[ { "id": "2040467", "description": "This bug tracks an update for the OpenVPN package, moving to versions:\n\n* Plucky (25.04): OpenVPN 2.6.14\n* Oracular (24.10): OpenVPN 2.6.14\n* Noble (24.04): OpenVPN 2.6.14\n* Jammy (22.04): OpenVPN 2.5.11\n\nThis update includes bugfixes following the SRU policy exception defined at https://wiki.ubuntu.com/OpenVPNUpdates. Note that OpenVPN does not have an accepted exception. However, the SRU team has agreed to consider further releases given a full knowledge and possible mitigation of backwards-incompatible changes. See https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html\n\n[Upstream Changes]\n\n2.6.13-2.6.14\n\nUpdates:\n\nSend uname() release from client to server as IV_PLAT_VER=\nPass --timeout=0 argument to systemd-ask-password, to avoid default timeout of 90 seconds\n\nBug Fixes:\n\nRepair source IP selection for --multihome\nAllow tls-crypt-v2 to be setup only on initial packet of a session to fix internal server error\nFix some missing spaces in messages\nFix parsing of usernames or passwords longer than USER_PASS_LEN on the server side to avoid IV variable misparsing and misleading errors\nPurge proxy authentication credentials from memory after use (if --auth-nocache is in use)\n\nCVE Fix - already available as patch:\n\nCVE-2025-2704\n\nThe upstream changelog is available at https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26\n\n[Test Plan]\n\nDEP-8 Tests:\nserver-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority\nserver-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication\n\nSee https://wiki.ubuntu.com/OpenVPNUpdates#QA for additional testing information.\n\n[Regression Potential]\n\nUpstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations.\n\nBackwards-incompatible changes:\n\nRefuse clients if username or password is longer than USER_PASS_LEN - https://github.com/OpenVPN/openvpn/commit/b98ff0e7c60c6592a2e8d2c80dfd5999e5d2e65b\nOverly long usernames and/or passwords are now refused by the server which is backwards incompatible from previous versions when they were accepted. However, when they were accepted, the rest of the packet was read improperly and would not work as intended, likely returning a misleading error.\n\n[Other Info]\n\nPrevious backports:\n(LP: #2004676)\n(LP: #2073318)", "date_last_updated": "Wed Jul 16 15:37:25 2025", "title": "Backport upstream microreleases for questing cycle", "source_package_name": "openvpn", "potential_assignee": "", "assignee": "lvoytek", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.07", "status": "done", "importance": "Undecided", "date_created": "Wed Oct 25 08:31:51 2023", "date_assigned": "Wed Feb 21 16:24:23 2024", "date_fix_released": "Tue Jun 3 13:45:41 2025", "date_data_refreshed": "Mon Apr 6 15:36:51 2026" }, { "id": "2067480", "description": "23.11.1 for Oracular is in -proposed and nearly to be completed. Therefore the MREs for plucky, oracular, noble and jammy can be handled now (Oracular EOL will occur at the end of July, so we're trying to update it before it happens, but it might be optional at the end).\n\nThis bug tracks an update for the DPDK packages in:\n- plucky 24.11.1 -> 24.11.2\n- Oracular 23.11.2 -> 23.11.4\n- Noble 23.11 -> 23.11.4\n- Jammy 21.11.6 -> 21.11.9\n\nThis update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/StableReleaseUpdates/DPDK.\n\nNo new features added; a classic stable release with a bunch of fixes aggregated and enhanced testing by the companies being part of the DPDK community.\n\n[Impact]\n\nStable release update so not directly applicable; see the exception policy document linked above.\nFor Reference - former cases are here:\n- https://bugs.launchpad.net/ubuntu/+source/dpdk/+bug/1784816\n- https://bugs.launchpad.net/ubuntu/+source/dpdk/+bug/1817675\n- https://bugs.launchpad.net/ubuntu/+source/dpdk/+bug/1836365\n- https://bugs.launchpad.net/ubuntu/+source/dpdk/+bug/1912464\n- https://bugs.launchpad.net/ubuntu/+source/dpdk/+bug/1940913\n- https://bugs.launchpad.net/ubuntu/+source/dpdk/+bug/2002404\n- https://bugs.launchpad.net/ubuntu/+source/dpdk/+bug/2026351\n\n[Major Changes]\n\nListed by upstream in detail\n\nPlucky - 24.11.2:\nhttps://doc.dpdk.org/guides-24.11/rel_notes/release_24_11.html#id3\n\nOracular - 23.11.4:\nhttps://doc.dpdk.org/guides-23.11/rel_notes/release_23_11.html#id9\n\nNoble - 23.11.4:\nhttps://doc.dpdk.org/guides-23.11/rel_notes/release_23_11.html#id9\n\nJammy - 21.11.9:\nhttps://doc.dpdk.org/guides-21.11/rel_notes/release_21_11.html#id32\n\n[Test Plan]\n\nSee https://wiki.ubuntu.com/StableReleaseUpdates/DPDK#SRU_TestVerify\n\n[Regression Potential]\n\nUpstream performs extensive testing before release, giving us a high degree of confidence in the general case. There problems are most likely to manifest in Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.\nTherefore that is what our verification focuses on.", "date_last_updated": "Tue Sep 23 09:47:52 2025", "title": "MRE updates of dpdk 23.11.4(Noble)/21.11.9(Jammy)/23.11.4(oracular)/24.11.2(plucky)", "source_package_name": "dpdk", "potential_assignee": "", "assignee": "paelzer", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.09", "status": "done", "importance": "Undecided", "date_created": "Wed May 29 13:31:02 2024", "date_assigned": "Wed May 14 10:29:15 2025", "date_fix_released": "Thu Jul 3 10:42:21 2025", "date_data_refreshed": "Mon Apr 6 15:36:59 2026" }, { "id": "2068021", "description": "[Impact]\nThis release contains both bug-fixes and new features and we would like to\nmake sure all of our supported customers have access to these improvements.\nThe notable ones are:\n\n * 2.11.1.4 [ https://github.com/Azure/WALinuxAgent/releases/tag/v2.11.1.4 ]:\n\n * 2.10.0.8 [ https://github.com/Azure/WALinuxAgent/releases/tag/v2.10.0.8 ]:\n\n\nSee the changelog entry below for a full list of changes and bugs. (TBD)\n\n[Test Case]\nThe following development and SRU process was followed:\nhttps://wiki.ubuntu.com/walinuxagentUpdates\n\nThe Microsoft Azure Linux Agent team will execute their testsuite, which\nincludes extension testing , against the walinuxagent that is in\n-proposed. A successful run will be required before the proposed walinuxagent\ncan be let into -updates.\n\nThe CPC team will be in charge of attaching a summary of testing to the bug. CPC team members will not\nmark ‘verification-done’ until this has happened.", "date_last_updated": "Tue Jun 24 04:48:23 2025", "title": "MRE updates of walinuxagent 2.11.1.4 into N/J/F", "source_package_name": "walinuxagent", "potential_assignee": "", "assignee": "mirespace", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-24.08", "status": "no-merge-needed", "importance": "Undecided", "date_created": "Tue Jun 4 11:40:55 2024", "date_assigned": "Tue Jun 4 11:40:55 2024", "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:37:06 2026" }, { "id": "2073310", "description": "This bug tracks an update for the bind9 package, moving to versions:\n\n* Noble (24.04): bind9 9.18.30\n* Jammy (22.04): bind9 9.18.30\n* Focal (20.04): bind9 9.18.30\n\nThese updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/Bind9Updates.\n\n[Upstream changes]\n\nChanges from 9.18.28 - 9.18.30 include:\n\nFeatures:\n\nPrint initial working directory during named startup, and changed working directory when loading or reloading the configuration file\nAdd max-query-restarts configuration statement\n\n\nUpdates:\n\nRestrain named to specified number of cores when running via taskset, cpuset, or numactl\nReduce default max-recursion-queries value from 100 to 32\nRaise the log level of priming failures\n\nBug fixes:\n\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4855 - Fix privacy verification of EDDSA keys\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4878 - Fix algorithm rollover bug when there are two keys with the same keytag\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4449 - Return SERVFAIL for a too long CNAME chain\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4733 - Reconfigure catz member zones during named reconfiguration\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4677 - Update key lifetime and metadata after dnssec-policy reconfiguration\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4766 - Fix generation of 6to4-self name expansion from IPv4 address\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4796 - Fix invalid dig +yaml output\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4775 - Reject zero-length ALPN during SVBC ALPN text parsing\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4784 - Fix false QNAME minimisation error being reported\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4806 - Fix dig +timeout argument when using +https\n\n\nFull release notes available here - https://bind9.readthedocs.io/en/v9.18.30/notes.html\n\n[Test Plan]\n\nDEP-8 Tests:\n\nsimpletest - Confirms bind9 daemon starts successfully and dig can find 127.0.0.1 through the default setup of bind9\n\nzonetest - Added in this update, currently in lunar. Confirms the functionality of named and bind9 by creating a local DNS zone and domain, and having dig look it up\n\ndyndb-ldap - Verifies functionality of bind-dyndb-ldap against the updated bind9 package with a basic setup. This also fails intentionally prior to bind-dyndb-ldap being rebuilt against the package, as this is a necessary step for bind9 updates.\n\nvalidation - This test is provided by Debian and consistently fails both before and after the update due to several issues. It is marked as flaky, and does not block autopkgtest passing overall\n\n[Regression Potential]\n\nUpstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. Alternatively, regressions may arise for users due to behavior changes from the many bug fixes and minor feature updates.", "date_last_updated": "Wed Apr 23 13:57:42 2025", "title": "Backport of bind9 for focal, jammy and noble", "source_package_name": "bind-dyndb-ldap", "potential_assignee": "", "assignee": "lvoytek", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-24.09", "status": "done", "importance": "Undecided", "date_created": "Mon Sep 23 13:56:23 2024", "date_assigned": "Mon Sep 23 13:57:04 2024", "date_fix_released": "Wed Apr 23 13:57:37 2025", "date_data_refreshed": "Mon Apr 6 15:37:31 2026" }, { "id": "2073312", "description": "Backport container-stack to focal, jammy and noble once the update for oracular has been completed.\n\n\n\n[Impact]\nTBD\n\n[Major Changes]\nTBD\n\n[Test Plan]\nTBD\n\n[Regression Potential]\nUpstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.\n\n\n", "date_last_updated": "Wed Aug 28 15:39:16 2024", "title": "Backport of container-stack for focal, jammy and noble", "source_package_name": "runc-app", "potential_assignee": "", "assignee": "", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "", "status": "", "importance": "Undecided", "date_created": "Wed Aug 28 15:37:55 2024", "date_assigned": null, "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:37:19 2026" }, { "id": "2073316", "description": "Backport openldap to focal, jammy and noble once the update for oracular has been completed.\n\n\n\n[Impact]\nTBD\n\n[Major Changes]\nTBD\n\n[Test Plan]\nTBD\n\n[Regression Potential]\nUpstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.\n\n\n", "date_last_updated": "Wed Sep 4 15:24:38 2024", "title": "Backport of openldap for Jammy", "source_package_name": "openldap", "potential_assignee": "", "assignee": "sergiodj", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-24.08", "status": "", "importance": "Wishlist", "date_created": "Tue Jul 16 23:59:32 2024", "date_assigned": "Wed Aug 28 15:45:07 2024", "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:32:09 2026" }, { "id": "2073317", "description": "Backport open-vm-tools to noble once the update for oracular has been completed.\n\njammy: 2:12.3.5-3~ubuntu0.22.04.1 -> 2:12.4.5-1ubuntu0.22.04.1\nnoble: 2:12.3.5-5build3 -> 2:12.4.5-1ubuntu0.24.04.1\n\nStable release exception: https://wiki.ubuntu.com/StableReleaseUpdates#open-vm-tools\n\n[Impact]\n * Without SRUing the never version users get issues running on more\n   recent hypervisors.\n\n * This is not backporting a single fix, nor an MRE, but backporting the\n   version of a latter Ubuntu release for platform enablement.\n\n * See https://wiki.ubuntu.com/OpenVMToolsUpdates for more details\n\n[Test Plan]\n * VMWare QA Team does the qualification of these uploads as we don't have\n   a matrix of Host versions for that around. Once made available in -proposed\n   and passing build time tests the Server team will reach out to VMware to to\n   run their verification harness against the new build and confirming that\n   with a statement on the bug.\n\n * As an additional safety net we want to keep this in -proposed longer\n   than usual, suggesting >=14 days.\n\n[ Where problems could occur ]\n\n * It is a full new version which might contain new issues, but also\n   new fixes and we've had cases where this brought CVE coverage before\n   we needed backports for those. Still, worst you'd expect all that you\n   expect on a release-upgrade like deprecated features gone, handling\n   configuration differently or in general behaving differently by adding\n   (even wanted) new features.\n   Gladly the toolset has proven to be very stable at all that.\n\n[ Other Info ]\n\n * Mostly regressions seen on those backports would be the same as seen on\n   an upgrade to a new Ubuntu version with the new version of open-vm-tools.\n   Hence, unless other reasons like a former delay or an urgent need\n   cause a change, we try to do this early in the Ubuntu cycle backporting\n   the version released just recently.\n   For example the version that will go out with 24.10 is expected to be\n   proposed for 24.04 shortly, but after 24.10 is released so that we'd have\n   a chance to pick those regression reports up.\n\n[Other Info]\n * This is a practice for quite a while (more than five years now), see:\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1998558\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1975767\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1933143\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1741390\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1784638\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1813944\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1822204\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1844834\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1868012\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1877672\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1892266\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1911831\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/2028420", "date_last_updated": "Thu Sep 19 12:04:53 2024", "title": "Backport of open-vm-tools 12.4.5 to noble", "source_package_name": "open-vm-tools", "potential_assignee": "", "assignee": "bryce", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-24.10", "status": "done", "importance": "Wishlist", "date_created": "Tue Jul 16 23:59:45 2024", "date_assigned": "Wed Jul 17 03:57:23 2024", "date_fix_released": "Wed Aug 21 07:37:13 2024", "date_data_refreshed": "Mon Apr 6 15:32:12 2026" }, { "id": "2073318", "description": "This bug tracks an update for the OpenVPN package, moving to versions:\n\n* Noble (24.04): openvpn 2.6.12\n* Jammy (22.04): openvpn 2.5.11\n\nThese updates include bug fixes following the SRU policy exception defined at https://wiki.ubuntu.com/OpenVPNUpdates.\n\nNote that openvpn does not have an accepted micro-release exception. However, the SRU team has agreed to consider further releases given a full knowledge and possible mitigation of backwards-incompatible changes. See https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html\n\n[Upstream changes]\n\nChanges from 2.6.9 to 2.6.12 include:\n\nCVE Fixes:\n\nCVE-2024-4877\nCVE-2024-5594\nCVE-2024-28882\nCVE-2024-27459\nCVE-2024-24974\nCVE-2024-27903\n\nUpdates:\n\nAllow trailing \\r and \\n in control channel message\nImplement --server-poll-timeout on SOCKS proxies\nImplement Windows CA template match for Crypto-API selector\nUpdate sample configuration files\nUpdate systemd unit file documentation references\nRemove After=syslog.target in suggested systemd service files\n\nBug Fixes:\n\nFix issue with proxy credentials caching\nFix LibreSSL crashing when enumerating digests/cipher with workaround\nUse snprintf instead of sprintf for get_ssl_library_version\nFix disabling DCO when proxy is set via management interface\n\nLooking through each commit from the release of 2.6.9 to 2.6.12, I could not find any backwards-incompatible changes. There are minor changes to the user experience though. As listed in the updates section, --server-poll-timeout now works for SOCKS proxies. Some documentation has changed too. None of the commits should affect existing configurations though.\n\nFull release notes for versions 2.6.9-2.6.12: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26\n\nChanges from 2.5.9 to 2.5.11 include:\n\nCVE-2024-5594\nCVE-2024-27459\nCVE-2024-24974\nCVE-2024-27903\n\nUpdates:\n\nAllow trailing \\r and \\n in control channel message\n\n2.5.x updates are less common, focusing on CVE fixes. Going commit by commit here, no backwards-incompatible changes exist.\n\nFull release notes for versions 2.5.9-2.5.11: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25\n\n[Test Plan]\n\nDEP-8 Tests:\nserver-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority\nserver-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication\n\n[Regression Potential]\n\nUpstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations. This would most likely include the change of behavior for --server-poll-timeout and allowing \\r and \\n in control channel messages.", "date_last_updated": "Tue Oct 22 21:04:14 2024", "title": "Backport of openvpn for jammy and noble", "source_package_name": "openvpn", "potential_assignee": "", "assignee": "lvoytek", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-24.09", "status": "done", "importance": "Wishlist", "date_created": "Wed Jul 17 00:00:15 2024", "date_assigned": "Fri Jul 19 02:26:32 2024", "date_fix_released": "Tue Oct 22 21:04:12 2024", "date_data_refreshed": "Mon Apr 6 15:32:14 2026" }, { "id": "2073322", "description": "Apart from the oracular update, which will not require a FFe since there are no features being introduced here (see the upstream changes section below), this bug tracks the following MRE updates for the Squid package:\n\n    noble (22.04): Squid 6.10\n\nThis update includes bugfixes following the SRU policy exception defined at https://wiki.ubuntu.com/SquidUpdates.\n\n[Upstream changes]\n\nhttps://www.squid-cache.org/Versions/v6/squid-6.10-RELEASENOTES.html\n\nThe only relevant hunk in a diff from version 6.6 to 6.10 for the upstream \"release notes\" file (doc/release-notes/release-6.html) is\n\n-

No ./configure options have been changed.

