding for CMS decryption.
    - Add missing length checks before BIO_new_mem_buf() in libtls.
    - Improve libtls error reporting consistency, avoid reporting
      unrelated errnos.
    - Fix SAN dNSName constraints: instead of substring matching, match
      exactly and allow zero or more components in front of the
      candidate.

  * Reliability fix
    - Fix off-by-one error in the X.509 verifier depth checking. This can
      lead to a 4-byte overwrite on heap allocated memory for clients
      talking to a malicious server or for servers that have client
      certificate verification enabled. In addition, the maximum depth
      must be set to the maximum allowed value of 32.
      Thanks to Calif.io in collaboration with Claude and Anthropic
      Research, for reporting the issue.

The LibreSSL project continues improvement of the codebase to reflect
modern, safe programming practices. We welcome feedback and improvements
from the broader community. Thanks to all of the contributors who helped
make this release possible.
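The "Fix SAN dNSName constraints" entry in both LibreSSL announcements above contrasts substring matching with label-aware matching. The following is an added example, not LibreSSL's code, that puts the two rules side by side. The function names and sample host names are hypothetical and constructed for illustration, and the label rule follows RFC 5280, section 4.2.1.10.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive comparison of n bytes; DNS names ignore case. */
static bool eq_nocase(const char *a, const char *b, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
			return false;
	return true;
}

/* Flawed rule: accept when the constraint occurs anywhere in the name. */
bool dns_constraint_substring(const char *name, const char *constraint)
{
	size_t nlen = strlen(name), clen = strlen(constraint);

	if (clen == 0 || nlen < clen)
		return false;
	for (size_t i = 0; i + clen <= nlen; i++)
		if (eq_nocase(name + i, constraint, clen))
			return true;
	return false;
}

/*
 * Label-aware rule (RFC 5280, section 4.2.1.10): the name must equal the
 * constraint, or be the constraint with whole labels added on the left.
 * Assumes both inputs are already syntactically valid host names; empty
 * inputs are rejected (a choice made for this example).
 */
bool dns_constraint_labels(const char *name, const char *constraint)
{
	size_t nlen = strlen(name), clen = strlen(constraint);

	if (clen == 0 || nlen < clen)
		return false;
	if (!eq_nocase(name + (nlen - clen), constraint, clen))
		return false;
	if (nlen == clen)
		return true;		/* exact match, zero labels in front */
	/* Extra text in front must be non-empty and end at a label boundary. */
	return nlen > clen + 1 && name[nlen - clen - 1] == '.';
}

int main(void)
{
	/* Constructed sample data: one permitted subtree and candidate SANs. */
	const char *constraint = "example.com";
	const char *names[] = {
		"example.com", "www.example.com", "a.b.EXAMPLE.com",
		"notexample.com", "example.com.other.test", "example.org",
	};

	printf("%-26s %-10s %s\n", "dNSName", "substring", "labels");
	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-26s %-10s %s\n", names[i],
		    dns_constraint_substring(names[i], constraint) ? "accept" : "reject",
		    dns_constraint_labels(names[i], constraint) ? "accept" : "reject");
	return 0;
}
```

The two rules disagree only on names that contain the constraint without ending in it at a label boundary, which is the case a permitted-subtree check has to reject.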