Zorin OS Update Overview

Changelogs:

For those who are interested in tracking updates but don't check their logs, I thought it may be a good idea for me to combine changelogs when new updates come out and put them up as forum posts (I don't work on Zorin OS, I'm just an excited user who reads changelogs).

In addition to this, there were some security updates that came out at the time of writing; however, those are not as exciting.

Technical description
Package: linux-firmware
This package provides firmware used by Linux kernel drivers.

Changes for linux-firmware versions:
Installed version: 20240318.git3b128b60-0ubuntu2.21
Available version: 20240318.git3b128b60-0ubuntu2.22

Version 20240318.git3b128b60-0ubuntu2.22:

  • Miscellaneous Ubuntu changes
    • [Workflow] Update the gitea workflow
    • [Workflow] Move checkout to top of workflow
  • [SRU] Upgrade Intel xe GUC to v70.49.4 for Intel Panther Lake (LP: #2127969)
    • xe: Update GUC to v70.49.4 for BMG, LNL, PTL
  • Support for Realtek audio solution ALC3329B+ALC1708B on new Dell PTL platform (LP: #2129952)
    • realtek: rt1321: Add patch firmware of MCU
  • [SRU][R/Q/N] mt7925: Support 802.11d and CQM events for roaming (LP: #2130381)
    • linux-firmware: update firmware for MT7925 WiFi device
  • RTL8922A BT USB: Bluetooth: hci0: RTL: download fw command failed (-13) (LP: #2131732)
    • rtl_bt: Update RTL8922A BT USB firmware to 0x41C0_C905
  • Support for Cirrus Logic audio solution CS42L43 with amplifiers on new Dell PTL platform (LP: #2131725)
    • cirrus: cs42l45: Add firmware for Cirrus Logic CS42L45 SDCA codec
    • cirrus: cs35l57: Add firmware for a few Dell products
  • Add TI tas2781 support for HP platforms (LP: #2133664)
    • tas2781: Upload dsp firmware for ASUS laptop 1EB30 & 1EB31
    • Add a link from TAS2XXX1EB3.bin -> ti/tas2781/TAS2XXX1EB30.bin
    • ASoC: tas2781: fix the license issue for tas781 firmware
    • linux-firmware: Create audio folder in ti folder, and move all the audio firmwares into it
    • ASoC: tas2781: Update dsp firmware for HP and ASUS projects
  • Update aic100 fw for power issues (LP: #2131936)
    • qcom: Update aic100 firmware files
    • qcom: Update aic100 firmware files
  • Support Qualcomm RB4 graphics firmware (LP: #2133787)
    • qcom: Update gpu firmwares for qcs8300 chipset
    • qcom: Update A623 GMU fw
  • Linux-firmware: Add qualcomm serial engine firmware qupv3fw.elf (LP: #2133923)
    • qcom: add QUPv3 firmware for QCS9100 platform
    • qcom: add QUPv3 firmware for QCM6490 platform
    • Adjust QUPv3 driver name
    • qcom: add QUPv3 firmware for QCS8300 platform
    • qcom: Add QCS6490 symlink for QUPv3 firmware
2 Likes

Howdy folks, once again another post: when I see something that appears to be a noteworthy update in my software updater, I'll post the changelog here. There is one other post I'll be making pretty shortly.

Technical description
Package: snapd
Install, configure, refresh and remove snap packages. Snaps are 'universal' packages that work across many different Linux systems, enabling secure distribution of the latest apps and utilities for cloud, servers, desktops and the internet of things.
Start with 'snap list' to see installed snaps.

Changes for snapd versions:
Installed version: 2.72+ubuntu24.04
Available version: 2.73+ubuntu24.04

Version 2.73+ubuntu24.04:

  • New upstream release, LP: #2132084
    • FDE: do not save incomplete FDE state when resealing was skipped
    • FDE: warn of inconsistent primary or policy counter
    • Confdb: document confdb in snapctl help messages
    • Confdb: only confdb hooks wait if snaps are disabled
    • Confdb: relax confdb change conflict checks
    • Confdb: remove empty parent when removing last leaf
    • Confdb: support parsing field filters
    • Confdb: wrap confdb write values under "values" key
    • dm-verity for essential snaps: add new naming convention for
      verity files
    • dm-verity for essential snaps: add snap integrity discovery
    • dm-verity for essential snaps: fix verity salt calculation
    • Assertions: add hardware identity assertion
    • Assertions: add integrity stanza in snap resources revisions
    • Assertions: add request message assertion required for remote
      device management
    • Assertions: add response-message assertion for secure remote
      device management
    • Assertions: expose WithStackedBackstore in RODatabase
    • Packaging: cross-distro | install upstream NEWS file into relevant
      snapd package doc directory
    • Packaging: cross-distro | tweak how the blocks injecting
      $SNAP_MOUNT_DIR/bin are generated as required for openSUSE
    • Packaging: remove deprecated snap-gdb-shim and all references now
      that snap run --gdb is unsupported and replaced by --gdbserver
    • Preseed: call systemd-tmpfiles instead handle-writable-paths on
      uc26
    • Preseed: do not remove the /snap dir but rather all its contents
      during reset
    • snap-confine: attach name derived from security tag to BPF maps
      and programs
    • snap-confine: ensure permitted capabilities match expectation
    • snap-confine: fix cached snap-confine profile cleanup to report
      the correct error instead of masking backend setup failures
    • snap-confine: Improve validation of user controlled paths
    • snap-confine: tighten snap cgroup checks to ensure a snap cannot
      start another snap in the same cgroup, preventing incorrect
      device-filter installation
    • core-initrd: add 26.04 ubuntu-core-initramfs package
    • core-initrd: add missing order dependency for setting default
      system files
    • core-initrd: avoid scanning loop and mmc boot partitions as the
      boot disk won't be any of these
    • core-initrd: make cpio a Depends and remove from Build-Depends
    • core-initrd: start plymouth sooner and reload when gadget is
      available
    • Cross-distro: modify syscheck to account for differences in
      openSUSE 16.0+
    • Validation sets: use in-flight validation sets when calling
      'snapctl install' from hook
    • Prompting: enable prompting for the camera interface
    • Prompting: remove polkit authentication when modifying/deleting
      prompting rules
    • LP: #2127189 Prompting: do not record notices for unchanged rules
      on snapd startup
    • AppArmor: add free and pidof to the template
    • AppArmor: adjust interfaces/profiles to cope with coreutils paths
    • Interfaces: add support for compatibility expressions
    • Interfaces: checkbox-support | complete overhaul
    • Interfaces: define vulkan-driver-libs, cuda-driver-libs, egl-
      driver-libs, gbm-driver-libs, opengl-driver-libs, and opengles-
      driver-libs
    • Interfaces: allow snaps on classic access to nvidia graphics
      libraries exported by *-driver-libs interfaces
    • Interfaces: fwupd | broaden access to /boot/efi/EFI
    • Interfaces: gsettings | set dconf-service as profile for
      ca.desrt.dconf.Writer
    • Interfaces: iscsi-initiator, dm-multipath, nvme-control | add new
      interfaces
    • Interfaces: opengl | grant read/write permission to /run/nvidia-
      persistenced/socket
    • interfaces: ros-snapd-support | add access to /v2/changes/
    • Interfaces: system-observe | read access to btrfs/ext4/zfs
      filesystem information
    • Interfaces: system-trace | allow /sys/kernel/tracing/** rw
    • Interfaces: usb-gadget | add support for ffs mounts in attributes
    • Add autocompletion to run command
    • Introduce option for disallowing auto-connection of a specific
      interface
    • Only log errors for user service operations performed as a part of
      snap removal
    • Patch snap names in service requests for parallel installed snaps
    • Simplify traits for eMMC special partitions
    • Strip apparmor_parser from debug symbols shrinking snapd size by
      ~3MB
    • Fix InstallPathMany skipping refresh control
    • Fix waiting for GDB helper to stop before attaching gdbserver
    • Protect the per-snap tmp directory against being reaped by age
    • Prevent disabling base snaps to ensure dependent snaps can be
      removed
    • Modify API endpoint /v2/logs to reject n <= 0 (except for special
      case -1 meaning all)
    • Avoid potential deadlock when task is injected after the change
      was aborted
    • Avoid race between store download stream and cache cleanup
      executing in parallel when invoked by snap download task
    • LP: #1851490 Use "current" instead of revision number for icons
    • LP: #2121853 Add snapctl version command
    • LP: #2127214 Ensure no more than one partition on disk can match a
      gadget partition
    • LP: #2127244 snap-confine: update AppArmor profile to allow
      read/write to journal as workaround for snap-confine fd
      inheritance prevented by newer AppArmor
    • LP: #2127766 Add new tracing mechanism with independently running
      strace and shim synchronization

It still would not stop me from removing snapd and flatpak, post-install.

2 Likes

Another interesting update in the logs given the recent forum posts related to MediaTek audio issues, fingers crossed this helps some of those folks out.

Technical description
Package: alsa-ucm-conf
This package contains ALSA Use Case Manager configuration of audio input/output names and routing for specific audio hardware. They can be used with the alsaucm tool.
ALSA is the Advanced Linux Sound Architecture.

Changes for alsa-ucm-conf versions:
Installed version: 1.2.10-1ubuntu5.7
Available version: 1.2.10-1ubuntu5.8

Version 1.2.10-1ubuntu5.8:

  • Fix missing audio support for MediaTek Genio EVK platforms (LP: #2126737)
    by creating the following patches based on upstream commits:
    • d/p/0001-ucm2-MediaTek-mt8370-evk-Add-dynamic-configuration-f.patch
    • d/p/0002-ucm2-MediaTek-mt8390-evk-Add-dynamic-configuration-f.patch
    • d/p/0003-ucm2-MediaTek-mt8395-evk-Add-dynamic-configuration-f.patch
    • d/p/0004-ucm2-MediaTek-mt8370-evk-Add-headset-jack-detection.patch
    • d/p/0005-ucm2-MediaTek-mt8390-evk-Add-headset-jack-detection.patch
    • d/p/0006-ucm2-MediaTek-mt8395-evk-Add-headset-jack-detection.patch
    • d/p/0007-ucm2-MediaTek-mt8390-evk-Add-support-for-SOF.patch
    • d/p/0008-ucm2-MediaTek-mt8365-evk-Add-SOF-support.patch
    • d/p/0009-ucm2-MediaTek-mt8395-evk-Add-support-for-SOF.patch

I think it would be better if you post all update news about packages collected in one thread and don't create a separate thread for each package.

2 Likes

Can do,

It will be a very long thread :slight_smile:

Hm, yes, that's right, there's already quite a lot and there are so many updates every day. Perhaps you'd prefer to show how to access the change logs - then anyone who wants to view them can do so themselves?

...but it would be chronological.

I am thinking users may stumble on these posts if they searched for something e.g. MediaTek... so would find that update and when.

I have put your update threads in this one to keep them together, so it is bundled. Please post future stuff in here. And I renamed it to make clear that it offers an overview of the updates.

2 Likes

Thank you for doing this!
The next post will be on the next updates when they arrive :slight_smile:

1 Like

Howdy folks, a set of security updates surrounding the HEIF file format decoder.
All packages share the same changelogs bar the description:

  • SECURITY UPDATE: Denial of Service
    • debian/patches/CVE-2024-25269.patch: Fix memory leaks in function
      JpegEncoder::Encode
    • CVE-2024-25269

According to the above CVE's patch notes, this is a description of what was fixed:

libheif <= 1.17.6 contains a memory leak in the function JpegEncoder::Encode. This flaw allows an attacker to cause a denial of service attack.

  • SECURITY UPDATE: Buffer Overflow
    • debian/patches/CVE-2025-68431.patch: Fix wrong copy width in
      overlay images, thanks to Aldo Ristori
    • CVE-2025-68431

According to the above CVE's patch notes, this is a description of what was fixed:

libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in HeifPixelImage::overlay(). The function computes a negative row length (likely from an unclipped overlay rectangle or invalid offsets), which then underflows when converted to size_t and is passed to memcpy, causing a very large read past the end of the source plane and a crash. Version 1.21.0 contains a patch. As a workaround, avoid decoding images using iovl overlay boxes.

Security updates are always crucial and it's great to see, especially given the buffer overflow was published:

Published: 2025-12-29

Updated: 2025-12-29

Whereas the Denial of Service was published:

Published: 2024-03-05

Updated: 2024-03-05
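As an added illustration (not libheif's code), the clipping discipline that closes the hole described in the CVE-2025-68431 text above: the overlay rectangle is intersected with the canvas before any row length is computed, so the length can never go negative and wrap when converted to an unsigned size. The planes and dimensions below are constructed, and `as_size_t` is a hypothetical helper that assumes a 64-bit size_t.

```python
"""
Clipped overlay compositing, the class of fix described for CVE-2025-68431:
an unclipped overlay rectangle gave a negative row length that became a huge
size_t for memcpy. Added example, not libheif code. Planes are constructed
8-bit grayscale bytearrays, row-major with no stride padding; as_size_t is a
hypothetical helper that assumes a 64-bit size_t.
"""
from typing import Optional, Tuple

SIZE_T_MASK = (1 << 64) - 1  # assumption: 64-bit size_t

# (dst_x, dst_y, src_x, src_y, copy_w, copy_h)
Clip = Tuple[int, int, int, int, int, int]


def as_size_t(n: int) -> int:
    """Emulate C's implicit conversion of a (possibly negative) int to size_t."""
    return n & SIZE_T_MASK


def unclipped_row_length(canvas_w: int, ov_w: int, off_x: int) -> int:
    """The naive computation: right edge limited to the canvas, left edge not.

    With the overlay placed entirely right of the canvas (off_x >= canvas_w)
    the result is negative; handed to memcpy as size_t it is a multi-exabyte
    read past the end of the source plane, which is the crash the CVE describes.
    """
    return min(off_x + ov_w, canvas_w) - off_x


def clip_overlay(canvas_w: int, canvas_h: int, ov_w: int, ov_h: int,
                 off_x: int, off_y: int) -> Optional[Clip]:
    """Intersect the overlay rectangle with the canvas.

    Returns (dst_x, dst_y, src_x, src_y, copy_w, copy_h), or None when the
    rectangles do not intersect. Both copy lengths are >= 1, so converting
    them to an unsigned size afterwards cannot wrap.
    """
    x0, y0 = max(off_x, 0), max(off_y, 0)
    x1, y1 = min(off_x + ov_w, canvas_w), min(off_y + ov_h, canvas_h)
    copy_w, copy_h = x1 - x0, y1 - y0
    if copy_w <= 0 or copy_h <= 0:
        return None
    return x0, y0, x0 - off_x, y0 - off_y, copy_w, copy_h


def overlay_plane(base: bytearray, canvas_w: int, canvas_h: int,
                  ov: bytes, ov_w: int, ov_h: int,
                  off_x: int, off_y: int) -> bytearray:
    """Copy the overlay onto base in place, touching only in-bounds pixels."""
    if len(base) != canvas_w * canvas_h or len(ov) != ov_w * ov_h:
        raise ValueError("plane size does not match the declared dimensions")
    clip = clip_overlay(canvas_w, canvas_h, ov_w, ov_h, off_x, off_y)
    if clip is None:
        return base  # nothing visible: a fully off-canvas overlay must be a no-op
    dst_x, dst_y, src_x, src_y, copy_w, copy_h = clip
    for row in range(copy_h):
        src = (src_y + row) * ov_w + src_x
        dst = (dst_y + row) * canvas_w + dst_x
        # copy_w is positive and within both planes by construction
        base[dst:dst + copy_w] = ov[src:src + copy_w]
    return base


if __name__ == "__main__":
    # Constructed 6x2 canvas and 4x2 overlay placed beyond the right edge.
    print("naive row length:", unclipped_row_length(6, 4, 10))
    print("as size_t:", as_size_t(unclipped_row_length(6, 4, 10)))
    print("clipped:", clip_overlay(6, 2, 4, 2, 10, 0))
```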

A few more security updates this morning (NZDT)

Changes for python3-urllib3 versions:
Installed version: 2.0.7-1ubuntu0.3
Available version: 2.0.7-1ubuntu0.4

Version 2.0.7-1ubuntu0.4:

  • SECURITY UPDATE: Decompression bomb in HTTP redirect responses.
    • debian/patches/CVE-2026-21441.patch: Add decode_content to self.read()
      in src/urllib3/response.py. Add tests in
      test/with_dummyserver/test_connectionpool.py and dummyserver/app.py.
    • CVE-2026-21441

Changes for libtasn1-6:i386 versions:
Installed version: 4.19.0-3ubuntu0.24.04.1
Available version: 4.19.0-3ubuntu0.24.04.2

Version 4.19.0-3ubuntu0.24.04.2:

  • SECURITY UPDATE: Stack-based buffer overflow
    • debian/patches/CVE-2025-13151.patch: fix asn1_expand_octet_string
      buffer size in lib/decoding.c.
    • CVE-2025-13151

Changes for libpython3.12-stdlib versions:
Installed version: 3.12.3-1ubuntu0.9
Available version: 3.12.3-1ubuntu0.10

Version 3.12.3-1ubuntu0.10:

  • SECURITY UPDATE: HTTP Content-Length denial of service
    • debian/patches/CVE-2025-13836.patch: Read large data in chunks with
      geometric reads in Lib/http/client.py and add tests in
      Lib/test/test_httplib.py
    • CVE-2025-13836

Changes for python3.12 versions:
Installed version: 3.12.3-1ubuntu0.9
Available version: 3.12.3-1ubuntu0.10

Version 3.12.3-1ubuntu0.10:

  • SECURITY UPDATE: HTTP Content-Length denial of service
    • debian/patches/CVE-2025-13836.patch: Read large data in chunks with
      geometric reads in Lib/http/client.py and add tests in
      Lib/test/test_httplib.py
    • CVE-2025-13836

Changes for libtasn1-6 versions:
Installed version: 4.19.0-3ubuntu0.24.04.1
Available version: 4.19.0-3ubuntu0.24.04.2

Version 4.19.0-3ubuntu0.24.04.2:

  • SECURITY UPDATE: Stack-based buffer overflow
    • debian/patches/CVE-2025-13151.patch: fix asn1_expand_octet_string
      buffer size in lib/decoding.c.
    • CVE-2025-13151

Technical description
Package: libpython3.12-minimal
This package contains some essential modules. It is normally not used on it's own, but as a dependency of python3.12-minimal.

Changes for libpython3.12-minimal versions:
Installed version: 3.12.3-1ubuntu0.9
Available version: 3.12.3-1ubuntu0.10

Version 3.12.3-1ubuntu0.10:

  • SECURITY UPDATE: HTTP Content-Length denial of service
    • debian/patches/CVE-2025-13836.patch: Read large data in chunks with
      geometric reads in Lib/http/client.py and add tests in
      Lib/test/test_httplib.py
    • CVE-2025-13836

Technical description
Package: libpython3.12t64
Python is a high-level, interactive, object-oriented language. Its 3.12 version includes an extensive class library with lots of goodies for network programming, system administration, sounds and graphics.
This package contains the shared runtime library, normally not needed for programs using the statically linked interpreter.

Changes for libpython3.12t64 versions:
Installed version: 3.12.3-1ubuntu0.9
Available version: 3.12.3-1ubuntu0.10

Version 3.12.3-1ubuntu0.10:

  • SECURITY UPDATE: HTTP Content-Length denial of service
    • debian/patches/CVE-2025-13836.patch: Read large data in chunks with
      geometric reads in Lib/http/client.py and add tests in
      Lib/test/test_httplib.py
    • CVE-2025-13836

One of the most serious CVE's patched is the following:

CVE-2026-21441
https://www.cve.org/CVERecord?id=CVE-2026-21441

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP Content-Encoding header (e.g., gzip, deflate, br, or zstd). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting preload_content=False when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when preload_content=False. If upgrading is not immediately possible, disable redirects by setting redirect=False for requests to untrusted source.
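As an added illustration (not urllib3's code), the bounded-decoding safeguard the CVE text above says was missing for redirect bodies: decoded output is capped as it is produced rather than after the whole body has been inflated, and a redirect response is drained without being decoded at all. The gzip payload, the `max_decoded` limit and the `body_for_client` helper are constructed for this example.

```python
"""
Bounded gzip decoding: the safeguard CVE-2026-21441 describes as missing when
urllib3 drained redirect responses (decoded output was not limited by the
configured read size). Added example, not urllib3 code; the bomb payload is
constructed here, and max_decoded is a hypothetical policy knob.
"""
import gzip
import zlib


class DecompressionBombError(Exception):
    """Decoded output would exceed the caller's limit."""


def make_gzip_bomb(decoded_size: int) -> bytes:
    """Constructed sample body: all-zero bytes, which gzip shrinks roughly 1000x."""
    return gzip.compress(b"\x00" * decoded_size, compresslevel=9)


def read_gzip_bounded(compressed: bytes, max_decoded: int,
                      chunk_size: int = 8192) -> bytes:
    """Inflate a gzip body, aborting as soon as decoded output passes max_decoded.

    zlib.decompressobj(wbits=31) selects gzip framing. Passing max_length to
    decompress() caps the output of each call; input zlib did not get to is
    left in unconsumed_tail, so at most chunk_size bytes are inflated beyond
    the limit instead of the whole body.
    """
    decoder = zlib.decompressobj(wbits=31)
    out = bytearray()
    pending = compressed
    while not decoder.eof:
        chunk = decoder.decompress(pending, chunk_size)
        pending = decoder.unconsumed_tail
        out += chunk
        if len(out) > max_decoded:
            raise DecompressionBombError(
                f"decoded more than {max_decoded} bytes from "
                f"{len(compressed)} compressed bytes; stopped early"
            )
        if not chunk and not pending and not decoder.eof:
            raise ValueError("truncated gzip stream")
    return bytes(out)


def is_bomb(compressed: bytes, max_decoded: int) -> bool:
    """True when the body cannot be decoded within max_decoded bytes."""
    try:
        read_gzip_bounded(compressed, max_decoded)
    except DecompressionBombError:
        return True
    return False


def body_for_client(status: int, content_encoding: str, raw_body: bytes,
                    max_decoded: int) -> bytes:
    """Hypothetical response handling mirroring the upstream behaviour change.

    A redirect body is only drained to reuse the connection; the client needs
    nothing but the Location header, so it is never decoded. Any other body is
    decoded within the limit.
    """
    if 300 <= status < 400:
        return b""
    if content_encoding.lower() == "gzip":
        return read_gzip_bounded(raw_body, max_decoded)
    return raw_body


if __name__ == "__main__":
    bomb = make_gzip_bomb(8 * 1024 * 1024)  # 8 MiB decoded, a few KiB on the wire
    print("compressed size:", len(bomb))
    print("bomb detected:", is_bomb(bomb, 1024 * 1024))
    print("redirect drained undecoded:", body_for_client(302, "gzip", bomb, 1024 * 1024))
```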

Another surprise security update:
Technical description
Package: python3-urllib3
urllib3 supports features left out of urllib and urllib2 libraries.

  • Re-use the same socket connection for multiple requests (HTTPConnectionPool
    and HTTPSConnectionPool) (with optional client-side certificate
    verification).
  • File posting (encode_multipart_formdata).
  • Built-in redirection and retries (optional).
  • Supports gzip and deflate decoding.
  • Thread-safe and sanity-safe.
  • Small and easy to understand codebase perfect for extending and
    building upon. This package contains the Python 3 version of the library.

Changes for python3-urllib3 versions:
Installed version: 2.0.7-1ubuntu0.4
Available version: 2.0.7-1ubuntu0.5

Version 2.0.7-1ubuntu0.5:

  • SECURITY REGRESSION: Zstd issues after CVE-2025-66471 fix. (LP: #2136906)
    • debian/patches/CVE-2025-66471-fix1.patch: Revert zstd fix due to not
      being compatible with zstandard.

More security updates as well as a regression being fixed.

The regression:
Changes for python3-urllib3 versions:
Installed version: 2.0.7-1ubuntu0.5
Available version: 2.0.7-1ubuntu0.6

Version 2.0.7-1ubuntu0.6:

  • SECURITY REGRESSION: Zstandard missing attribute after CVE-2025-66471 fix.
    (LP: #2136906)
    • debian/patches/CVE-2025-66471-fix2.patch: Fall back if "needs_input" is
      not a zstd object attribute in src/urllib3/response.py.

Technical description
Package: libjavascriptcoregtk-6.0-1
JavaScriptCore is the JavaScript engine used in WebKit. It consists of the following building blocks: lexer, parser, start-up interpreter (LLInt), baseline JIT, a low-latency optimizing JIT (DFG), and a high-throughput optimizing JIT (FTL).
This build comes from the GTK port of WebKit (API version 6.0).
This package contains the shared libraries.

Changes for libjavascriptcoregtk-6.0-1 versions:
Installed version: 2.50.3-0ubuntu0.24.04.1
Available version: 2.50.4-0ubuntu0.24.04.1

Version 2.50.4-0ubuntu0.24.04.1:

  • Update to 2.50.4 to fix security issues.
    • CVE-2025-14174, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531,
      CVE-2025-43535, CVE-2025-43536, CVE-2025-43541

Technical description
Package: gir1.2-javascriptcoregtk-6.0
JavaScriptCore is the JavaScript engine used in WebKit. It consists of the following building blocks: lexer, parser, start-up interpreter (LLInt), baseline JIT, a low-latency optimizing JIT (DFG), and a high-throughput optimizing JIT (FTL).
This build comes from the GTK port of WebKit (API version 6.0).
This package contains the introspection data, which can be used by packages using the GIRepository format to generate dynamic bindings.

Changes for gir1.2-javascriptcoregtk-6.0 versions:
Installed version: 2.50.3-0ubuntu0.24.04.1
Available version: 2.50.4-0ubuntu0.24.04.1

Version 2.50.4-0ubuntu0.24.04.1:

  • Update to 2.50.4 to fix security issues.
    • CVE-2025-14174, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531,
      CVE-2025-43535, CVE-2025-43536, CVE-2025-43541

Technical description
Package: libwebkitgtk-6.0-4
WebKit is a web content engine, derived from KHTML and KJS from KDE, and used primarily in Apple's Safari browser.
It is made to be embedded in other applications, such as mail readers, or web browsers.
It is able to display content such as HTML, SVG, XML, and others. It also supports DOM, XMLHttpRequest, XSLT, CSS, JavaScript/ECMAScript and more.
WebKitGTK is a WebKit port designed to be used in GTK applications. This build provides version 6.0 of the API and uses libsoup v3 for the networking stack and the GTK 4 widget toolkit.
This package contains the shared libraries.

Changes for libwebkitgtk-6.0-4 versions:
Installed version: 2.50.3-0ubuntu0.24.04.1
Available version: 2.50.4-0ubuntu0.24.04.1

Version 2.50.4-0ubuntu0.24.04.1:

  • Update to 2.50.4 to fix security issues.
    • CVE-2025-14174, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531,
      CVE-2025-43535, CVE-2025-43536, CVE-2025-43541

Technical description
Package: gir1.2-webkit2-4.1
WebKit is a web content engine, derived from KHTML and KJS from KDE, and used primarily in Apple's Safari browser.
It is made to be embedded in other applications, such as mail readers, or web browsers.
It is able to display content such as HTML, SVG, XML, and others. It also supports DOM, XMLHttpRequest, XSLT, CSS, JavaScript/ECMAScript and more.
WebKitGTK is a WebKit port designed to be used in GTK applications. This build provides version 4.1 of the API and uses libsoup v3 for the networking stack and the GTK 3 widget toolkit.
This package contains introspection data, which can be used by packages using the GIRepository format to generate dynamic bindings.

Changes for gir1.2-webkit2-4.1 versions:
Installed version: 2.50.3-0ubuntu0.24.04.1
Available version: 2.50.4-0ubuntu0.24.04.1

Version 2.50.4-0ubuntu0.24.04.1:

  • Update to 2.50.4 to fix security issues.
    • CVE-2025-14174, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531,
      CVE-2025-43535, CVE-2025-43536, CVE-2025-43541

In order from left to right, the CVE's are:
"Out of Bounds memory access on chrome for 14174"
"A buffer overflow on the safari browser, although this may affect other browsers."
The remaining CVE's are all tied directly to memory management.

More security updates:

Technical description
Package: libpng16-16t64:i386
libpng is a library implementing an interface for reading and writing PNG (Portable Network Graphics) format files.
This package contains the runtime library files needed to run software using libpng.

Changes for libpng16-16t64:i386 versions:
Installed version: 1.6.43-5ubuntu0.1
Available version: 1.6.43-5ubuntu0.3

Version 1.6.43-5ubuntu0.3:

  • SECURITY UPDATE: OOB in png_image_read_composite
    • debian/patches/CVE-2025-66293-1.patch: validate component size in
      pngread.c.
    • debian/patches/CVE-2025-66293-2.patch: improve fix in pngread.c.
    • CVE-2025-66293
  • SECURITY UPDATE: Heap buffer over-read in png_image_read_direct_scaled
    • debian/patches/CVE-2026-22695.patch: fix memcpy size in pngread.c.
    • CVE-2026-22695
  • SECURITY UPDATE: Integer truncation causing heap buffer over-read
    • debian/patches/CVE-2026-22801.patch: remove incorrect truncation
      casts in CMakeLists.txt, contrib/libtests/pngstest.c, pngwrite.c,
      tests/pngstest-large-stride.
    • CVE-2026-22801

Technical description
Package: libklibc
klibc is intended to be a minimalistic libc subset for use with initramfs.
It is deliberately written for small size, minimal entanglement, and portability, not speed.
It is definitely a work in progress, and a lot of things are still missing.

Changes for libklibc versions:
Installed version: 2.0.13-4ubuntu0.1
Available version: 2.0.13-4ubuntu0.2

Version 2.0.13-4ubuntu0.2:

  • SECURITY UPDATE: Undefined Behavior
    • debian/patches/CVE-2016-9843.patch: Avoid pre-decrement of pointer
      in big-endian CRC calculation.
    • CVE-2016-9843

Technical description
Package: libpng16-16t64
libpng is a library implementing an interface for reading and writing PNG (Portable Network Graphics) format files.
This package contains the runtime library files needed to run software using libpng.

Changes for libpng16-16t64 versions:
Installed version: 1.6.43-5ubuntu0.1
Available version: 1.6.43-5ubuntu0.3

Version 1.6.43-5ubuntu0.3:

  • SECURITY UPDATE: OOB in png_image_read_composite
    • debian/patches/CVE-2025-66293-1.patch: validate component size in
      pngread.c.
    • debian/patches/CVE-2025-66293-2.patch: improve fix in pngread.c.
    • CVE-2025-66293
  • SECURITY UPDATE: Heap buffer over-read in png_image_read_direct_scaled
    • debian/patches/CVE-2026-22695.patch: fix memcpy size in pngread.c.
    • CVE-2026-22695
  • SECURITY UPDATE: Integer truncation causing heap buffer over-read
    • debian/patches/CVE-2026-22801.patch: remove incorrect truncation
      casts in CMakeLists.txt, contrib/libtests/pngstest.c, pngwrite.c,
      tests/pngstest-large-stride.
    • CVE-2026-22801

Technical description
Package: klibc-utils
This package contains a collection of programs that are linked against klibc. These duplicate some of the functionality of a regular Linux toolset, but are typically much smaller than their full-function counterparts.
They are intended for inclusion in initramfs images and embedded systems.

Changes for klibc-utils versions:
Installed version: 2.0.13-4ubuntu0.1
Available version: 2.0.13-4ubuntu0.2

Version 2.0.13-4ubuntu0.2:

  • SECURITY UPDATE: Undefined Behavior
    • debian/patches/CVE-2016-9843.patch: Avoid pre-decrement of pointer
      in big-endian CRC calculation.
    • CVE-2016-9843


Technical description
Package: gnome-remote-desktop
This daemon enables GNOME to offer remote desktop sharing and control using RDP with PipeWire. It supports GNOME on both X11 and Wayland. Remote sharing can be enabled and managed in the GNOME Settings app.

Changes for gnome-remote-desktop versions:
Installed version: 46.3-0ubuntu1.1
Available version: 46.3-0ubuntu1.2

Version 46.3-0ubuntu1.2:

  • Backport headless session persistence (LP: #2072130)

^ Researching the Brave update, since Brave does not support changelogs via the software updater: it appears to be a very minor update fixing two bugs.

No updates since the last post (Friday morning NZDT, 16th Jan).
Likely the Zorin Bros don't work weekends (good on them). I'll keep checking and post again once updates start rolling back out.

It is Sunday Afternoon 3:23 PM 18th Jan NZDT.


I stand corrected: some support for Intel's brand new Panther Lake; this update focuses especially on thermal monitoring.

Howdy folks, another security update, this one focusing on Avahi, which is a framework for Multicast DNS Service Discovery,

mainly targeting CVE's all published on 12/01/2026. This update has come out on 20/01/2026; my quick research says the average time for a CVE to be identified and then patched should be ~9 days, so 8 days is just under average.

The risk here, according to the CVE pages (when you click on the hyperlink in the updater changelogs), is that you would just experience crashes of that particular service.

These are the packages updated, and all changelogs have been combined below!

Technical description
Package: libavahi-client3:i386
Avahi is a fully LGPL framework for Multicast DNS Service Discovery. It allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example you can plug into a network and instantly find printers to print to, files to look at and people to talk to.
This package contains the library for Avahi's C API which
allows you to integrate mDNS/DNS-SD functionality into your application.

Changes for libavahi-client3:i386 versions:
Installed version: 0.8-13ubuntu6
Available version: 0.8-13ubuntu6.1

Version 0.8-13ubuntu6.1:

  • SECURITY UPDATE: Denial of service when creating a record browser.
    • debian/patches/CVE-2025-68276.patch: Add AVAHI_LOOKUP_USE_WIDE_AREA and
      wide area use check in avahi-core/browse.c.
    • CVE-2025-68276
  • SECURITY UPDATE: Denial of service after CNAME expiration.
    • debian/patches/CVE-2025-68468.patch: Remove assert in
      avahi-core/browse.c.
    • CVE-2025-68468
  • SECURITY UPDATE: Denial of service on receiving CNAME resource records.
    • debian/patches/CVE-2025-68471.patch: Change assert to return on
      wide_area check in avahi-core/browse.c.
    • CVE-2025-68471

Changes for libavahi-common3:i386 versions:
Installed version: 0.8-13ubuntu6
Available version: 0.8-13ubuntu6.1

Version 0.8-13ubuntu6.1:

  • SECURITY UPDATE: Denial of service when creating a record browser.
    • debian/patches/CVE-2025-68276.patch: Add AVAHI_LOOKUP_USE_WIDE_AREA and
      wide area use check in avahi-core/browse.c.
    • CVE-2025-68276
  • SECURITY UPDATE: Denial of service after CNAME expiration.
    • debian/patches/CVE-2025-68468.patch: Remove assert in
      avahi-core/browse.c.
    • CVE-2025-68468
  • SECURITY UPDATE: Denial of service on receiving CNAME resource records.
    • debian/patches/CVE-2025-68471.patch: Change assert to return on
      wide_area check in avahi-core/browse.c.
    • CVE-2025-68471

Changes for libavahi-client3 versions:
Installed version: 0.8-13ubuntu6
Available version: 0.8-13ubuntu6.1

Version 0.8-13ubuntu6.1:

  • SECURITY UPDATE: Denial of service when creating a record browser.
    • debian/patches/CVE-2025-68276.patch: Add AVAHI_LOOKUP_USE_WIDE_AREA and
      wide area use check in avahi-core/browse.c.
    • CVE-2025-68276
  • SECURITY UPDATE: Denial of service after CNAME expiration.
    • debian/patches/CVE-2025-68468.patch: Remove assert in
      avahi-core/browse.c.
    • CVE-2025-68468
  • SECURITY UPDATE: Denial of service on receiving CNAME resource records.
    • debian/patches/CVE-2025-68471.patch: Change assert to return on
      wide_area check in avahi-core/browse.c.
    • CVE-2025-68471

Changes for libavahi-common-data versions:
Installed version: 0.8-13ubuntu6
Available version: 0.8-13ubuntu6.1

Version 0.8-13ubuntu6.1:

  • SECURITY UPDATE: Denial of service when creating a record browser.
    • debian/patches/CVE-2025-68276.patch: Add AVAHI_LOOKUP_USE_WIDE_AREA and
      wide area use check in avahi-core/browse.c.
    • CVE-2025-68276
  • SECURITY UPDATE: Denial of service after CNAME expiration.
    • debian/patches/CVE-2025-68468.patch: Remove assert in
      avahi-core/browse.c.
    • CVE-2025-68468
  • SECURITY UPDATE: Denial of service on receiving CNAME resource records.
    • debian/patches/CVE-2025-68471.patch: Change assert to return on
      wide_area check in avahi-core/browse.c.
    • CVE-2025-68471

Changes for libavahi-common3 versions:
Installed version: 0.8-13ubuntu6
Available version: 0.8-13ubuntu6.1

Version 0.8-13ubuntu6.1:

  • SECURITY UPDATE: Denial of service when creating a record browser.
    • debian/patches/CVE-2025-68276.patch: Add AVAHI_LOOKUP_USE_WIDE_AREA and
      wide area use check in avahi-core/browse.c.
    • CVE-2025-68276
  • SECURITY UPDATE: Denial of service after CNAME expiration.
    • debian/patches/CVE-2025-68468.patch: Remove assert in
      avahi-core/browse.c.
    • CVE-2025-68468
  • SECURITY UPDATE: Denial of service on receiving CNAME resource records.
    • debian/patches/CVE-2025-68471.patch: Change assert to return on
      wide_area check in avahi-core/browse.c.
    • CVE-2025-68471

Changes for libavahi-glib1 versions:
Installed version: 0.8-13ubuntu6
Available version: 0.8-13ubuntu6.1

Version 0.8-13ubuntu6.1:

  • SECURITY UPDATE: Denial of service when creating a record browser.
    • debian/patches/CVE-2025-68276.patch: Add AVAHI_LOOKUP_USE_WIDE_AREA and
      wide area use check in avahi-core/browse.c.
    • CVE-2025-68276
  • SECURITY UPDATE: Denial of service after CNAME expiration.
    • debian/patches/CVE-2025-68468.patch: Remove assert in
      avahi-core/browse.c.
    • CVE-2025-68468
  • SECURITY UPDATE: Denial of service on receiving CNAME resource records.
    • debian/patches/CVE-2025-68471.patch: Change assert to return on
      wide_area check in avahi-core/browse.c.
    • CVE-2025-68471

Changes for libavahi-ui-gtk3-0 versions:
Installed version: 0.8-13ubuntu6
Available version: 0.8-13ubuntu6.1

Version 0.8-13ubuntu6.1:

  • SECURITY UPDATE: Denial of service when creating a record browser.
    • debian/patches/CVE-2025-68276.patch: Add AVAHI_LOOKUP_USE_WIDE_AREA and
      wide area use check in avahi-core/browse.c.
    • CVE-2025-68276
  • SECURITY UPDATE: Denial of service after CNAME expiration.
    • debian/patches/CVE-2025-68468.patch: Remove assert in
      avahi-core/browse.c.
    • CVE-2025-68468
  • SECURITY UPDATE: Denial of service on receiving CNAME resource records.
    • debian/patches/CVE-2025-68471.patch: Change assert to return on
      wide_area check in avahi-core/browse.c.
    • CVE-2025-68471

Changes for avahi-daemon versions:
Installed version: 0.8-13ubuntu6
Available version: 0.8-13ubuntu6.1

Version 0.8-13ubuntu6.1:

  • SECURITY UPDATE: Denial of service when creating a record browser.
    • debian/patches/CVE-2025-68276.patch: Add AVAHI_LOOKUP_USE_WIDE_AREA and
      wide area use check in avahi-core/browse.c.
    • CVE-2025-68276
  • SECURITY UPDATE: Denial of service after CNAME expiration.
    • debian/patches/CVE-2025-68468.patch: Remove assert in
      avahi-core/browse.c.
    • CVE-2025-68468
  • SECURITY UPDATE: Denial of service on receiving CNAME resource records.
    • debian/patches/CVE-2025-68471.patch: Change assert to return on
      wide_area check in avahi-core/browse.c.
    • CVE-2025-68471

Changes for libavahi-core7 versions:
Installed version: 0.8-13ubuntu6
Available version: 0.8-13ubuntu6.1

Version 0.8-13ubuntu6.1:

  • SECURITY UPDATE: Denial of service when creating a record browser.
    • debian/patches/CVE-2025-68276.patch: Add AVAHI_LOOKUP_USE_WIDE_AREA and
      wide area use check in avahi-core/browse.c.
    • CVE-2025-68276
  • SECURITY UPDATE: Denial of service after CNAME expiration.
    • debian/patches/CVE-2025-68468.patch: Remove assert in
      avahi-core/browse.c.
    • CVE-2025-68468
  • SECURITY UPDATE: Denial of service on receiving CNAME resource records.
    • debian/patches/CVE-2025-68471.patch: Change assert to return on
      wide_area check in avahi-core/browse.c.
    • CVE-2025-68471

Howdy folks, another security-focused update:

Package: libglib2.0-0t64:i386
GLib is a library containing many useful C routines for things such as trees, hashes, lists, and strings.
It is a useful general-purpose C library used by projects such as GTK+, GIMP, and GNOME.
This package contains the shared libraries.

Changes for libglib2.0-0t64:i386 versions:
Installed version: 2.80.0-6ubuntu3.6
Available version: 2.80.0-6ubuntu3.7

Version 2.80.0-6ubuntu3.7: 

  * SECURITY UPDATE: Integer overflow in g_buffered_input_stream_peek()
    - debian/patches/CVE-2026-0988.patch: fix a potential integer overflow
      in peek() in gio/gbufferedinputstream.c,
      gio/tests/buffered-input-stream.c.
    - CVE-2026-0988

Common files for GLib library

Package: libglib2.0-data
GLib is a library containing many useful C routines for things such as trees, hashes, lists, and strings.
It is a useful general-purpose C library used by projects such as GTK+, GIMP, and GNOME.
This package is needed for the runtime libraries to display messages in languages other than English.

Changes for libglib2.0-data versions:
Installed version: 2.80.0-6ubuntu3.6
Available version: 2.80.0-6ubuntu3.7

Version 2.80.0-6ubuntu3.7: 

  * SECURITY UPDATE: Integer overflow in g_buffered_input_stream_peek()
    - debian/patches/CVE-2026-0988.patch: fix a potential integer overflow
      in peek() in gio/gbufferedinputstream.c,
      gio/tests/buffered-input-stream.c.
    - CVE-2026-0988

GLib library of c routines

Package: libglib2.0-0t64
GLib is a library containing many useful C routines for things such as trees, hashes, lists, and strings.
It is a useful general-purpose C library used by projects such as GTK+, GIMP, and GNOME.
This package contains the shared libraries.

Changes for libglib2.0-0t64 versions:
Installed version: 2.80.0-6ubuntu3.6
Available version: 2.80.0-6ubuntu3.7

Version 2.80.0-6ubuntu3.7: 

  * SECURITY UPDATE: Integer overflow in g_buffered_input_stream_peek()
    - debian/patches/CVE-2026-0988.patch: fix a potential integer overflow
      in peek() in gio/gbufferedinputstream.c,
      gio/tests/buffered-input-stream.c.
    - CVE-2026-0988

Introspection data for GLib GObject Gio and Gmodule

Package: gir1.2-glib-2.0
GObject Introspection is a project for providing machine readable introspection data of the API of C libraries. This introspection data can be used in several different use cases, for example automatic code generation for bindings, API verification and documentation generation.
This package contains the introspection data for the GLib, GObject, GModule and Gio libraries, in the typelib format used to generate bindings for dynamic languages like JavaScript and Python.

Changes for gir1.2-glib-2.0 versions:
Installed version: 2.80.0-6ubuntu3.6
Available version: 2.80.0-6ubuntu3.7

Version 2.80.0-6ubuntu3.7: 

  * SECURITY UPDATE: Integer overflow in g_buffered_input_stream_peek()
    - debian/patches/CVE-2026-0988.patch: fix a potential integer overflow
      in peek() in gio/gbufferedinputstream.c,
      gio/tests/buffered-input-stream.c.
    - CVE-2026-0988

Program for GLib library

Technical description
Package: libglib2.0-bin
GLib is a library containing many useful C routines for things such as trees, hashes, lists, and strings.
It is a useful general-purpose C library used by projects such as GTK+, GIMP, and GNOME.
This package contains the program files which are used by the libraries and others.

Changes for libglib2.0-bin versions:
Installed version: 2.80.0-6ubuntu3.6
Available version: 2.80.0-6ubuntu3.7

Version 2.80.0-6ubuntu3.7: 

  * SECURITY UPDATE: Integer overflow in g_buffered_input_stream_peek()
    - debian/patches/CVE-2026-0988.patch: fix a potential integer overflow
      in peek() in gio/gbufferedinputstream.c,
      gio/tests/buffered-input-stream.c.
    - CVE-2026-0988

This particular update targets this CVE:
https://www.cve.org/CVERecord?id=CVE-2026-0988

which is an integer overflow that can lead to application crashes.
[This was identified by Red Hat]