\n+
--disable-esi
\n+

The ESI feature is now disabled by default.\n+Use --enable-esi if needed.

\n\nWhich, if applied, would introduce a feature/behavior change here. However, this we already have an \"--enable-esi\" entry in d/rules in the current noble (and oracualar) versions.\n\nThe complete set of changes together with a comprehensive changelog is available at https://github.com/squid-cache/squid/compare/SQUID_6_6..SQUID_6_10.\n\n[Test Plan]\n\nLink the build log containing all tests being executed: https://launchpadlibrarian.net/748286177/buildlog_ubuntu-noble-amd64.squid_6.10-0ubuntu0.24.04.1~ppa1_BUILDING.txt.gz\n\nAll tests are passing during build time, as shown in the build log (builds would fail otherwise, see LP: #2004050).\n\nResults of local autopkgtest run against all the new Squid versions being uploaded here:\n\n - squid/6.10-0ubuntu0.24.04.1~ppa1\n + ✅ squid on noble for amd64 @ 10.09.24 14:02:43 Log️ 🗒️\n + ✅ squid on noble for arm64 @ 10.09.24 14:06:07 Log️ 🗒️\n + ✅ squid on noble for ppc64el @ 10.09.24 14:05:36 Log️ 🗒️\n + ✅ squid on noble for s390x @ 10.09.24 14:01:18 Log️ 🗒️\n\nran with ppa-dev-tools for build in https://launchpad.net/~athos-ribeiro/+archive/ubuntu/squid-mre/+packages\n\n[Regression Potential]\n\nUpstream tests are always executed during build-time. Failures would prevent builds from succeeding.\n\nSquid does not have many reverse dependencies. However, any upgrade is a risk to introduce breakage to other packages. Whenever a regression occurs in autopkgtests, we will investigate and provide fixes.\n\n[Other Info]\n\nNo CVEs are being addressed this time (the ones fixed in between 6.6 and 6.10 are already fixed in noble's security pocket). Therefore, this should go through the updates pockets.\n\nPrevious squid MREs:\n\n- https://pad.lv/2013423\n- https://pad.lv/2040470", "date_last_updated": "Thu Jan 9 20:59:29 2025", "title": "Upstream microrelease 6.10", "source_package_name": "squid", "potential_assignee": "", "assignee": "rr", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-24.08", "status": "done", "importance": "Wishlist", "date_created": "Wed Jul 17 01:25:21 2024", "date_assigned": "Wed Aug 28 15:34:05 2024", "date_fix_released": "Fri Sep 13 03:49:12 2024", "date_data_refreshed": "Mon Apr 6 15:32:15 2026" }, { "id": "2076183", "description": "[Impact]\n\n * MRE for latest stable fixes of Postgres 12, 14, and 16 released on August 2024.\n\n[Test Case]\n\n * The Postgres MREs traditionally rely on the large set of autopkgtests\n   to run for verification. In a PPA, those are all already pre-checked to\n   be good for this upload.\n\n[Regression Potential]\n\n * Upstream tests are usually great and in addition in the Archive there\n   are plenty of autopkgtests that in the past caught issues before being\n   released.\n   But nevertheless there always is a risk for something to break. Since\n   these are general stable releases I can't pinpoint them to a most-likely area.\n   - usually this works smoothly except a few test hiccups (flaky) that need to be clarified to be sure. Pre-checks will catch those to be discussed upfront (as last time)\n\n[Other Info]\n\n * This is a reoccurring MRE, see below and all the references\n * CVEs addressed by this MRE:\n  - CVE-2024-7348\n\nCurrent versions in supported releases that got updates:\n\n postgresql-12 | 12.19-0ubuntu0.20.04.1 | focal-updates | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n postgresql-14 | 14.12-0ubuntu0.22.04.1 | jammy-updates | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n postgresql-16 | 16.3-0ubuntu0.24.04.1 | noble-updates | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n\nSpecial cases:\n- Since there is 1 CVE being fixed here, we will push these MREs through the security pocket.\n- Oracular will sync from Debian\n\nStanding MRE - Consider last updates as template:\n\n- https://pad.lv/1637236\n- https://pad.lv/1664478\n- https://pad.lv/1690730\n- https://pad.lv/1713979\n- https://pad.lv/1730661\n- https://pad.lv/1747676\n- https://pad.lv/1752271\n- https://pad.lv/1786938\n- https://pad.lv/1815665\n- https://pad.lv/1828012\n- https://pad.lv/1833211\n- https://pad.lv/1839058\n- https://pad.lv/1863108\n- https://pad.lv/1892335\n- https://pad.lv/1915254\n- https://pad.lv/1928773\n- https://pad.lv/1939396\n- https://pad.lv/1950268\n- https://pad.lv/1961127\n- https://pad.lv/1973627\n- https://pad.lv/1978249\n- https://pad.lv/1984012\n- https://pad.lv/1996770\n- https://pad.lv/2006406\n- https://pad.lv/2019214\n- https://pad.lv/2028426\n- https://pad.lv/2040469\n- https://pad.lv/2067388\n\nAs usual we test and prep from the PPA and then push through SRU/Security as applicable.\n\nOnce ready, the test packages should be available at https://launchpad.net/~canonical-server/+archive/ubuntu/postgresql-sru-preparation/+packages", "date_last_updated": "Mon Aug 19 14:51:39 2024", "title": "New upstream microreleases 12.20, 14.13, and 16.4", "source_package_name": "postgresql-16", "potential_assignee": "", "assignee": "", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "", "status": "", "importance": "Undecided", "date_created": "Tue Aug 6 17:48:19 2024", "date_assigned": null, "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:37:13 2026" }, { "id": "2085186", "description": "Backports of bind9 once the update for plucky has been completed.\n\n\n\n[Impact]\nTBD\n\n[Major Changes]\nTBD\n\n[Test Plan]\nTBD\n\n[Regression Potential]\nUpstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.\n", "date_last_updated": "Mon Jan 19 11:25:33 2026", "title": "Backport of bind9 from plucky", "source_package_name": "bind9", "potential_assignee": "", "assignee": "lvoytek", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.02", "status": "new", "importance": "Wishlist", "date_created": "Tue Oct 22 01:38:58 2024", "date_assigned": "Tue Oct 22 15:10:44 2024", "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:32:17 2026" }, { "id": "2085187", "description": "[Impact]\n\nIn order to follow our policy on keeping the container stack (docker.io-app, containerd-app, runc, runc-app, docker-buildx, and docker-compose-v2) up-to-date in our supported releases, let's backport the stack in Plucky to Oracular, Noble, Jammy, and Focal.\n\n[Test Plan]\n\nPer https://wiki.ubuntu.com/DockerUpdates, our test case is the autopkgtests.\n\nAll packages were built in https://launchpad.net/~athos-ribeiro/+archive/ubuntu/container-stack-pp/+packages.\n\nApart from runc-app, all packages are failing their autopkgtest runs in our infrastructure due to the dockerhub pull rate limits. For those (docker.io-app, containerd-app, docker-buildx, and docker-compose-v2), we ran the autopkgtest suite locally. All tests are passing.\n\n[Where problems could occur]\n\nAs usual, we deliver most benefit to our users by delivering an upstream experience. A risk of regressions is part of that.\n\n[Past MREs]\n\n- https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2040461\n- https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2040460", "date_last_updated": "Tue Jun 3 13:03:18 2025", "title": "Backport of container-stack for plucky", "source_package_name": "runc-app", "potential_assignee": "", "assignee": "", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "", "status": "done", "importance": "Undecided", "date_created": "Wed May 21 16:54:14 2025", "date_assigned": null, "date_fix_released": "Wed May 21 16:56:08 2025", "date_data_refreshed": "Mon Apr 6 15:37:56 2026" }, { "id": "2085192", "description": "[Impact]\n\nMRE for the latest stable OpenLDAP 2.5.x release, 2.5.19.\n\nThis update includes bugfixes only following the SRU policy exception defined at https://wiki.ubuntu.com/OpenLDAPUpdates.\n\n[Major Changes]\n\nSee the list of bugs fixed in this release here:\n\nhttps://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/7KZAKDA6JVNDFXF4L4T5EPAXTWNAWRW3/\n\n[Test Plan]\n\n1. Upstream gitlab pipeline results:\n\nhttps://git.openldap.org/openldap/openldap/-/commit/923ed40c391af61cd2da0797c254bae749e4da50/pipelines\n\n2. Upstream \"call for testing\":\n\nhttps://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/message/4W7ZAJVX72IV3YGIGINH45HVBBD5KCAC/\n\n3. As described in the MRE wiki page for OpenLDAP, the test plan is to build the package in a PPA and make sure that (a) all build-time tests pass and (b) all autopkgtest runs (from reverse dependencies) also pass.\n\n* Build log (amd64) confirming that the build-time testsuite has been performed and completed successfully:\n  - https://launchpadlibrarian.net/789184901/buildlog_ubuntu-jammy-amd64.openldap_2.5.19+dfsg-0ubuntu0.22.04.1_BUILDING.txt.gz\n\n* Test results:\n - openldap: jammy/openldap/2.5.19+dfsg-0ubuntu0.22.04.1 [amd64]\n + ✅ openldap on jammy for amd64 @ 22.04.25 07:14:56 Log️ 🗒️\n - openldap: jammy/openldap/2.5.19+dfsg-0ubuntu0.22.04.1 [arm64]\n + ✅ openldap on jammy for arm64 @ 22.04.25 07:15:18 Log️ 🗒️\n - openldap: jammy/openldap/2.5.19+dfsg-0ubuntu0.22.04.1 [armhf]\n + ✅ openldap on jammy for armhf @ 22.04.25 07:18:34 Log️ 🗒️\n - openldap: jammy/openldap/2.5.19+dfsg-0ubuntu0.22.04.1 [i386]\n + ❌ openldap on jammy for i386 @ 22.04.25 07:35:04 Log️ 🗒️\n • slapd FAIL 🟥\n • smbk5pwd FAIL 🟥\n • sha2-contrib FAIL 🟥\n - openldap: jammy/openldap/2.5.19+dfsg-0ubuntu0.22.04.1 [ppc64el]\n + ✅ openldap on jammy for ppc64el @ 22.04.25 07:16:55 Log️ 🗒️\n - openldap: jammy/openldap/2.5.19+dfsg-0ubuntu0.22.04.1 [riscv64]\n + ⛔ openldap on jammy for riscv64 @ 22.04.25 08:52:12 Log️ 🗒️\n • testbed BAD ⛔\n - openldap: jammy/openldap/2.5.19+dfsg-0ubuntu0.22.04.1 [s390x]\n + ✅ openldap on jammy for s390x @ 22.04.25 07:16:01 Log️ 🗒️\n\nriscv64 is a new architecture, and i386 is a semi-obsolete one so their test failures are probably not relevant to the validity of this backport.\n\n[Where problems could occur]\nUpstream tests are always executed during build-time. There are many reverse dependencies whose dep8 tests depend on OpenLDAP so the coverage is good. Nevertheless, there is always a risk for something to break since we are dealing with a microrelease upgrade. Whenever a test failure is detected, we will be on top of it and make sure it doesn't affect existing users.\n\n[Other Info]\n\nThis is a reoccurring MRE. See below for links to previous OpenLDAP MREs.\n\n * CVEs fixed by this release:\n   - None.\n\nCurrent versions in supported releases that got updates:\n  openldap | 2.5.16+dfsg-0ubuntu0.22.04.2 | jammy-security\n  openldap | 2.5.18+dfsg-0ubuntu0.22.04.3 | jammy-updates\n\nSpecial cases:\n- None.\n\nPrevious MREs for OpenLDAP:\n- https://pad.lv/1977627\n- https://pad.lv/1983618\n- https://pad.lv/2007625\n- https://pad.lv/2027079\n- https://pad.lv/2029170\n- https://pad.lv/2040465\n- https://pad.lv/2067745\n\nAs usual we test and prep from the PPA and then push through SRU/Security as applicable.", "date_last_updated": "Sat Jul 5 03:16:34 2025", "title": "Backport new upstream microrelease openldap 2.5.19 to jammy", "source_package_name": "openldap", "potential_assignee": "", "assignee": "bryce", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.02", "status": "done", "importance": "High", "date_created": "Tue Oct 22 01:40:01 2024", "date_assigned": "Fri Mar 14 21:21:15 2025", "date_fix_released": "Wed May 14 07:39:48 2025", "date_data_refreshed": "Mon Apr 6 15:31:59 2026" }, { "id": "2085193", "description": "Backport open-vm-tools to plucky once the update for plucky has been completed.\n\n\n\n[Impact]\nTBD\n\n[Major Changes]\nTBD\n\n[Test Plan]\nTBD\n\n[Regression Potential]\nUpstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.\n\n\n", "date_last_updated": "Mon May 12 06:32:42 2025", "title": "Backport of open-vm-tools for plucky", "source_package_name": "open-vm-tools", "potential_assignee": "", "assignee": "", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.03", "status": "no-merge-needed", "importance": "Wishlist", "date_created": "Tue Oct 22 01:40:12 2024", "date_assigned": null, "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:32:23 2026" }, { "id": "2085194", "description": "Backport openvpn to plucky once the update for plucky has been completed.\n\n\n\n[Impact]\nTBD\n\n[Major Changes]\nTBD\n\n[Test Plan]\nTBD\n\n[Regression Potential]\nUpstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations, such as in relation to the versions of dependencies available and other packaging-specific matters.\n\n\n", "date_last_updated": "Mon Jan 19 11:25:51 2026", "title": "Backport of openvpn for plucky", "source_package_name": "openvpn", "potential_assignee": "", "assignee": "lvoytek", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.02", "status": "new", "importance": "Wishlist", "date_created": "Tue Oct 22 01:40:24 2024", "date_assigned": "Tue Oct 22 15:10:34 2024", "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:32:26 2026" }, { "id": "2085196", "description": "[Impact]\n\n * MRE for latest stable fixes of Postgres 12, 14, and 16 released on November 2024.\n\n[Test Case]\n\n * The Postgres MREs traditionally rely on the large set of autopkgtests\n to run for verification. In a PPA, those are all already pre-checked to\n be good for this upload.\n\n[Regression Potential]\n\n * Upstream tests are usually great and in addition in the Archive there\n are plenty of autopkgtests that in the past caught issues before being\n released.\n But nevertheless there always is a risk for something to break. Since\n these are general stable releases I can't pinpoint them to a most-likely area.\n - usually this works smoothly except a few test hiccups (flaky) that need to be clarified to be sure. Pre-checks will catch those to be discussed upfront (as last time)\n\n[Other Info]\n\n * This is a reoccurring MRE, see below and all the references\n * CVEs addressed by this MRE:\n - CVE-2024-10976\n - CVE-2024-10977\n - CVE-2024-10978\n - CVE-2024-10979\n\nCurrent versions in supported releases that got updates:\n\n postgresql-12 | 12.20-0ubuntu0.20.04.1 | focal-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n postgresql-14 | 14.13-0ubuntu0.22.04.1 | jammy-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n postgresql-16 | 16.4-0ubuntu0.24.04.2 | noble-updates | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n postgresql-16 | 16.4-1build1 | oracular | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n\nSpecial cases:\n- Since there are 4 CVEs being fixed here, we will push these MREs through the security pocket.\n- Plucky will sync from Debian\n\nStanding MRE - Consider last updates as template:\n\n- https://pad.lv/1637236\n- https://pad.lv/1664478\n- https://pad.lv/1690730\n- https://pad.lv/1713979\n- https://pad.lv/1730661\n- https://pad.lv/1747676\n- https://pad.lv/1752271\n- https://pad.lv/1786938\n- https://pad.lv/1815665\n- https://pad.lv/1828012\n- https://pad.lv/1833211\n- https://pad.lv/1839058\n- https://pad.lv/1863108\n- https://pad.lv/1892335\n- https://pad.lv/1915254\n- https://pad.lv/1928773\n- https://pad.lv/1939396\n- https://pad.lv/1950268\n- https://pad.lv/1961127\n- https://pad.lv/1973627\n- https://pad.lv/1978249\n- https://pad.lv/1984012\n- https://pad.lv/1996770\n- https://pad.lv/2006406\n- https://pad.lv/2019214\n- https://pad.lv/2028426\n- https://pad.lv/2040469\n- https://pad.lv/2067388\n- https://pad.lv/2076183\n\nAs usual we test and prep from the PPA and then push through SRU/Security as applicable.\n\nOnce ready, the test packages should be available at https://launchpad.net/~canonical-server/+archive/ubuntu/postgresql-sru-preparation/+packages", "date_last_updated": "Mon Dec 2 12:19:07 2024", "title": "New PostgreSQL upstream microreleases 12.22, 14.15 and 16.6", "source_package_name": "postgresql-16", "potential_assignee": "", "assignee": "", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-24.11", "status": "", "importance": "Wishlist", "date_created": "Tue Oct 22 01:40:55 2024", "date_assigned": null, "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:32:29 2026" }, { "id": "2085197", "description": "This bug tracks the following MRE updates for the Squid package:\n\n  noble (24.04): Squid 6.13\n  oracular (24.10): Squid 6.13\n\nThis update includes bugfixes following the SRU policy exception defined at https://wiki.ubuntu.com/SquidUpdates.\n\n[Upstream changes]\n\nhttps://github.com/squid-cache/squid/blob/master/ChangeLog\n(noble: 6.6 -> 6.10 -> 6.13); (oracular: 6.10 -> 6.13)\n\nNo new features, just bug fixes, docs, and codebase cleanups. Bug fixes include the following:\n\n - Bug 5352: Do not get stuck when RESPMOD is slower than read(2)\n - Bug 5405: Large uploads fill request buffer and die\n - Bug 5093: List http_port params that https_port/ftp_port lack\n - Bug 5311: clarify configuration byte units\n - Bug 5091: document that changes to workers require restart\n - Bug 5481: Fix GCC v14 build [-Wmaybe-uninitialized]\n - Fix GCC v14 [-Wanalyzer-null-dereference] warnings in Kerberos\n - Nil request dereference in ACLExtUser and SourceDomainCheck ACLs\n - Fix systemd startup sequence to require active Local Filesystem\n - ext_time_quota_acl: remove -l option\n - Fix validation of Digest auth header parameters\n - Improve robustness of DNS code on reconfigure\n - Prevent slow memory leak in TCP DNS queries\n - Improve errors emitted when invalid ACLs are parsed\n\next_time_quota_acl is an external acl helper for usage quotas. The -l flag permitted logging to a file, and was dropped to facilitate a rewrite of ext_time_quota_acl into C++. Upstream's recommendation for users of this functionality is to emulate it using shell redirection. (See https://github.com/squid-cache/squid/pull/1872)\n\n[Test Plan]\n\nLink the build log containing all tests being executed: \nhttps://launchpadlibrarian.net/790377113/buildlog_ubuntu-oracular-amd64.squid_6.13-0ubuntu0.24.10.1~oracular1_BUILDING.txt.gz\n\n PASS: syntheticoperators\n PASS: splay\n PASS: mem_node_test\n PASS: VirtualDeleteOperator\n PASS: mem_hdr_test\n PASS: ESIExpressions\n ============================================================================\n Testsuite summary for Squid Web Proxy 6.13\n ============================================================================\n # TOTAL: 6\n # PASS: 6\n # SKIP: 0\n # XFAIL: 0\n # FAIL: 0\n # XPASS: 0\n # ERROR: 0\n\n(Other builds visible at https://launchpad.net/~bryce/+archive/ubuntu/squid-backport-lp2085197/+packages)\n\nAll tests are passing during build time, as shown in the build log (builds would fail otherwise, see LP: #2004050).\n\nResults of local autopkgtest run against all the new Squid versions being uploaded here:\n\nDEP8 tests:\n - squid: oracular/squid/6.13-0ubuntu0.24.10.1~oracular1\n + ✅ squid on oracular for amd64 @ 01.05.25 01:25:20 Log️ 🗒️\n + ✅ squid on oracular for arm64 @ 01.05.25 01:28:24 Log️ 🗒️\n + ✅ squid on oracular for ppc64el @ 01.05.25 01:27:53 Log️ 🗒️\n + ✅ squid on oracular for s390x @ 01.05.25 01:26:28 Log️ 🗒️\n + ❌ squid on oracular for armhf @ 01.05.25 01:28:11 Log️ 🗒️\n • upstream-test-suite PASS 🟩\n • squid FAIL 🟥\n + ❌ squid on oracular for i386 @ 01.05.25 01:17:26 Log️ 🗒️\n • upstream-test-suite FAIL 🟥\n • squid FAIL 🟥\n + ⛔ squid on oracular for riscv64 @ 01.05.25 02:42:09 Log️ 🗒️\n • testbed BAD ⛔\n\n* The armhf failure is same thing that already happens in production:\n - https://autopkgtest.ubuntu.com/packages/s/squid/oracular/armhf\n - Log mentions \"Access denied\" so is perhaps a platform problem?\n\n* The riscv64 architecture is relatively new and may not block migration.\n - There are no results in production for this architecture\n - https://autopkgtest.ubuntu.com/packages/s/squid/oracular/riscv64\n\n* The i386 architecture is semi-obsolescent, and production is also seeing\n fails, so presumably this is not a blocking issue either.\n - https://autopkgtest.ubuntu.com/packages/s/squid/oracular/i386\n\nRan with ppa-dev-tools for build in https://launchpad.net/~bryce/+archive/ubuntu/squid-backport-lp2085197\n\n[Regression Potential]\n\nUpstream tests are always executed during build-time. Failures would prevent builds from succeeding.\n\nSquid does not have many reverse dependencies. However, any upgrade is a risk to introduce breakage to other packages. Whenever a regression occurs in autopkgtests, we will investigate and provide fixes.\n\n[Other Info]\n\nNo CVEs are being addressed this time. Therefore, this should go through the updates pockets.\n\n[Previous squid MREs]\n\n* LP: #2013423 5.7 for Jammy\n* LP: #2040470 5.9 for Jammy\n* LP: #2073322 6.10 for Noble", "date_last_updated": "Wed Jul 16 19:48:08 2025", "title": "Backport MRE of squid 6.13 to noble", "source_package_name": "squid", "potential_assignee": "", "assignee": "bryce", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.02", "status": "done", "importance": "High", "date_created": "Tue Oct 22 01:41:13 2024", "date_assigned": "Tue Feb 25 01:50:04 2025", "date_fix_released": "Thu May 15 08:05:32 2025", "date_data_refreshed": "Mon Apr 6 15:32:01 2026" }, { "id": "2099900", "description": "[Impact]\n\n * MRE for latest stable fixes of Postgres 14 and 16 released on February 2025.\n\n[Test Case]\n\n * The Postgres MREs traditionally rely on the large set of autopkgtests\n   to run for verification. In a PPA, those are all already pre-checked to\n   be good for this upload.\n\n[Regression Potential]\n\n * Upstream tests are usually great and in addition in the Archive there\n   are plenty of autopkgtests that in the past caught issues before being\n   released.\n   But nevertheless there always is a risk for something to break. Since\n   these are general stable releases I can't pinpoint them to a most-likely area.\n   - usually this works smoothly except a few test hiccups (flaky) that need to be clarified to be sure. Pre-checks will catch those to be discussed upfront (as last time)\n\n[Other Info]\n\n * This is a reoccurring MRE, see below and all the references\n * CVEs addressed by this MRE:\n  - CVE-2025-1094\n\nCurrent versions in supported releases that got updates:\n\n postgresql-14 | 14.15-0ubuntu0.22.04.1 | jammy-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n postgresql-16 | 16.6-0ubuntu0.24.04.1 | noble-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n postgresql-16 | 16.6-0ubuntu0.24.10.1 | oracular-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n\nSpecial cases:\n- Since there is one CVE being fixed here, we will push these MREs through the security pocket.\n- Plucky alrady sync'd 17.4 with from Debian, which contains those fixes as well.\n\nStanding MRE - Consider last updates as template:\n\n- https://pad.lv/1637236\n- https://pad.lv/1664478\n- https://pad.lv/1690730\n- https://pad.lv/1713979\n- https://pad.lv/1730661\n- https://pad.lv/1747676\n- https://pad.lv/1752271\n- https://pad.lv/1786938\n- https://pad.lv/1815665\n- https://pad.lv/1828012\n- https://pad.lv/1833211\n- https://pad.lv/1839058\n- https://pad.lv/1863108\n- https://pad.lv/1892335\n- https://pad.lv/1915254\n- https://pad.lv/1928773\n- https://pad.lv/1939396\n- https://pad.lv/1950268\n- https://pad.lv/1961127\n- https://pad.lv/1973627\n- https://pad.lv/1978249\n- https://pad.lv/1984012\n- https://pad.lv/1996770\n- https://pad.lv/2006406\n- https://pad.lv/2019214\n- https://pad.lv/2028426\n- https://pad.lv/2040469\n- https://pad.lv/2067388\n- https://pad.lv/2076183\n- https://pad.lv/2085196\n\nAs usual we test and prep from the PPA and then push through SRU/Security as applicable.\n\nOnce ready, the test packages should be available at https://launchpad.net/~canonical-server/+archive/ubuntu/postgresql-sru-preparation/+packages", "date_last_updated": "Mon Mar 3 13:12:48 2025", "title": " New PostgreSQL upstream microreleases 14.17 and 16.8 ", "source_package_name": "postgresql-16", "potential_assignee": "", "assignee": "", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "", "status": "", "importance": "Undecided", "date_created": "Mon Feb 24 14:23:12 2025", "date_assigned": null, "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:37:45 2026" }, { "id": "2112523", "description": "[Impact]\n\nIn order to follow our policy [1] on keeping the container stack\n(docker.io-app, containerd-app, runc, runc-app, docker-buildx, and\ndocker-compose-v2) up-to-date in our supported releases, we will backport\ndocker.io-app, docker-buildx, and docker-compose-v2 from questing to plucky, noble, and jammy. We will also update containerd-app to the newest version of the 1.7.x series to to avoid major disruptions as covered by the process described in [1].\nFinally, for runc-app we considered following the same conservative approach as the one for containerd-app, however, as described in the 1.3.0 release notes [2], there are no breaking changes other than an improvement on the mount-related error output. Therefore, we will also backport 1.3.0 in questing to all supported Ubuntu series.\n\nCVEs:\n\n- docker-buildx is fixing CVE-2025-0495 and therefore it should be pushed through the security pocket.\n\n[Test Plan]\n\nAs described in [1], our test case is the autopkgtests.\n\nAll packages were built in https://launchpad.net/~athos-ribeiro/+archive/ubuntu/container-stack-qq/+packages.\n\ncontainerd-app, runc-app, and docker.io-app autopkgtests ran successfully for all supported architectures (but riscv64) in the PPA linked above.\n\ndocker-buildx and docker-compose-v2 are failing their autopkgtest runs in our infrastructure due to the dockerhub pull rate limits. For those, we ran the autopkgtest suite locally. All tests are passing.\n\n[Where problems could occur]\n\nAs usual, we deliver most benefit to our users by delivering an upstream experience. A risk of regressions is part of that.\n\n[Past MREs]\n\n- https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2040461\n- https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2040460\n- https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2085187\n\n[ References ]\n\n[1] https://documentation.ubuntu.com/sru/en/latest/reference/exception-Docker-Updates/\n[2] https://github.com/opencontainers/runc/releases/tag/v1.3.0", "date_last_updated": "Tue Oct 7 08:27:14 2025", "title": "Backport of container-stack from questing", "source_package_name": "runc-app", "potential_assignee": "", "assignee": "", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "", "status": "done", "importance": "Undecided", "date_created": "Thu Sep 18 20:25:46 2025", "date_assigned": null, "date_fix_released": "Thu Sep 18 20:27:04 2025", "date_data_refreshed": "Mon Apr 6 15:38:17 2026" }, { "id": "2112525", "description": "[Impact]\n\nThis bug tracks the following MRE updates for the DPDK package:\n\n* \n\nSee https://core.dpdk.org/roadmap/\n\nThese updates are a best effort to only include bug fixes, following the\nSRU policy exception defined at\nhttps://wiki.ubuntu.com/StableReleaseUpdates/DPDK.\n\n\n[Major Changes]\n\n* \n - \n - \n\n\n[Test Plan]\n\nSee https://wiki.ubuntu.com/StableReleaseUpdates/DPDK#SRU_TestVerify\n\n\n\n\n[Regression Potential]\n\nUpstream performs extensive testing before release, giving us a high\ndegree of confidence in the general case. There problems are most likely\nto manifest in Ubuntu-specific integrations, such as in relation to the\nversions of dependencies available and other packaging-specific matters.\nTherefore that is what our verification focuses on.\n\n\n\n\n[Other Info]\n\nThis is a recurring effort. For reference, here are previous DPDK SRU backports:\n\n* LP: #1784816\n* LP: #1817675\n* LP: #1836365\n* LP: #1912464\n* LP: #1940913\n* LP: #2002404\n* LP: #2026351 for mantic\n* LP: #2067480 for oracular\n* \n", "date_last_updated": "Fri Aug 29 05:11:37 2025", "title": "Backport of dpdk from questing", "source_package_name": "dpdk", "potential_assignee": "", "assignee": "paelzer", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.09", "status": "done", "importance": "Wishlist", "date_created": "Thu Jun 5 07:29:59 2025", "date_assigned": "Thu Aug 28 08:08:33 2025", "date_fix_released": "Fri Aug 29 05:11:34 2025", "date_data_refreshed": "Mon Apr 6 15:32:35 2026" }, { "id": "2112526", "description": "This bug tracks an update for the HAProxy package in the following Ubuntu\nreleases to the versions below:\n\n* plucky (25.04): HAProxy 3.0.10 (See entries from 3.0.9 to 3.0.10).\n* noble (24.04): HAProxy 2.8.15 (See entries from 2.8.6 to 2.8.15).\n* jammy (22.04): HAProxy 2.4.29 (See entries from 2.4.15 to 2.4.29).\n\nThese updates include bugfixes only following the SRU policy exception defined\nat https://documentation.ubuntu.com/sru/en/latest/reference/exception-HAProxy-Updates\n\nDISCLAIMER: For these updates, we are not upgrading to the latest patch version possible. Instead, we are sticking to the versions which include the fixes up to the version we currently ship in questing to avoid upgrade path regressions.\n\n[Upstream changes]\n\nHAProxy 3.0.10: https://www.haproxy.org/download/3.0/src/CHANGELOG\nHAProxy 2.8.15: https://www.haproxy.org/download/2.8/src/CHANGELOG\nHAProxy 2.4.29: https://www.haproxy.org/download/2.4/src/CHANGELOG\n\nImportant bug fixes include:\n\n* noble (24.04) - HAProxy 2.8.15:\n - BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions\n - BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()\n - BUG/MAJOR: server: fix stream crash due to deleted server\n - BUG/MAJOR: promex: fix crash on deleted server\n - BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe\n - BUG/MAJOR: server: do not delete srv referenced by session\n - BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state\n - BUG/MAJOR: quic: reject too large CRYPTO frames\n - BUG/MAJOR: ocsp: Separate refcount per instance and per store\n - BUG/MAJOR: quic: fix wrong packet building due to already acked frames\n\n* jammy (22.04) - HAProxy 2.4.29:\n - BUG/MAJOR: server: do not delete srv referenced by session\n - BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()\n - BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers\n - BUG/MAJOR: mux-pt: Always destroy the backend connection on detach\n - BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe\n\n[Test Plan]\n\nSince the upstream CI piplines do not run (publicly) for HAProxy 2.4, 2.8, and 3.0, we triggered those using the upstream project github workflows:\n\nHAproxy 2.4.29 (jammy): https://github.com/athos-ribeiro/haproxy-2.4/actions\nHAproxy 2.8.15 (noble): https://github.com/athos-ribeiro/haproxy-2.8/actions\nHAproxy 3.0.10 (plucky): https://github.com/athos-ribeiro/haproxy-3.0/actions\n\nThe windows related workflows are failing, but this should not be relevant here. For 2.4 and 2.8, the macOS tests in the vtest workflow are also failing. These should not be relevant here either.\n\nThere is an error in the spec compliance run for the 2.4 actions. However, we can see in the actions matrix that upstream did add a \"-Wno-deprecated-declarations\" when openssl3 is being used for the other test runs (it seems it is just missing for this run). I patched the github actions workflow to add the missing flag and the test passes, as one can see in the 2.4 github repository above.\n\nThe vtest workflow was failing for 2.8 and 3.0. The workflow is configure to run on ubuntu-latest and depend on libpcre2. I replaced the dependency to libpcre3 and the tests pass.\n\nSome of the spelling checks are also failing, which should not be relevant here.\n\nA test build set is available at https://launchpad.net/~athos/+archive/ubuntu/haproxy/+packages. We ran the haproxy DEP8 test suite for the packages built in that PPA. Here are the results:\n\n* Results:\n  - haproxy: jammy/haproxy/2.4.29-0ubuntu0.22.04.1~ppa1 [amd64]\n    + ✅ haproxy on jammy for amd64 @ 11.10.25 01:21:25 Log️ 🗒️\n  - haproxy: jammy/haproxy/2.4.29-0ubuntu0.22.04.1~ppa1 [arm64]\n    + ✅ haproxy on jammy for arm64 @ 11.10.25 01:21:38 Log️ 🗒️\n  - haproxy: jammy/haproxy/2.4.29-0ubuntu0.22.04.1~ppa1 [armhf]\n    + ✅ haproxy on jammy for armhf @ 11.10.25 01:24:48 Log️ 🗒️\n  - haproxy: jammy/haproxy/2.4.29-0ubuntu0.22.04.1~ppa1 [i386]\n  - haproxy: jammy/haproxy/2.4.29-0ubuntu0.22.04.1~ppa1 [ppc64el]\n    + ✅ haproxy on jammy for ppc64el @ 11.10.25 01:21:58 Log️ 🗒️\n  - haproxy: jammy/haproxy/2.4.29-0ubuntu0.22.04.1~ppa1 [s390x]\n    + ✅ haproxy on jammy for s390x @ 11.10.25 01:20:56 Log️ 🗒️\n  - haproxy: noble/haproxy/2.8.15-0ubuntu0.24.04.1~ppa1 [amd64]\n    + ✅ haproxy on noble for amd64 @ 11.10.25 01:20:32 Log️ 🗒️\n  - haproxy: noble/haproxy/2.8.15-0ubuntu0.24.04.1~ppa1 [arm64]\n    + ✅ haproxy on noble for arm64 @ 11.10.25 01:21:27 Log️ 🗒️\n  - haproxy: noble/haproxy/2.8.15-0ubuntu0.24.04.1~ppa1 [armhf]\n    + ✅ haproxy on noble for armhf @ 11.10.25 01:23:59 Log️ 🗒️\n  - haproxy: noble/haproxy/2.8.15-0ubuntu0.24.04.1~ppa1 [i386]\n  - haproxy: noble/haproxy/2.8.15-0ubuntu0.24.04.1~ppa1 [ppc64el]\n    + ✅ haproxy on noble for ppc64el @ 11.10.25 01:21:23 Log️ 🗒️\n  - haproxy: noble/haproxy/2.8.15-0ubuntu0.24.04.1~ppa1 [s390x]\n    + ✅ haproxy on noble for s390x @ 11.10.25 01:20:38 Log️ 🗒️\n  - haproxy: plucky/haproxy/3.0.10-0ubuntu0.25.04.1~ppa1 [amd64]\n    + ✅ haproxy on plucky for amd64 @ 11.10.25 01:20:26 Log️ 🗒️\n  - haproxy: plucky/haproxy/3.0.10-0ubuntu0.25.04.1~ppa1 [arm64]\n    + ✅ haproxy on plucky for arm64 @ 11.10.25 01:22:09 Log️ 🗒️\n  - haproxy: plucky/haproxy/3.0.10-0ubuntu0.25.04.1~ppa1 [armhf]\n    + ✅ haproxy on plucky for armhf @ 11.10.25 01:23:55 Log️ 🗒️\n  - haproxy: plucky/haproxy/3.0.10-0ubuntu0.25.04.1~ppa1 [i386]\n  - haproxy: plucky/haproxy/3.0.10-0ubuntu0.25.04.1~ppa1 [ppc64el]\n    + ✅ haproxy on plucky for ppc64el @ 11.10.25 01:21:43 Log️ 🗒️\n  - haproxy: plucky/haproxy/3.0.10-0ubuntu0.25.04.1~ppa1 [s390x]\n    + ✅ haproxy on plucky for s390x @ 11.10.25 01:20:36 Log️ 🗒️\n\n[Regression Potential]\n\nHAProxy itself does not have many reverse dependencies, however, any upgrade is\na risk to introduce some breakage to other packages. Whenever a test failure is\ndetected, we will be on top of it and make sure it doesn't affect existing\nusers.\n\n[Regression Potential - Changes Analysis (CA)]\n\nThere is a significant number of low regression risk (as per upstream classification) functional changes.\n\nMoreover, some (fewer) bug fixes have a possible medium regression risk (again, as per upstream classification).\n\nThe functional changes mentioned above were included because they are, in majority, needed by other entries which are bug fixes, i.e., these are functional changes needed to fix specific bugs.\n\n[Regression Potential - CA - Upstream changes classification criteria]\n\nhttps://github.com/haproxy/haproxy/blob/master/CONTRIBUTING#L632\ndescribes the upstream guidelines for tagging the entries in the upstream changelog based\non their purpose, importance, severity, etc.\n\nBelow, I summarize the relevant bits of such guidelines.\n\nPatches \"fixing a bug must have the 'BUG' tag\", e.g., \"BUG/MAJOR: description\"\n\n\"When the patch cannot be categorized, [...] only use a risk or complexity\ninformation [...]. This is commonly the case for new features\". For\ninstance, \"MINOR: description\"\n\nFor MINOR tags, the patch \"is safe enough to be backported to stable\nbranches\".\n\nPatches tagged MEDIUM \"may cause unexpected regressions of low importance\n[...], the patch is safe but touches working areas\".\n\nPatches tagged MAJOR carry a \"major risk of hidden regression\". No changes are tagged MAJOR without a bug classifier, i.e., all of the patches classified as MAJOR are BUG/MAJOR and will be discussed below.\n\nThere is also a CRITICAL tag but no changes are tagged with it in the new\ncandidate versions.\n\n[Regression Potential - CA - Impact]\n\nFor the next Jammy update, we would upgrade HAPRoxy from 2.4.14 to 2.4.29. Among\nthe changes, there are 5 bug fixes tagged as BUG/MAJOR and 15 uncategorized changes (potentially functional), where 13 are tagged as MINOR and 2 are tagged as MEDIUM.\n\nFor the next Noble update, we would upgrade HAPRoxy from 2.8.5 to 2.8.15. This has the largest impactful change set for these proposed HAProxy upgrades. Among the changes, there are 12 bug fixes tagged as BUG/MAJOR and 80 uncategorized changes (potentially functional), where 74 are tagged as MINOR and 6 are tagged as MEDIUM.\n\nFor the next Plucky update, we would upgrade HAPRoxy from 3.0.8 to 3.0.10. Among the changes, there are 21 uncategorized changes (potentially functional), where 20 are tagged as MINOR and 1 is tagged as MEDIUM.\n\n[Regression Potential - CA - Assessment]\n\nBelow we discuss the changes with the greater regression potential (and the most relevant uncategorized ones, which may contain functional changes)\n\nAll uncategorized MINOR changes are either adding new internal functions used by other bug fixes, or other internal changes where regressions are not expected. Hence, they will not be discussed.\n\nUnless they are discussed below changes tagged BUG/MAJOR had the MAJOR tag chosen due to the severity of the bugs and not due to the regression potential (and that is why they are not being discussed).\n\nPlucky (25.04): HAProxy 3.0.10:\n\n- MEDIUM: epoll: skip reports of stale file descriptors\n\nThis was an internal change to make the poller stop reporting events for wrong file descriptions.\n\nNoble (24.04): HAProxy 2.8.15:\n\n- BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions\n\nThis was done to mimic the behavior of the OpenSSL socket BIO\n\n- MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection\n\nThis introduces two new configuration keywords\n      tune.h2.be.glitches-threshold\n      tune.h2.fe.glitches-threshold\nto set a glitch threshold to eliminate bad behaving clients. The default value is set to zero, meaning no threshold is set, i.e., there is no change of behavior by default.\n\n- MEDIUM: debug: on panic, make the target thread automatically allocate its buf\n\nThis is an improvement on how threads states are kept upon panic to improve debugging. This is a functional change, but helpful for debugging and only triggered upon panic.\n\n- MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option\n\nFor HTTP/1, accept invalid entries for chuncked Transfer-Encoding values when the accept-invalid-http-response is set. This is done to match the 2.4 behavior (jammy).\n\n- MEDIUM: ssl: initialize the SSL stack explicitly\n\nThe SSL stack will always be fully, explicitly initialized. This was needed to fix issues with FIPS enabled servers.\n\n- MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)\n\nThis sets a default value for fd_hard_limit in case it is not set in the configuration to a reasonable vaule of 1048576. This is done to avoid having the process killed by its watchdog on systems where the limit is too high. The fd_hard_limit configuration has precedence over the new default value. Hence, any issues for special cases where it needs to be larger than the new default value, can be fixed by setting a value for fd_hard_limit.\n\n- MEDIUM: config: prevent communication with privileged ports\n\nIntroduces a new configuration harden.reject_privileged_ports.{tcp|quic}. This is a security feature and the default is to not reject connections from privileged ports to avoid regressions (i.e., maintain the pre-upgrade behavior).\n\nJammy (22.04): HAProxy 2.4.29:\n\n- MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and susbscribe for reads\n\nThis internal change is needed to fix a bug to properly handle abortonclose when it is set on backend only. This was functional, non-buggy code being touched and thus the MEDIUM tag.\n\n- MEDIUM: ssl: initialize the SSL stack explicitly\n\nThe SSL stack will always be fully, explicitly initialized. This was needed to fix issues with FIPS enabled servers.\n\n[Appendix A - Upstream potentially breaking changes list]\n\nBelow you will find the list of changes I extracted from the full changelogs of\nthe new candidate versions. I filtered the changelogs with the following command:\n\n$ cat $CHANGELOG_FILE | grep -E '^[^ ]|(- )?(MAJOR|CRIT)|- (MINOR|MEDIUM)'\n\nThis selected only the unclassified (not bug fixing) changes and the bug fixing\nchanges classified as BUG/MAJOR or BUG/CRITICAL.\n\nPlucky:\n2025/04/22 : 3.0.10\n    - MINOR: log: support \"raw\" logformat node typecast\n    - MINOR: task: add thread safe notification_new and notification_wake variants\n    - MINOR: fd: add a generation number to file descriptors\n    - MINOR: epoll: permit to mask certain specific events\n    - MEDIUM: epoll: skip reports of stale file descriptors\n    - MINOR: tools: also protect the library name resolution against concurrent accesses\n2025/03/20 : 3.0.9\n    - MINOR: mux-quic: change return value of qcs_attach_sc()\n    - MINOR: startup: adjust alert messages, when capabilities are missed\n    - MINOR: clock: always use atomic ops for global_now_ms\n    - MINOR: tinfo: add a new thread flag to indicate a call from a sig handler\n    - MINOR: freq_ctr: provide non-blocking read functions\n    - MINOR: cfgparse/peers: provide more info when ignoring invalid \"peer\" or \"server\" lines\n    - MINOR: compiler: add a simple macro to concatenate resolved strings\n    - MINOR: compiler: add a new __decl_thread_var() macro to declare local variables\n    - MINOR: tools: resolve main() only once in resolve_sym_name()\n    - MINOR: tools: use only opportunistic symbols resolution\n    - MINOR: tinfo: split the signal handler report flags into 3\n    - MINOR: cli: export cli_io_handler() to ease symbol resolution\n    - MINOR: tools: improve symbol resolution without dl_addr\n    - MINOR: tools: ease the declaration of known symbols in resolve_sym_name()\n    - MINOR: tools: teach resolve_sym_name() a few more common symbols\n\nNoble:\n2025/04/22 : 2.8.15\n    - MINOR: mux-quic: change return value of qcs_attach_sc()\n    - MINOR: clock: always use atomic ops for global_now_ms\n    - MINOR: tinfo: add a new thread flag to indicate a call from a sig handler\n    - MINOR: cfgparse/peers: provide more info when ignoring invalid \"peer\" or \"server\" lines\n    - MINOR: compiler: add a simple macro to concatenate resolved strings\n    - MINOR: compiler: add a new __decl_thread_var() macro to declare local variables\n    - MINOR: tools: resolve main() only once in resolve_sym_name()\n    - MINOR: tools: use only opportunistic symbols resolution\n    - MINOR: cli: export cli_io_handler() to ease symbol resolution\n    - MINOR: tools: improve symbol resolution without dl_addr\n    - MINOR: tools: ease the declaration of known symbols in resolve_sym_name()\n    - MINOR: tools: teach resolve_sym_name() a few more common symbols\n    - MINOR: task: add thread safe notification_new and notification_wake variants\n    - MINOR: tools: also protect the library name resolution against concurrent accesses\n2025/01/29 : 2.8.14\n    - MINOR: debug: make mark_tainted() return the previous value\n    - MINOR: chunk: drop the global thread_dump_buffer\n    - MINOR: debug: split ha_thread_dump() in two parts\n    - MINOR: debug: slightly change the thread_dump_pointer signification\n    - MINOR: debug: make ha_thread_dump_done() take the pointer to be used\n    - MINOR: debug: replace ha_thread_dump() with its two components\n    - MEDIUM: debug: on panic, make the target thread automatically allocate its buf\n    - MINOR: quic: notify connection layer on handshake completion\n    - MINOR: quic: simplify qc_parse_pkt_frms() return path\n    - MINOR: quic: use dynamically allocated frame on parsing\n    - MINOR: quic: extend return value of CRYPTO parsing\n    - MINOR: config: Alert about extra arguments for errorfile and errorloc\n    - BUG/MAJOR: quic: reject too large CRYPTO frames\n    - MINOR: quic: Add a BUG_ON() on quic_tx_packet refcount\n2024/12/12 : 2.8.13\n    - MINOR: mux-h1: Set EOI on SE during demux when both side are in DONE state\n    - MINOR: task: define two new one-shot events for use with WOKEN_OTHER or MSG\n    - MINOR: activity/memprofile: offer a function to unregister stale info\n    - MINOR: quic: convert qc_stream_desc release field to flags\n    - MINOR: quic: implement function to check if STREAM is fully acked\n    - BUG/MAJOR: quic: fix wrong packet building due to already acked frames\n2024/11/08 : 2.8.12\n    - BUG/MAJOR: ocsp: Separate refcount per instance and per store\n    - MEDIUM: h1: Accept invalid T-E values with accept-invalid-http-response option\n    - MINOR: activity/memprofile: always return \"other\" bin on NULL return address\n    - MINOR: pools: export the pools variable\n    - MINOR: cli: remove non-printable characters from 'debug dev fd'\n    - MINOR: stream: Save last evaluated rule on invalid yield\n2024/09/19 : 2.8.11\n    - MINOR: activity: make the memory profiling hash size configurable at build time\n    - MEDIUM: ssl: initialize the SSL stack explicitely\n    - MINOR: queue: add a function to check for TOCTOU after queueing\n    - MEDIUM: init: set default for fd_hard_limit via DEFAULT_MAXFD (take #2)\n    - MINOR: channel: implement ci_insert() function\n    - BUG/MAJOR: mux-h1: Wake SC to perform 0-copy forwarding in CLOSING state\n2024/06/14 : 2.8.10\n    - MINOR: net_helper: Add support for floats/doubles.\n    - MINOR: log: add dup_logsrv() helper function\n    - BUG/MAJOR: quic: Crash with TLS_AES_128_CCM_SHA256 (libressl only)\n    - MEDIUM: config: prevent communication with privileged ports\n    - MINOR: session: rename private conns elements\n    - BUG/MAJOR: server: do not delete srv referenced by session\n    - BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe\n2024/04/05 : 2.8.9\n2024/04/05 : 2.8.8\n    - MINOR: mux-h2: add a counter of \"glitches\" on a connection\n    - MINOR: mux-h2: count excess of CONTINUATION frames as a glitch\n    - MINOR: mux-h2: count late reduction of INITIAL_WINDOW_SIZE as a glitch\n    - MINOR: mux-h2: always use h2c_report_glitch()\n    - MEDIUM: mux-h2: allow to set the glitches threshold to kill a connection\n    - MINOR: connection: add a new mux_ctl to report number of connection glitches\n    - MINOR: mux-h2: implement MUX_CTL_GET_GLITCHES\n    - MINOR: connection: add sample fetches to report per-connection glitches\n    - BUG/MAJOR: promex: fix crash on deleted server\n    - MINOR: quic: warn on bind on multiple addresses if no IP_PKTINFO support\n    - BUG/MAJOR: server: fix stream crash due to deleted server\n    - MINOR: hlua: Be able to disable logging from lua\n    - BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()\n    - MINOR: hlua: use accessors for stream hlua ctx\n    - MINOR: server: allow cookie for dynamic servers\n    - MINOR: cli: Remove useless loop on commands to find unescaped semi-colon\n2024/02/26 : 2.8.7\n    - BUG/MAJOR: ssl/ocsp: crash with ocsp when old process exit or using ocsp CLI\n2024/02/15 : 2.8.6\n    - MINOR: stats: store the parent proxy in stats ctx (http)\n    - MINOR: h3: check connection error during sending\n    - MINOR: mux-h2: support limiting the total number of H2 streams per connection\n    - MINOR: compiler: add a new DO_NOT_FOLD() macro to prevent code folding\n    - MINOR: debug: make sure calls to ha_crash_now() are never merged\n    - MINOR: debug: make ABORT_NOW() store the caller's line number when using abort\n    - MINOR: debug: make BUG_ON() catch build errors even without DEBUG_STRICT\n    - MINOR: mux-h2/traces: also suggest invalid header upon parsing error\n    - MINOR: mux-h2/traces: explicitly show the error/refused stream states\n    - MINOR: mux-h2/traces: clarify the \"rejected H2 request\" event\n    - MINOR: mux-h2/traces: add a missing trace on connection WU with negative inc\n    - BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions\n    - MINOR: ssl: Use OCSP_CERTID instead of ckch_store in ckch_store_build_certid\n    - MINOR: quic: Stop hardcoding a scale shifting value (CUBIC_BETA_SCALE_FACTOR_SHIFT)\n    - MINOR: quic: extract qc_stream_buf free in a dedicated function\n    - MINOR: h3: add traces for stream sending function\n    - MINOR: quic: Stop using 1024th of a second.\n    - MINOR: quic: Update K CUBIC calculation (RFC 9438)\n    - MINOR: quic: Dynamic packet reordering threshold\n    - MINOR: quic: Add a counter for reordered packets\n    - MINOR: errors: ha_alert() and ha_warning() uses warn_exec_path()\n    - MINOR: ext-check: add an option to preserve environment variables\n\nJammy:\n2025/04/22 : 2.4.29\n    - MINOR: cli: export cli_io_handler() to ease symbol resolution\n2024/11/08 : 2.4.28\n    - MINOR: session: rename private conns elements\n    - BUG/MAJOR: server: do not delete srv referenced by session\n    - MEDIUM: ssl: initialize the SSL stack explicitely\n2024/06/18 : 2.4.27\n    - MINOR: cli: Remove useless loop on commands to find unescaped semi-colon\n    - MINOR: hlua: don't dump empty entries in hlua_traceback()\n    - BUG/MAJOR: connection: fix server used_conns with H2 + reuse safe\n2024/04/05 : 2.4.26\n    - BUG/MAJOR: ssl_sock: Always clear retry flags in read/write functions\n    - MINOR: hlua: Be able to disable logging from lua\n    - BUG/MAJOR: hlua: improper lock usage with hlua_ctx_resume()\n    - MINOR: hlua: use accessors for stream hlua ctx\n2023/12/14 : 2.4.25\n    - MINOR: hlua: add hlua_stream_ctx_prepare helper function\n    - MINOR: buf: Add b_force_xfer() function\n    - BUG/MAJOR: mux-h2: Report a protocol error for any DATA frame before headers\n    - MINOR: pattern: fix pat_{parse,match}_ip() function comments\n    - MINOR: connection: Add a CTL flag to notify mux it should wait for reads again\n    - MEDIUM: mux-h1: Handle MUX_SUBS_RECV flag in h1_ctl() and susbscribe for reads\n    - MINOR: htx: Use a macro for overhead induced by HTX\n    - MINOR: channel: Add functions to get info on buffers and deal with HTX streams\n    - MINOR: stktable: add stktable_deinit function\n\n[Previous updates]\n\n- LP: #2012557\n- LP: #2028418", "date_last_updated": "Fri Nov 14 01:24:21 2025", "title": "Micro release updates for jammy, noble, and plucky", "source_package_name": "haproxy", "potential_assignee": "", "assignee": "athos", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.10", "status": "done", "importance": "Wishlist", "date_created": "Thu Jun 5 07:30:17 2025", "date_assigned": "Tue Aug 19 15:48:21 2025", "date_fix_released": "Fri Nov 14 01:24:20 2025", "date_data_refreshed": "Mon Apr 6 15:32:37 2026" }, { "id": "2112528", "description": "[Impact]\n\n* Without SRUing the newer version users get issues running on more recent hypervisors.\n\n* This is not backporting a single fix, nor an MRE, but backporting the version from a more recent Ubuntu release for platform enablement.\n\n* See https://documentation.ubuntu.com/sru/en/latest/reference/exception-OpenVMTools-Updates for more details\n\n* Upstream release notes for the updated versions:\n- noble has 12.4.5 -\nhttps://github.com/vmware/open-vm-tools/blob/stable-12.5.0/ReleaseNotes.md\n- plucky has has 12.5.0 -\nhttps://github.com/vmware/open-vm-tools/blob/stable-12.5.2/ReleaseNotes.md\nhttps://github.com/vmware/open-vm-tools/blob/stable-13.0.0/ReleaseNotes.md\n\n[Test Plan]\n\nSee https://documentation.ubuntu.com/sru/en/latest/reference/exception-OpenVMTools-Updates/#verification\n\n* VMWare QA Team does the qualification of these uploads as we don't have\n   a matrix of Host versions for that around. Once made available in -proposed\n   and passing build time tests the Server team will reach out to VMware to to\n   run their verification harness against the new build and confirming that\n   with a statement on the bug.\n\n* As an additional safety net we want to keep this in -proposed longer\n   than usual, suggesting >=14 days.\n\nThe package builds are in https://launchpad.net/~rr/+archive/ubuntu/backport-open-vm-tools-lp2112528\n\nResults of PPA autopkgtest runs are good:\n\n  - open-vm-tools/2:13.0.0-2~ubuntu0.25.04.1~ppa1\n    + ✅ open-vm-tools on plucky for amd64 @ 25.08.25 11:56:11\n      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-plucky-rr-backport-open-vm-tools-lp2112528/plucky/amd64/o/open-vm-tools/20250825_115611_cb5ef@/log.gz\n    + ✅ open-vm-tools on plucky for arm64 @ 25.08.25 12:00:47\n      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-plucky-rr-backport-open-vm-tools-lp2112528/plucky/arm64/o/open-vm-tools/20250825_120047_f8630@/log.gz\n\n  - open-vm-tools/2:13.0.0-2~ubuntu0.24.04.1~ppa1\n    + ✅ open-vm-tools on noble for amd64 @ 25.08.25 11:57:04\n      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-noble-rr-backport-open-vm-tools-lp2112528/noble/amd64/o/open-vm-tools/20250825_115704_75271@/log.gz\n    + ✅ open-vm-tools on noble for arm64 @ 25.08.25 11:59:35\n      • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-noble-rr-backport-open-vm-tools-lp2112528/noble/arm64/o/open-vm-tools/20250825_115935_3e5c2@/log.gz\n\n[ Where problems could occur ]\n\n* It is a full new version which might contain new issues, but also\n   new fixes and we've had cases where this brought CVE coverage before\n   we needed backports for those. Still, worst you'd expect all that you\n   expect on a release-upgrade like deprecated features gone, handling\n   configuration differently or in general behaving differently by adding\n   (even wanted) new features.\n   Gladly the toolset has proven to be very stable at all that.\n\n[Other Info]\n\n* Mostly regressions seen on those backports would be the same as seen on\n   an upgrade to a new Ubuntu version with the new version of open-vm-tools.\n   Hence, unless other reasons like a former delay or an urgent need\n   cause a change, we try to do this early in the Ubuntu cycle backporting\n   the version released just recently.\n   For example the version that will go out with 24.10 is expected to be\n   proposed for 24.04 shortly, but after 24.10 is released so that we'd have\n   a chance to pick those regression reports up.\n\n* This is a recurring effort. For reference, previous previous Open VM Tools SRU backports (mind the gap, but the latest ones are recent enough):\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1998558\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1975767\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1933143\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1741390\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1784638\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1813944\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1822204\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1844834\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1868012\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1877672\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1892266\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1911831\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/2028420\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/2073317", "date_last_updated": "Wed Sep 3 19:15:39 2025", "title": "Backport open-vm-tools version 2:13.0.0-1 to plucky, noble", "source_package_name": "open-vm-tools", "potential_assignee": "", "assignee": "rr", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.08", "status": "no-merge-needed", "importance": "Wishlist", "date_created": "Thu Jun 5 07:30:50 2025", "date_assigned": "Wed Aug 13 18:36:19 2025", "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:32:38 2026" }, { "id": "2112529", "description": "[Impact]\n\nThis bug tracks an update for the OpenVPN package, moving to versions:\n\n* \n\nSee https://wiki.ubuntu.com/OpenVPNUpdates\n\nThese updates are a best effort to only include bug fixes, following the\nSRU policy exception defined at https://wiki.ubuntu.com/OpenVPNUpdates.\n\nNote that openvpn does not have an accepted micro-release\nexception. However, the SRU team has agreed to consider further releases\ngiven a full knowledge and possible mitigation of backwards-incompatible\nchanges. See\nhttps://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html\n\n\n[Major Changes]\n\n* \n - \n - \n\n\n[Test Plan]\n\nSee https://wiki.ubuntu.com/OpenVPNUpdates#QA\n\nDEP-8 Tests:\nserver-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority\nserver-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication\n\n\n\n\n\n[Regression Potential]\n\nUpstream has an extensive build and integration test suite. So\nregressions would likely arise from a change in interaction with\nUbuntu-specific integrations.\n\n\n\n[Other Info]\n\nThis is a recurring effort. For reference, here are previous OpenVPN SRU backports:\n\n* \n", "date_last_updated": "Tue Sep 2 15:45:34 2025", "title": "Backport of openvpn from questing", "source_package_name": "openvpn", "potential_assignee": "", "assignee": "ankushpathak", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.08", "status": "", "importance": "Wishlist", "date_created": "Thu Jun 5 07:31:09 2025", "date_assigned": "Thu Jun 5 17:20:27 2025", "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:32:40 2026" }, { "id": "2112531", "description": "[Impact]\n\n * MRE for latest stable fixes of Postgres 14, 16, and 17 released in August 2025.\n\n[Test Case]\n\n * The Postgres MREs traditionally rely on the large set of autopkgtests\n   to run for verification. In a PPA, those are all already pre-checked to\n   be good for this upload.\n\n[Regression Potential]\n\n * Upstream tests are usually great and in addition in the Archive there\n   are plenty of autopkgtests that in the past caught issues before being\n   released.\n   But nevertheless there always is a risk for something to break. Since\n   these are general stable releases I can't pinpoint them to a most-likely area.\n   - usually this works smoothly except a few test hiccups (flaky) that need to be clarified to be sure. Pre-checks will catch those to be discussed upfront (as last time)\n\n[Other Info]\n\n * This is a reoccurring MRE, see below and all the references\n * CVEs addressed by this MRE:\n  - CVE-2025-8713\n  - CVE-2025-8714\n  - CVE-2025-8715\n\nCurrent versions in supported releases that got updates:\n\n postgresql-14 | 14.18-0ubuntu0.22.04.1 | jammy-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n postgresql-16 | 16.9-0ubuntu0.24.04.1 | noble-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n postgresql-17 | 17.5-0ubuntu0.25.04.1 | plucky-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n\nSpecial cases:\n- Since there are 3 CVEs being fixed here, we will push these MREs through the security pocket.\n- questing alrady sync'd 17.6 with from Debian, which contains those fixes as well.\n\nStanding MRE - Consider last updates as template:\n\n- https://pad.lv/1637236\n- https://pad.lv/1664478\n- https://pad.lv/1690730\n- https://pad.lv/1713979\n- https://pad.lv/1730661\n- https://pad.lv/1747676\n- https://pad.lv/1752271\n- https://pad.lv/1786938\n- https://pad.lv/1815665\n- https://pad.lv/1828012\n- https://pad.lv/1833211\n- https://pad.lv/1839058\n- https://pad.lv/1863108\n- https://pad.lv/1892335\n- https://pad.lv/1915254\n- https://pad.lv/1928773\n- https://pad.lv/1939396\n- https://pad.lv/1950268\n- https://pad.lv/1961127\n- https://pad.lv/1973627\n- https://pad.lv/1978249\n- https://pad.lv/1984012\n- https://pad.lv/1996770\n- https://pad.lv/2006406\n- https://pad.lv/2019214\n- https://pad.lv/2028426\n- https://pad.lv/2040469\n- https://pad.lv/2067388\n- https://pad.lv/2076183\n- https://pad.lv/2085196\n- https://pad.lv/2099900\n- https://pad.lv/2110377\n\nAs usual we test and prep from the PPA and then push through SRU/Security as applicable.\n\nOnce ready, the test packages should be available at https://launchpad.net/~canonical-server/+archive/ubuntu/postgresql-sru-preparation/+packages", "date_last_updated": "Mon Sep 8 15:18:36 2025", "title": "New PostgreSQL upstream microreleases 14.19, 16.10, and 17.6", "source_package_name": "postgresql-17", "potential_assignee": "", "assignee": "athos", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.08", "status": "done", "importance": "Undecided", "date_created": "Thu Aug 21 13:39:15 2025", "date_assigned": "Thu Aug 21 13:41:39 2025", "date_fix_released": "Mon Sep 1 18:39:28 2025", "date_data_refreshed": "Mon Apr 6 15:38:08 2026" }, { "id": "2112532", "description": "[Impact]\n\nThis bug tracks the following MRE updates for the Squid package:\n\n* \n\nSee \n\nThese updates are a best effort to only include bug fixes, following the\nSRU policy exception defined at https://wiki.ubuntu.com/SquidUpdates.\n\n\n[Major Changes]\n\n* \n - \n - \n\n\n[Test Plan]\n\nSee https://wiki.ubuntu.com/SquidUpdates#QA\n\nLink the build log containing all tests being executed:\n\n\n\n(Other builds visible at )\n\nAll tests are passing during build time, as shown in the build log\n(builds would fail otherwise, see LP: #2004050).\n\nResults of local autopkgtest run against all the new Squid versions\nbeing uploaded here:\n\n\n\nRan with ppa-dev-tools for build in \n\n\n[Regression Potential]\n\nUpstream tests are extensive and always executed during\nbuild-time. Failures would prevent builds from succeeding.\n\nSquid does not have many reverse dependencies. However, any upgrade is a\nrisk to introduce breakage to other packages. Whenever a regression\noccurs in autopkgtests, we will investigate and provide fixes.\n\n\n[Other Info]\n\nThis is a recurring effort. For reference, previous previous Squid SRU backports:\n\n* LP: #2013423 5.7 for Jammy\n* LP: #2040470 5.9 for Jammy\n* LP: #2073322 6.10 for Noble\n* \n\n", "date_last_updated": "Tue Sep 9 14:17:20 2025", "title": "Backport of squid from questing", "source_package_name": "squid", "potential_assignee": "", "assignee": "rr", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.09", "status": "no-merge-needed", "importance": "Wishlist", "date_created": "Thu Jun 5 07:32:23 2025", "date_assigned": "Tue Aug 19 15:39:08 2025", "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:32:47 2026" }, { "id": "2122116", "description": "[Impact]\n\n* Without SRUing the newer version users get issues running on more recent hypervisors.\n\n* This is not backporting a single fix, nor an MRE, but backporting the version from a more recent Ubuntu release for platform enablement.\n\n* See https://documentation.ubuntu.com/sru/en/latest/reference/exception-OpenVMTools-Updates for more details\n\n* Upstream release notes for the updated versions:\n- noble has 12.4.5 -\nhttps://github.com/vmware/open-vm-tools/blob/stable-12.5.0/ReleaseNotes.md\n\n[Test Plan]\n\nSee https://documentation.ubuntu.com/sru/en/latest/reference/exception-OpenVMTools-Updates/#verification\n\n* VMWare QA Team does the qualification of these uploads as we don't have\n   a matrix of Host versions for that around. Once made available in -proposed\n   and passing build time tests the Server team will reach out to VMware to to\n   run their verification harness against the new build and confirming that\n   with a statement on the bug.\n\n* As an additional safety net we want to keep this in -proposed longer\n   than usual, suggesting >=14 days.\n\nThe package builds are in https://launchpad.net/~rr/+archive/ubuntu/backport-open-vm-tools-lp2122116\n\nResults of PPA autopkgtest runs are good:\n* Results:\n - open-vm-tools/2:12.5.0-1~ubuntu0.24.04.1~ppa1\n + ✅ open-vm-tools on noble for amd64 @ 05.09.25 13:55:28\n • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-noble-rr-backport-open-vm-tools-lp2122116/noble/amd64/o/open-vm-tools/20250905_135528_496cf@/log.gz\n + ✅ open-vm-tools on noble for arm64 @ 05.09.25 13:58:11\n • Log: https://autopkgtest.ubuntu.com/results/autopkgtest-noble-rr-backport-open-vm-tools-lp2122116/noble/arm64/o/open-vm-tools/20250905_135811_e036b@/log.gz\n\n[ Where problems could occur ]\n\n* It is a full new version which might contain new issues, but also\n   new fixes and we've had cases where this brought CVE coverage before\n   we needed backports for those. Still, worst you'd expect all that you\n   expect on a release-upgrade like deprecated features gone, handling\n   configuration differently or in general behaving differently by adding\n   (even wanted) new features.\n   Gladly the toolset has proven to be very stable at all that.\n\n[Other Info]\n\n* Mostly regressions seen on those backports would be the same as seen on\n   an upgrade to a new Ubuntu version with the new version of open-vm-tools.\n   Hence, unless other reasons like a former delay or an urgent need\n   cause a change, we try to do this early in the Ubuntu cycle backporting\n   the version released just recently.\n   For example the version that will go out with 24.10 is expected to be\n   proposed for 24.04 shortly, but after 24.10 is released so that we'd have\n   a chance to pick those regression reports up.\n\n* This is a recurring effort. For reference, previous previous Open VM Tools SRU backports (mind the gap, but the latest ones are recent enough):\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1998558\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1975767\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1933143\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1741390\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1784638\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1813944\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1822204\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1844834\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1868012\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1877672\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1892266\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/1911831\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/2028420\n   - https://bugs.launchpad.net/ubuntu/+source/open-vm-tools/+bug/2073317", "date_last_updated": "Fri Sep 26 02:40:43 2025", "title": "Backport open-vm-tools version 2:12.5.0-1 to noble", "source_package_name": "open-vm-tools", "potential_assignee": "", "assignee": "rr", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.09", "status": "done", "importance": "Wishlist", "date_created": "Fri Sep 5 12:16:44 2025", "date_assigned": "Fri Sep 5 12:17:55 2025", "date_fix_released": "Fri Sep 26 02:40:41 2025", "date_data_refreshed": "Mon Apr 6 15:32:49 2026" }, { "id": "2126464", "description": "This bug tracks an update for the bind9 package, moving to versions:\n\n* Questing (25.10): Bind9 9.20.18\n* Noble (24.04): Bind9 9.18.44\n* Jammy (22.04): Bind9 9.18.44\n\nThese updates include bug fixes following the SRU policy exception defined at https://documentation.ubuntu.com/sru/en/latest/reference/exception-Bind9-Updates\n\n[Upstream changes]\n\n9.20.12-9.20.18\n\nUpdates:\n\nhttps://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11358 - Add more information to the rndc recursing output about fetches.\nhttps://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11304 - Provide more information when the memory allocation fails.\nhttps://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11258 - Reduce the number of outgoing queries when resolving the nameservers for delegation points.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5574 - Use exit code 1 when providing illegal options to dnssec-verify.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5486 - Add dnssec-policy keys configuration check to named-checkconf.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5483 - Rndc sign during ZSK rollover will now replace signatures.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4606 - Add manual mode configuration option to dnsec-policy.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5222 - Add a new 'servfail-until-ready' configuration option for RPZ.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5444 - Add support for parsing HHIT and BRID records.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Deprecate the \"tkey-gssapi-credential\" statement.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Obsolete the \"tkey-domain\" statement.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5440 - Add support for parsing the DSYNC record\nhttps://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10738 - Add deprecation warnings for RSASHA1, RSASHA1-NSEC3SHA1 and DS digest type 1.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5342 - Add RPZ extended DNS error for zones with a CNAME override policy configured.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5388 - Log dropped or slipped responses in the query-errors category.\n\nBug Fixes:\n\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5458 - Make key rollovers more robust.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5658 - Fix a catalog zones issue when a member zone could fail to load.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5659 - Allow glue in delegations with QTYPE=ANY.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5679 - Fix invalid zone from NSEC3 reconfiguration.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5672 - Fix slow speed of NSEC3 optout large delegation zone signing.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5671 - Fix invalid NSEC3 opt-out records left in zone.\nhttps://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11386 - Fix a possible catalog zone issue during reconfiguration.\nhttps://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11364 - Fix the charts in the statistics channel.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/3033 - Fix the spurious timeouts while resolving names.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5527 - Fix bug where zone switches from NSEC3 to NSEC after retransfer.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5620 - Attach socket before async streamdns_resume_processing.\n* https://gitlab.isc.org/isc-projects/bind9/-/issues/5639 - Fix AMTRELAY type 0 presentation format handling.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5646 - Fix parsing bug in remote-servers with key or tls.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5653 - Fix TLS contexts cache object usage bug in the resolver.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5671 - Fix invalid NSEC3 opt-out records left in zone.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5506 - Fix dnssec-keygen key collision checking for KEY rrtype keys.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5525 - Fix shutdown INSIST in dns_dispatchmgr_getblackhole.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5609 - Prevent assertion failures of dig when server is specified before the -b option.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5622 - Skip unsupported algorithms when looking for signing key.\nhttps://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11192 - Skip buffer allocations if not logging.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5165 - Use signer name when disabling DNSSEC algorithms.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5502 - Add missing DNSSEC information when CD bit is set in query.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5523 - Preserve cache when reload fails and reload the server again.\nhttps://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11032 - Check plugin config before registering.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5226 - Ensure file descriptors 0-2 are in use.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5294 - Prevent spurious SERVFAILs for certain 0-TTL resource records.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5467 - Use DNS_RDATACOMMON_INIT to hide branch differences.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5491 - Fix RPZ canonical warning displaying zone entry incorrectly.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5494 - Fix a catalog zone issue when having an unset 'default-primaries' configuration clause.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5243 - Fix stale RRsets in a CNAME chain were not always being refreshed.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5357 - Fix a possible crash when adding a zone while recursing.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5381 - Fix issue with dig failing to shutdown when interrupted, and unexpected termination when +keepopen used.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5422 - Fix scenarios where synth-from-dnssec was not working.\nhttps://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10707 - Clean enough memory when adding new ADB names/entries under memory pressure.\nhttps://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10815 - Prevent spurious validation failures.\n\nCVE Fixes - already available as patch:\n\nCVE-2025-13878 - Fix incorrect length checks for BRID and HHIT records.\nCVE-2025-8677 - Fix DNSSEC validation failing if matching but invalid DNSKEY is found.\nCVE-2025-40778 - Address various spoofing attacks.\nCVE-2025-40780 - Avoid cache-poisoning due to weak pseudo-random number generator.\n\n9.18.40-9.18.44\n\nUpdates:\n\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5444 - Add support for parsing HHIT and BRID records.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Deprecate the \"tkey-domain\" statement.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/4204 - Deprecate the \"tkey-gssapi-credential\" statement.\n\nBug Fixes:\n\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5659 - Allow glue in delegations with QTYPE=ANY.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5679 - Fix invalid zone from NSEC3 reconfiguration.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5671 - Fix invalid NSEC3 opt-out records left in zone.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5622 - Skip unsupported algorithms when looking for signing key.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5294 - Prevent spurious SERVFAILs for certain 0-TTL resource records.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5491 - Fix RPZ canonical warning displaying zone entry incorrectly.\nhttps://gitlab.isc.org/isc-projects/bind9/-/issues/5502 - Add missing DNSSEC information when CD bit is set in query.\n* https://gitlab.isc.org/isc-projects/bind9/-/issues/5639 - Fix AMTRELAY type 0 presentation format handling.\n\nCVE Fixes - already available as patch:\n\nCVE-2025-13878 - Fix incorrect length checks for BRID and HHIT records.\nCVE-2025-8677 - Fix DNSSEC validation failing if matching but invalid DNSKEY is found.\nCVE-2025-40778 - Address various spoofing attacks.\nCVE-2025-40780 - Avoid cache-poisoning due to weak pseudo-random number generator.\n\nBackwards-incompatible changes:\n\n* Going through upstream changes on a commit-by-commit basis alongside the release notes, I found one commit which may include backward-incompatible changes for some users - https://gitlab.isc.org/isc-projects/bind9/-/commit/adf104a06339f101d295c1c7980725be5af73dfa\nIt includes the following note - \"Instances of this record will need the placeholder period added to them when upgrading.\"\n\n[Test Plan]\n\nDEP-8 Tests:\n\nsimpletest - Confirms bind9 daemon starts successfully and dig can find 127.0.0.1 through the default setup of bind9\n\nzonetest - Added in this update, currently in lunar. Confirms the functionality of named and bind9 by creating a local DNS zone and domain, and having dig look it up\n\ndyndb-ldap (noble and earlier) - Verifies functionality of bind-dyndb-ldap against the updated bind9 package with a basic setup. This also fails intentionally prior to bind-dyndb-ldap being rebuilt against the package, as this is a necessary step for bind9 updates.\n\nvalidation - This test is provided by Debian and consistently fails both before and after the update due to several issues. It is marked as flaky, and does not block autopkgtest passing overall\n[Regression Potential]\n\nUpstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations.\n\n[Other Info]\n\nPrevious backports:\n\n(LP: #2003586)\n(LP: #2028413)\n(LP: #2040459)\n(LP: #2073310)\n(LP: #2112520)\n\nFor noble and jammy, bind-dyndb-ldap must also be rebuilt to match the new version. This time it has a conflicting macro called CHECK which will be renamed in a patch to the bind-dyndb-ldap package.", "date_last_updated": "Fri Apr 3 14:20:14 2026", "title": "Backport of bind9 for questing, noble, and jammy", "source_package_name": "bind-dyndb-ldap", "potential_assignee": "", "assignee": "lvoytek", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-26.04", "status": "started", "importance": "Undecided", "date_created": "Wed Apr 1 19:51:16 2026", "date_assigned": "Wed Apr 1 19:51:55 2026", "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:38:27 2026" }, { "id": "2127122", "description": "[Impact]\n\nVarious bugs exist in the current Ubuntu version of Valkey in Noble, Plucky, and Questing/Resolute including CVEs:\n\n(CVE-2025-49844) A Lua script may lead to remote code execution\n(CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE\n(CVE-2025-46818) A Lua script can be executed in the context of another user\n(CVE-2025-46819) LUA out-of-bound read\n(CVE-2025-27151) Check length of AOF file name in valkey-check-aof and reject paths longer than PATH_MAX (8.0.4)\n\n\nThe other bugs listed upstream are:\n\n8.1.3-8.1.4 -\n\nhttps://github.com/valkey-io/valkey/pull/2614\nhttps://github.com/valkey-io/valkey/pull/2229\nhttps://github.com/valkey-io/valkey/pull/2257\nhttps://github.com/valkey-io/valkey/pull/2290\nhttps://github.com/valkey-io/valkey/pull/2288\nhttps://github.com/valkey-io/valkey/pull/2353\nhttps://github.com/valkey-io/valkey/pull/2347\nhttps://github.com/valkey-io/valkey/pull/2174\nhttps://github.com/valkey-io/valkey/pull/2360\nhttps://github.com/valkey-io/valkey/pull/2466\nhttps://github.com/valkey-io/valkey/pull/2571\nhttps://github.com/valkey-io/valkey/pull/2656\n\n8.0.4-8.0.6 -\nhttps://github.com/valkey-io/valkey/pull/2616\nhttps://github.com/valkey-io/valkey/pull/2658\nhttps://github.com/valkey-io/valkey/pull/2101\nhttps://github.com/valkey-io/valkey/pull/2109\nhttps://github.com/valkey-io/valkey/pull/2137\nhttps://github.com/valkey-io/valkey/pull/2132\nhttps://github.com/valkey-io/valkey/pull/2117\nhttps://github.com/valkey-io/valkey/pull/2140\nhttps://github.com/valkey-io/valkey/pull/2144\nhttps://github.com/valkey-io/valkey/pull/2178\nhttps://github.com/valkey-io/valkey/pull/2186\nhttps://github.com/valkey-io/valkey/pull/2229\nhttps://github.com/valkey-io/valkey/pull/2360\nhttps://github.com/valkey-io/valkey/pull/2174\nhttps://github.com/valkey-io/valkey/pull/2466\n\nalong with behavior changes:\n\nhttps://github.com/valkey-io/valkey/pull/1067\nhttps://github.com/valkey-io/valkey/pull/1274\n\nand improvements:\n\nhttps://github.com/valkey-io/valkey/pull/1252\nhttps://github.com/valkey-io/valkey/pull/1341\n\n\n7.2.10-7.2.11 -\nhttps://github.com/valkey-io/valkey/pull/2229\nhttps://github.com/valkey-io/valkey/pull/2360\n\n\n\nThese fixes should be added to the stable release to avoid known security vulnerabilities and issues.\n\nIdeally, these fixes should be added by updating to 7.2.11, the latest stable release of 7.x, 8.0.6 as the latest of 8.0.x, and 8.1.4 as the latest of 8.1.x. Upstream takes care to avoid backwards incompatible changes in this stable release set and matching their version would best match user expectations.\n\n[Test Plan]\n\nInitial testing should include making sure dep-8 tests all pass. This package includes a large suite of tests that check various runtime configurations and redis compatibility.\n\n[Where problems could occur]\n\nAs this is a full version backport, backwards-incompatible changes may arise from the various changes included. I am mitigating this by checking each individual commit and am noting any minor updates in the changelog entry.\n\n[Other Info]\n\nNoble will differ from Plucky as they will remain on the 7.2.x version track while Plucky is on 8.x. Both differ from Questing and Resolute which are on 8.1.x (though Resolute will be upgraded to 9.0.x this cycle).\n\nAlso this release should be sent to both -updates and -security afterward to provide all relevant users with the fixes\n\nPrevious Backports:\n(LP: #2097546)\n(LP: #2091129)\n(LP: #2115258)", "date_last_updated": "Wed Nov 12 20:38:27 2025", "title": "Update Valkey to 7.2.11 in noble, 8.0.6 in plucky, and 8.1.4 in questing + resolute", "source_package_name": "valkey", "potential_assignee": "", "assignee": "lvoytek", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.11", "status": "done", "importance": "Critical", "date_created": "Wed Oct 8 20:17:18 2025", "date_assigned": "Wed Oct 8 20:17:38 2025", "date_fix_released": "Fri Oct 17 14:08:48 2025", "date_data_refreshed": "Mon Apr 6 15:31:56 2026" }, { "id": "2127658", "description": "This bug tracks an update for the OpenVPN package, moving to versions:\n\n* Questing (25.10): OpenVPN 2.6.19\n* Noble (24.04): OpenVPN 2.6.19\n* Jammy (22.04) is already at the latest version of 2.5.x\n\nThis update includes bugfixes following the SRU policy exception defined at https://documentation.ubuntu.com/project/SRU/reference/exception-OpenVPN-Updates/. Note that OpenVPN does not have an accepted exception. However, the SRU team has agreed to consider further releases given a full knowledge and possible mitigation of backwards-incompatible changes. See https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html\n\n[Upstream Changes]\n\n2.6.15-2.6.19\n\nUpdates:\n\nDisable DCO if --bind-dev option is given\n\nBug Fixes:\n\nFix incorrect file descriptor handling in p2mp server on inotify FD during a SIGUSR1 restart.\nFix bug where --management-forget-disconnect and --management-signal could be executed even if password authentication to managment interface was still pending.\nRepair client-side interaction on reconnect between DCO event handling and --persist-tun.\nPrevent crash on invalid server-ipv6 argument.\nFix invalid pointer creation in tls_pre_decrypt().\nProperly check for errors in creation on $auth_failed_reason_file.\nApply close-on-exec option to correct socket for incoming TCP connections.\nFix missing perf_pop() call in ssl_mbedtls.\nApply more checks to incoming TLS handshake packets before creating new state.\nFix broadcast address configuration for broadcast-based applications using ifconfig to get address.\n\nCVE Fix - already available as patch:\n\nCVE-2025-13086: Fix memcmp check for the hmac verification in the 3way handshake.\n\nThe upstream changelog is available at https://community.openvpn.net/ReleaseHistory\n\n[Test Plan]\n\nDEP-8 Tests:\nserver-setup-with-ca - creates and tests an OpenVPN server setup with its own certificate authority\nserver-setup-with-static-key - creates and tests an OpenVPN server setup using a static key for authentication\n\nSee https://documentation.ubuntu.com/project/SRU/reference/exception-OpenVPN-Updates/#qa for additional testing information.\n\n[Regression Potential]\n\nUpstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations.\n\nBackwards-incompatible changes:\n\nGoing through the commits of all releases after 2.6.14 in 2.6.x, I do not see any backwards-incompatible changes that will cause issues for existing users. They may experience a slowdown when using --bind-dev as upstream has disabled DCO when it is active in 30041d6c40c9c0b6aa5581d4570110cde61cad0e though.\n\n[Other Info]\n\nPrevious backports:\n(LP: #2040467)\n(LP: #2004676)\n(LP: #2073318)", "date_last_updated": "Tue Mar 10 16:23:48 2026", "title": "Backport of openvpn for noble and questing", "source_package_name": "openvpn", "potential_assignee": "", "assignee": "lvoytek", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-26.02", "status": "done", "importance": "Wishlist", "date_created": "Fri Oct 10 20:49:58 2025", "date_assigned": "Fri Oct 10 20:50:46 2025", "date_fix_released": "Tue Mar 10 16:23:46 2026", "date_data_refreshed": "Mon Apr 6 15:33:03 2026" }, { "id": "2127661", "description": "[Impact]\n\nIn order to follow our policy [1,2] on keeping the container stack (docker.io-app, containerd-app, runc-app, docker-buildx, docker-compose-v2, containerd-stable, and runc-stable) up-to-date in our supported releases, let's backport the stack in resolute to questing, noble, and jammy.\n\nSpecial cases:\n- containerd-stable and runc-stable are only present from questing and on. Therefore, these packages will only be backported to questing.\n- runc-app will be upgraded to the newest version of 1.3.y in noble and jammy to to avoid major disruptions as covered by the process described in [1].\n\n[Test Plan]\n\nAs described in [1], our test case is the autopkgtests.\n\nAll packages were built in https://launchpad.net/~athos/+archive/ubuntu/container-stack-rr/+packages.\n\nAll DEP8 tests pass either for all architectures in the PPA, or for amd64 locally.\n\n[Where problems could occur]\n\nAs usual, we deliver most benefit to our users by delivering an upstream experience. A risk of regressions is part of that.\n\n[Past MREs]\n\n- https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2040461\n- https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2040460\n- https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2085187\n- https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2112523\n\n[ References ]\n\n[1] https://documentation.ubuntu.com/sru/en/latest/reference/exception-Docker-Updates/\n[2] https://discourse.ubuntu.com/t/ubuntu-server-gazette-issue-8-containers-steady-paths-for-agile-stacks/68680", "date_last_updated": "Thu Apr 2 11:38:56 2026", "title": "Backport of container-stack for jammy, noble and questing", "source_package_name": "runc-stable", "potential_assignee": "", "assignee": "athos", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-26.02", "status": "", "importance": "Wishlist", "date_created": "Fri Oct 10 21:11:20 2025", "date_assigned": "Tue Oct 14 15:48:18 2025", "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:34:52 2026" }, { "id": "2127662", "description": "[Impact]\n\nThis bug tracks the following MRE updates for the DPDK package:\n\n* \n\nSee https://core.dpdk.org/roadmap/\n\nThese updates are a best effort to only include bug fixes, following the\nSRU policy exception defined at\nhttps://wiki.ubuntu.com/StableReleaseUpdates/DPDK.\n\n\n[Major Changes]\n\n* \n - \n - \n\n\n[Test Plan]\n\nSee https://wiki.ubuntu.com/StableReleaseUpdates/DPDK#SRU_TestVerify\n\n\n\n\n[Regression Potential]\n\nUpstream performs extensive testing before release, giving us a high\ndegree of confidence in the general case. There problems are most likely\nto manifest in Ubuntu-specific integrations, such as in relation to the\nversions of dependencies available and other packaging-specific matters.\nTherefore that is what our verification focuses on.\n\n\n\n\n[Other Info]\n\nThis is a recurring effort. For reference, here are previous DPDK SRU backports:\n\n* LP: #1784816\n* LP: #1817675\n* LP: #1836365\n* LP: #1912464\n* LP: #1940913\n* LP: #2002404\n* LP: #2026351 for mantic\n* LP: #2067480 for oracular\n* \n", "date_last_updated": "Tue Jan 6 07:12:33 2026", "title": "Backport of dpdk for jammy, noble and questing", "source_package_name": "dpdk", "potential_assignee": "", "assignee": "", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-26.03", "status": "", "importance": "Undecided", "date_created": "Fri Oct 10 21:11:41 2025", "date_assigned": null, "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:38:20 2026" }, { "id": "2127663", "description": "[Impact]\n\nThis bug tracks the following MRE updates for the DPDK package:\n\n* \n\nSee https://core.dpdk.org/roadmap/\n\nThese updates are a best effort to only include bug fixes, following the\nSRU policy exception defined at\nhttps://wiki.ubuntu.com/StableReleaseUpdates/DPDK.\n\n\n[Major Changes]\n\n* \n - \n - \n\n\n[Test Plan]\n\nSee https://wiki.ubuntu.com/StableReleaseUpdates/DPDK#SRU_TestVerify\n\n\n\n\n[Regression Potential]\n\nUpstream performs extensive testing before release, giving us a high\ndegree of confidence in the general case. There problems are most likely\nto manifest in Ubuntu-specific integrations, such as in relation to the\nversions of dependencies available and other packaging-specific matters.\nTherefore that is what our verification focuses on.\n\n\n\n\n[Other Info]\n\nThis is a recurring effort. For reference, here are previous DPDK SRU backports:\n\n* LP: #1784816\n* LP: #1817675\n* LP: #1836365\n* LP: #1912464\n* LP: #1940913\n* LP: #2002404\n* LP: #2026351 for mantic\n* LP: #2067480 for oracular\n* \n", "date_last_updated": "Tue Jan 6 07:09:28 2026", "title": "Merge dpdk for resolute", "source_package_name": "dpdk", "potential_assignee": "", "assignee": "paelzer", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.12", "status": "done", "importance": "Wishlist", "date_created": "Fri Oct 10 21:11:51 2025", "date_assigned": "Tue Nov 18 16:27:35 2025", "date_fix_released": "Tue Jan 6 07:09:27 2026", "date_data_refreshed": "Mon Apr 6 15:35:15 2026" }, { "id": "2127664", "description": "This bug tracks an update for the HAProxy package in the following Ubuntu\nreleases to the versions below:\n\n* questing (25.10): HAProxy 3.0.12 (See entries from 3.0.11 to 3.0.12).\n* plucky (25.04): HAProxy 3.0.12 (See entries from 3.0.11 to 3.0.12).\n* noble (24.04): HAProxy 2.8.16.\n* jammy (22.04): HAProxy 2.4.30.\n\nThese updates include bugfixes only following the SRU policy exception defined\nat https://documentation.ubuntu.com/sru/en/latest/reference/exception-HAProxy-Updates\n\n[Upstream changes]\n\nHAProxy 3.0.12: https://www.haproxy.org/download/3.0/src/CHANGELOG\nHAProxy 2.8.16: https://www.haproxy.org/download/2.8/src/CHANGELOG\nHAProxy 2.4.30: https://www.haproxy.org/download/2.4/src/CHANGELOG\n\nImportant bug fixes include:\n\n* questing (25.10) and plucky (25.04) - HAProxy 3.0.12:\n  - BUG/MAJOR: quic: fix INITIAL padding with probing packet only\n  - BUG/MAJOR: mux-quic: fix crash on reload during emission\n  - BUG/MAJOR: stream: Remove READ/WRITE events on channels after analysers eval\n  - BUG/MAJOR: stream: Force channel analysis on successful synchronous send\n  - BUG/MAJOR: listeners: transfer connection accounting when switching listeners\n  - BUG/MAJOR: cache: Crash because of wrong cache entry deleted\n\n* noble (24.04) - HAProxy 2.8.16:\n  - BUG/MAJOR: listeners: transfer connection accounting when switching\n\nAlso, all the new releases being introduced here include a CVE fix:\n- BUG/CRITICAL: mjson: fix possible DoS when parsing numbers\nalready inapplied by security\nHowever, this CVE was already introduced in the security pocket by the security team, so we will be just dropping the Ubuntu patch there.\n\n[Test Plan]\n\nSince the upstream CI piplines do not run (publicly) for HAProxy 2.4, 2.8, and 3.0, we triggered those using the upstream project github workflows:\n\nHAproxy 2.4.30 (jammy): https://github.com/athos-ribeiro/haproxy-2.4/actions\nHAproxy 2.8.16 (noble): https://github.com/athos-ribeiro/haproxy-2.8/actions\nHAproxy 3.0.12 (plucky/questing): https://github.com/athos-ribeiro/haproxy-3.0/actions\n\nThe windows related workflows are failing, but this should not be relevant here. For 2.4 and 2.8, the macOS tests in the vtest workflow are also failing. These should not be relevant here either.\n\nA test build set is available at https://launchpad.net/~athos/+archive/ubuntu/haproxy/+packages. We ran the haproxy DEP8 test suite for the packages built in that PPA. Here are the results:\n\n* Results:\n  - haproxy: jammy/haproxy/2.4.30-0ubuntu0.22.04.1~ppa1 [amd64]\n    + ✅ haproxy on jammy for amd64 @ 04.12.25 10:33:02 Log️ 🗒️\n  - haproxy: jammy/haproxy/2.4.30-0ubuntu0.22.04.1~ppa1 [arm64]\n    + ✅ haproxy on jammy for arm64 @ 04.12.25 10:33:56 Log️ 🗒️\n  - haproxy: jammy/haproxy/2.4.30-0ubuntu0.22.04.1~ppa1 [armhf]\n    + ✅ haproxy on jammy for armhf @ 04.12.25 10:36:41 Log️ 🗒️\n  - haproxy: jammy/haproxy/2.4.30-0ubuntu0.22.04.1~ppa1 [ppc64el]\n    + ✅ haproxy on jammy for ppc64el @ 04.12.25 10:51:14 Log️ 🗒️\n  - haproxy: jammy/haproxy/2.4.30-0ubuntu0.22.04.1~ppa1 [s390x]\n    + ✅ haproxy on jammy for s390x @ 04.12.25 11:19:32 Log️ 🗒️\n  - haproxy: noble/haproxy/2.8.16-0ubuntu0.24.04.1~ppa1 [amd64]\n    + ✅ haproxy on noble for amd64 @ 04.12.25 10:35:07 Log️ 🗒️\n  - haproxy: noble/haproxy/2.8.16-0ubuntu0.24.04.1~ppa1 [arm64]\n    + ✅ haproxy on noble for arm64 @ 04.12.25 10:44:40 Log️ 🗒️\n  - haproxy: noble/haproxy/2.8.16-0ubuntu0.24.04.1~ppa1 [armhf]\n    + ✅ haproxy on noble for armhf @ 04.12.25 10:36:22 Log️ 🗒️\n  - haproxy: noble/haproxy/2.8.16-0ubuntu0.24.04.1~ppa1 [ppc64el]\n    + ✅ haproxy on noble for ppc64el @ 04.12.25 10:35:49 Log️ 🗒️\n  - haproxy: noble/haproxy/2.8.16-0ubuntu0.24.04.1~ppa1 [s390x]\n    + ✅ haproxy on noble for s390x @ 04.12.25 10:32:47 Log️ 🗒️\n  - haproxy: plucky/haproxy/3.0.12-0ubuntu0.25.04.1~ppa1 [amd64]\n    + ✅ haproxy on plucky for amd64 @ 04.12.25 10:34:25 Log️ 🗒️\n  - haproxy: plucky/haproxy/3.0.12-0ubuntu0.25.04.1~ppa1 [arm64]\n    + ✅ haproxy on plucky for arm64 @ 04.12.25 10:33:38 Log️ 🗒️\n  - haproxy: plucky/haproxy/3.0.12-0ubuntu0.25.04.1~ppa1 [armhf]\n    + ✅ haproxy on plucky for armhf @ 04.12.25 10:35:54 Log️ 🗒️\n  - haproxy: plucky/haproxy/3.0.12-0ubuntu0.25.04.1~ppa1 [ppc64el]\n    + ✅ haproxy on plucky for ppc64el @ 04.12.25 10:34:12 Log️ 🗒️\n  - haproxy: plucky/haproxy/3.0.12-0ubuntu0.25.04.1~ppa1 [s390x]\n    + ✅ haproxy on plucky for s390x @ 04.12.25 10:33:14 Log️ 🗒️\n  - haproxy: questing/haproxy/3.0.12-0ubuntu0.25.10.1~ppa1 [amd64]\n    + ✅ haproxy on questing for amd64 @ 04.12.25 10:43:49 Log️ 🗒️\n  - haproxy: questing/haproxy/3.0.12-0ubuntu0.25.10.1~ppa1 [arm64]\n    + ✅ haproxy on questing for arm64 @ 04.12.25 10:54:32 Log️ 🗒️\n  - haproxy: questing/haproxy/3.0.12-0ubuntu0.25.10.1~ppa1 [armhf]\n    + ✅ haproxy on questing for armhf @ 04.12.25 10:35:43 Log️ 🗒️\n  - haproxy: questing/haproxy/3.0.12-0ubuntu0.25.10.1~ppa1 [ppc64el]\n    + ✅ haproxy on questing for ppc64el @ 04.12.25 10:35:28 Log️ 🗒️\n  - haproxy: questing/haproxy/3.0.12-0ubuntu0.25.10.1~ppa1 [s390x]\n    + ✅ haproxy on questing for s390x @ 04.12.25 10:53:24 Log️ 🗒️\n\n[Regression Potential]\n\nHAProxy itself does not have many reverse dependencies, however, any upgrade is\na risk to introduce some breakage to other packages. Whenever a test failure is\ndetected, we will be on top of it and make sure it doesn't affect existing\nusers.\n\n[Regression Potential - Changes Analysis (CA)]\n\nThere are some low regression risk (as per upstream classification) functional changes.\n\nMoreover, some (fewer) bug fixes have a possible medium regression risk (again, as per upstream classification).\n\nThe functional changes mentioned above were included because they are, in majority, needed by other entries which are bug fixes, i.e., these are functional changes needed to fix specific bugs.\n\n[Regression Potential - CA - Upstream changes classification criteria]\n\nhttps://github.com/haproxy/haproxy/blob/master/CONTRIBUTING#L632\ndescribes the upstream guidelines for tagging the entries in the upstream changelog based\non their purpose, importance, severity, etc.\n\nBelow, I summarize the relevant bits of such guidelines.\n\nPatches \"fixing a bug must have the 'BUG' tag\", e.g., \"BUG/MAJOR: description\"\n\n\"When the patch cannot be categorized, [...] only use a risk or complexity\ninformation [...]. This is commonly the case for new features\". For\ninstance, \"MINOR: description\"\n\nFor MINOR tags, the patch \"is safe enough to be backported to stable\nbranches\".\n\nPatches tagged MEDIUM \"may cause unexpected regressions of low importance\n[...], the patch is safe but touches working areas\".\n\nPatches tagged MAJOR carry a \"major risk of hidden regression\". No changes are tagged MAJOR without a bug classifier, i.e., all of the patches classified as MAJOR are BUG/MAJOR and will be discussed below.\n\nThere is also a CRITICAL tag but no changes are tagged with it in the new\ncandidate versions other than the CVE patch which was already available in the security pocket.\n\n[Regression Potential - CA - Impact]\n\nFor the next Jammy update, we would upgrade HAPRoxy from 2.4.29 to 2.4.30. Since the CVE fix introduced in this new upstream version is already applied in jammy, this new version is only introducing a couple minor bug fixes which should have very little regression impact.\n\nFor the next Noble update, we would upgrade HAPRoxy from 2.8.15 to 2.8.16. Among the changes, there is 1 bug fix tagged as BUG/MAJOR and 8 uncategorized changes (potentially functional), where 7 are tagged as MINOR and 1 is tagged as MEDIUM.\n\nFor the next Plucky and Questing updates, we would upgrade HAPRoxy from 3.0.10 to 3.0.12. Among the changes, there are 6 bug fixes tagged as BUG/MAJOR and 17 uncategorized changes (potentially functional), where 15 are tagged as MINOR and 2 are tagged as MEDIUM.\n\n[Regression Potential - CA - Assessment]\n\nBelow we discuss the changes with the greater regression potential (and the most relevant uncategorized ones, which may contain functional changes)\n\nAll uncategorized MINOR changes are either adding new internal functions used by other bug fixes, or other internal changes where regressions are not expected. Hence, they will not be discussed.\n\nUnless they are discussed below changes tagged BUG/MAJOR had the MAJOR tag chosen due to the severity of the bugs and not due to the regression potential (and that is why they are not being discussed).\n\nPlucky (25.04) and Questing (25.10): HAProxy 3.0.12:\n\n- MEDIUM: ssl/cli: relax crt insertion in crt-list of type directory Since\n\nSince the name stored in a certificate tree can be an alias and not a path,\nrequiring full paths in the certificate name when when adding it through a CLI\nwas a bug. This is now fixed. It also means that The tool or user inserting the\ncertificate must now check itself that the certificate was placed at the right\nspot on the filesystem.\n\n- BUG/MAJOR: stream: Remove READ/WRITE events on channels after analysers eval\n\nA couple flags are being removed after evaluation. Although this is supposed\nto be a safe/internal only change, It is tagged a MAJOR because this area is\nreally sensitive to any changes. FWIW, this change caused a regression during\ndevelopment and was reverted in this same released version.\n\n- BUG/MAJOR: stream: Force channel analysis on successful synchronous send\n\nThis reverts the change above due to a regression and fixes the underlying\nissue by adding a different flag instead of removing flags. This is set as\nMAJOR due to the fixed regression.\n\n- BUG/CRITICAL: mjson: fix possible DoS when parsing numbers\n\nThis was already applied by the security team\n\n- MEDIUM: hlua: Add function to change the body length of an HTTP Message\n\nThis adds a new function for a lua filter to change the body length of an HTTP Message.\n\nNoble (24.04): HAProxy 2.8.16:\n\nBoth entries here were already discussed above for Plucky/Questing:\n\n- MEDIUM: hlua: Add function to change the body length of an HTTP Message\n- BUG/CRITICAL: mjson: fix possible DoS when parsing numbers\n\nJammy (22.04): HAProxy 2.4.30:\n\nThe only entry here was already discussed above for Plucky/Questing:\n\n- BUG/CRITICAL: mjson: fix possible DoS when parsing numbers\n\n[Previous updates]\n\n- LP: #2012557\n- LP: #2028418\n- LP: #2112526", "date_last_updated": "Thu Jan 15 13:54:55 2026", "title": "New HAProxy upstream microreleases 2.4.30, 2.8.16, and 3.0.12", "source_package_name": "haproxy", "potential_assignee": "", "assignee": "athos", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.12", "status": "done", "importance": "Wishlist", "date_created": "Fri Oct 10 21:12:02 2025", "date_assigned": "Tue Oct 14 15:46:07 2025", "date_fix_released": "Thu Jan 15 13:54:53 2026", "date_data_refreshed": "Mon Apr 6 15:35:29 2026" }, { "id": "2127665", "description": "[Impact]\n\nThis bug tracks the following MRE updates for the OpenLDAP package:\n\n* MRE for latest stable OpenLDAP 2.5.x release, 2.5.20 (last planned 2.5 release).\n* MRE for latest stable OpenLDAP 2.6.x release, 2.6.10 (new LTS).\n\nSee https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/2QQNVWPUUG54JM7FGQHMMF3H4KS2PPKQ/ and https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/thread/H2THDP3JYECCPJ45BEGGEYYL44YRHUK7/\n\nThese updates are a best effort to only include bug fixes, following the\nSRU policy exception defined at https://documentation.ubuntu.com/sru/en/latest/reference/exception-OpenLDAP-Updates/.\n\n[Major Changes]\n\nSee the list of bugs fixed for 2.5.x here:\n- https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_5/CHANGES\n  - https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/IXITZR4E6P5LAZ5FFQPE2222CRGKJVYS/\nFor 2.6.x:\n- https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_6/CHANGES\n  - https://lists.openldap.org/hyperkitty/list/openldap-announce@openldap.org/thread/QQ3AAIAKT6VVMGM7T2PRLGOKW4PABGQK/\n\n- we have a delta to fix bug #2090806, which is now in 2.6.9.\n\n[Test Plan]\n\nSee https://documentation.ubuntu.com/sru/en/latest/reference/exception-OpenLDAP-Updates/#qa\n\n1. Upstream gitlab pipeline results:\n\n- 2.6.10: https://git.openldap.org/openldap/openldap/-/pipelines/5935\n- 2.5.20: https://git.openldap.org/openldap/openldap/-/pipelines/5933\n\n2. Upstream \"call for testing\":\n\n- 2.5.20: https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/message/NFTXNTUS5WQFOPWHCGQFI2PFLJM22II5/\n- 2.6.10: https://lists.openldap.org/hyperkitty/list/openldap-technical@openldap.org/message/HGBDBYJ5O765LSAOLTPXNFFX3ZNBK7IR/\n\n3. As described in the MRE page for OpenLDAP, the test plan is to\n   build the package in a PPA and make sure that (a) all build-time\n   tests pass and (b) all autopkgtest runs (from reverse dependencies)\n   also pass.\n\n* Build logs confirming that the build-time testsuite has been\n  performed and completed successfully:\n - jammy builds and testsuite all green: https://launchpad.net/ubuntu/+source/openldap/2.5.20+dfsg-0ubuntu0.22.04.1\n  - noble builds and testsuite all green: https://launchpad.net/ubuntu/+source/openldap/2.6.10+dfsg-0ubuntu0.24.04.1\n\n* Test results:\n  - jammy all green: https://ubuntu-archive-team.ubuntu.com/proposed-migration/jammy/update_excuses.html#openldap\n - noble all green: https://ubuntu-archive-team.ubuntu.com/proposed-migration/noble/update_excuses.html#openldap\n\n[Where problems could occur]\n\nUpstream tests are always executed during build-time. There are many\nreverse dependencies whose dep8 tests depend on OpenLDAP so the coverage\nis good. Nevertheless, there is always a risk for something to break\nsince we are dealing with a microrelease upgrade. Whenever a test\nfailure is detected, we will be on top of it and make sure it doesn't\naffect existing users.\n\nAs usual we test and prep from the PPA and then push through\nSRU/Security as applicable.\n\n* Current versions in supported releases that got updates:\n  - openldap | 2.6.7+dfsg-1~exp1ubuntu8.2 | noble-updates\n  - openldap | 2.5.19+dfsg-0ubuntu0.22.04.1 | jammy-updates\n\n[Other Info]\n\nThis is a recurring effort. For reference, here are previous OpenLDAP SRU backports:\n\n* LP: #1977627\n* LP: #1983618\n* LP: #2007625\n* LP: #2027079\n* LP: #2029170\n* LP: #2040465\n* LP: #2067745\n* LP: #2112527", "date_last_updated": "Tue Feb 3 03:35:25 2026", "title": "Backport of openldap for jammy & noble", "source_package_name": "openldap", "potential_assignee": "", "assignee": "jj", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-26.01", "status": "", "importance": "Wishlist", "date_created": "Fri Oct 10 21:12:13 2025", "date_assigned": "Mon Oct 13 14:11:15 2025", "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:35:40 2026" }, { "id": "2127666", "description": "Title: Backport open-vm-tools version 2:13.0.0-2ubuntu1 to Noble (24.04)\n\n[ Impact ]\n\n* Without SRUing the newer version users get issues running on more\n   recent hypervisors.\n\n* This is not backporting a single fix, nor an MRE, but backporting the\n   version from the current Ubuntu release for platform enablement.\n\n* See https://documentation.ubuntu.com/sru/en/latest/reference/exception-OpenVMTools-Updates for more details\n\n[ Test Plan ]\n\n* VMWare QA Team does the qualification of these uploads as we don't have\n   a matrix of Host versions for that around. Once made available in -proposed\n   and passing build time tests the Server team will reach out to VMware to to\n   run their verification harness against the new build and confirming that\n   with a statement on the bug.\n\n* As an additional safety net we want to keep this in -proposed longer\n   than usual, suggesting >=14 days.\n\n[ Where problems could occur ]\n\n* It is a full new version which might contain new issues, but also\n   new fixes and we've had cases where this brought CVE coverage before\n   we needed backports for those. Still, worst you'd expect all that you\n   expect on a release-upgrade like deprecated features gone, handling\n   configuration differently or in general behaving differently by adding\n   (even wanted) new features.\n   Gladly the toolset has proven to be very stable at all that.\n\n[ Other Info ]\n\n* Mostly regressions seen on those backports would be the same as seen on\n   an upgrade to a new Ubuntu version with the new version of open-vm-tools.\n   Hence, unless other reasons like a former delay or an urgent need\n   cause a change, we try to do this early in the Ubuntu cycle backporting\n   the version released just recently.\n   For example the version that will go out with 24.10 is expected to be\n   proposed for 24.04 shortly, but after 24.10 is released so that we'd have\n   a chance to pick those regression reports up.\n\n* A few packaging changes were done as part of this backport, coming from the\n new version:\n - Patches were updated or removed as needed\n - There is now an explicit dependency on libcrypt-dev - which is indeed\n needed for the package to work properly, and was already being pulled\n in the version currently in Noble.", "date_last_updated": "Thu Mar 26 11:46:35 2026", "title": "Backport of open-vm-tools for noble", "source_package_name": "open-vm-tools", "potential_assignee": "", "assignee": "rr", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-26.04", "status": "started", "importance": "Wishlist", "date_created": "Fri Oct 10 21:12:25 2025", "date_assigned": "Tue Oct 21 15:33:17 2025", "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:35:52 2026" }, { "id": "2127667", "description": "[Impact]\n\n * MRE for latest stable fixes of Postgres 14, 16, and 17 released in November 2025.\n\n[Test Case]\n\n * The Postgres MREs traditionally rely on the large set of autopkgtests\n   to run for verification. In a PPA, those are all already pre-checked to\n   be good for this upload.\n\n[Regression Potential]\n\n * Upstream tests are usually great and in addition in the Archive there\n   are plenty of autopkgtests that in the past caught issues before being\n   released.\n   But nevertheless there always is a risk for something to break. Since\n   these are general stable releases I can't pinpoint them to a most-likely area.\n   - usually this works smoothly except a few test hiccups (flaky) that need to be clarified to be sure. Pre-checks will catch those to be discussed upfront (as last time)\n\n[Other Info]\n\n * This is a reoccurring MRE, see below and all the references\n * CVEs addressed by this MRE:\n  - CVE-2025-12817\n  - CVE-2025-12818\n\nCurrent versions in supported releases that got updates:\n\n postgresql-14 | 14.19-0ubuntu0.22.04.1 | jammy-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n postgresql-16 | 16.10-0ubuntu0.24.04.1 | noble-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n postgresql-17 | 17.6-0ubuntu0.25.04.1 | plucky-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n postgresql-17 | 17.6-1build1 | questing | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n\nSpecial cases:\n- Since there are 2 CVEs being fixed here, we will push these MREs through the security pocket.\n- resolute is transitioning to postgresql-18, which contains those fixes as well. Therefore, we will not update posrgresql-17 there.\n\nStanding MRE - Consider last updates as template:\n\n- https://pad.lv/1637236\n- https://pad.lv/1664478\n- https://pad.lv/1690730\n- https://pad.lv/1713979\n- https://pad.lv/1730661\n- https://pad.lv/1747676\n- https://pad.lv/1752271\n- https://pad.lv/1786938\n- https://pad.lv/1815665\n- https://pad.lv/1828012\n- https://pad.lv/1833211\n- https://pad.lv/1839058\n- https://pad.lv/1863108\n- https://pad.lv/1892335\n- https://pad.lv/1915254\n- https://pad.lv/1928773\n- https://pad.lv/1939396\n- https://pad.lv/1950268\n- https://pad.lv/1961127\n- https://pad.lv/1973627\n- https://pad.lv/1978249\n- https://pad.lv/1984012\n- https://pad.lv/1996770\n- https://pad.lv/2006406\n- https://pad.lv/2019214\n- https://pad.lv/2028426\n- https://pad.lv/2040469\n- https://pad.lv/2067388\n- https://pad.lv/2076183\n- https://pad.lv/2085196\n- https://pad.lv/2099900\n- https://pad.lv/2110377\n- https://pad.lv/2112531\n\nAs usual we test and prep from the PPA and then push through SRU/Security as applicable.\n\nOnce ready, the test packages should be available at https://launchpad.net/~canonical-server/+archive/ubuntu/postgresql-sru-preparation/+packages", "date_last_updated": "Wed Dec 3 18:04:29 2025", "title": "New PostgreSQL upstream microreleases 14.20, 16.11, and 17.7", "source_package_name": "postgresql-16", "potential_assignee": "", "assignee": "athos", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-25.12", "status": "", "importance": "Wishlist", "date_created": "Fri Oct 10 21:12:37 2025", "date_assigned": "Mon Oct 13 13:45:45 2025", "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:36:09 2026" }, { "id": "2127668", "description": "[Impact]\n\n * MRE for latest stable fixes of Postgres 14, 16, and 17 released in February 2026. This will include the hotfixes also released in February, as discussed in https://www.postgresql.org/about/news/out-of-cycle-release-scheduled-for-february-26-2026-3241/.\n\n[Test Case]\n\n * The Postgres MREs traditionally rely on the large set of autopkgtests\n   to run for verification. In a PPA, those are all already pre-checked to\n   be good for this upload.\n\n[Regression Potential]\n\n * Upstream tests are usually great and in addition in the Archive there\n   are plenty of autopkgtests that in the past caught issues before being\n   released.\n   But nevertheless there always is a risk for something to break. Since\n   these are general stable releases I can't pinpoint them to a most-likely area.\n   - usually this works smoothly except a few test hiccups (flaky) that need to be clarified to be sure. Pre-checks will catch those to be discussed upfront (as last time)\n\n[Other Info]\n\n * This is a reoccurring MRE, see below and all the references\n * CVEs addressed by this MRE:\n  - CVE-2026-2003\n  - CVE-2026-2004\n  - CVE-2026-2005\n  - CVE-2026-2006\n  - CVE-2026-2007\n\nCurrent versions in supported releases that got updates:\n\n postgresql-14 | 14.20-0ubuntu0.22.04.1 | jammy-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n postgresql-16 | 16.11-0ubuntu0.24.04.1 | noble-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n postgresql-17 | 17.7-0ubuntu0.25.10.1 | questing-security | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x\n\nSpecial cases:\n- Since there are 5 CVEs being fixed here, we will push these MREs through the security pocket.\n- resolute already got this new release for postgresql-18 (currently in proposed)\n\nStanding MRE - Consider last updates as template:\n\n- https://pad.lv/1637236\n- https://pad.lv/1664478\n- https://pad.lv/1690730\n- https://pad.lv/1713979\n- https://pad.lv/1730661\n- https://pad.lv/1747676\n- https://pad.lv/1752271\n- https://pad.lv/1786938\n- https://pad.lv/1815665\n- https://pad.lv/1828012\n- https://pad.lv/1833211\n- https://pad.lv/1839058\n- https://pad.lv/1863108\n- https://pad.lv/1892335\n- https://pad.lv/1915254\n- https://pad.lv/1928773\n- https://pad.lv/1939396\n- https://pad.lv/1950268\n- https://pad.lv/1961127\n- https://pad.lv/1973627\n- https://pad.lv/1978249\n- https://pad.lv/1984012\n- https://pad.lv/1996770\n- https://pad.lv/2006406\n- https://pad.lv/2019214\n- https://pad.lv/2028426\n- https://pad.lv/2040469\n- https://pad.lv/2067388\n- https://pad.lv/2076183\n- https://pad.lv/2085196\n- https://pad.lv/2099900\n- https://pad.lv/2110377\n- https://pad.lv/2112531\n- https://pad.lv/2127667\n\nAs usual we test and prep from the PPA and then push through SRU/Security as applicable.\n\nOnce ready, the test packages should be available at https://launchpad.net/~canonical-server/+archive/ubuntu/postgresql-sru-preparation/+packages", "date_last_updated": "Wed Mar 4 12:42:18 2026", "title": "New PostgreSQL upstream microreleases 14.22, 16.13, and 17.9", "source_package_name": "postgresql-16", "potential_assignee": "", "assignee": "athos", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-26.02", "status": "", "importance": "Wishlist", "date_created": "Fri Oct 10 21:12:52 2025", "date_assigned": "Mon Oct 13 13:45:38 2025", "date_fix_released": null, "date_data_refreshed": "Mon Apr 6 15:36:35 2026" }, { "id": "2127669", "description": "[Impact]\n\nThis bug tracks the following MRE updates for the Squid package:\n\n- Questing (25.10): 6.13 -> 6.14\n- Noble (24.04): 6.13 -> 6.14\n\nThis update is a best effort to only include bug fixes, following the SRU policy exception defined at https://documentation.ubuntu.com/project/SRU/reference/exception-Squid-Updates/.\n\n[Upstream changes]\n\nThe main changes seen in upstream for the 6.14 release are:\n- Do not get stuck in RESPMOD after pausing peer read(2)\n- Fix SNMP cacheNumObjCount -- number of cached objects\n- Do not duplicate received Surrogate-Capability in sent requests\n- Fix Mem::Segment::open() stub to fix build without shm_open()\n\nThe full upstream changelog can be checked in https://github.com/squid-cache/squid/blob/SQUID_6_14/ChangeLog\n\n[Test Plan]\nThe package builds in https://launchpad.net/~rr/+archive/ubuntu/backport-squid-lp2127669\nas seen, for example, in:\n- Noble: https://launchpadlibrarian.net/850179993/buildlog_ubuntu-noble-amd64.squid_6.14-0ubuntu0.24.04.1~ppa1_BUILDING.txt.gz\n- Questing: https://launchpadlibrarian.net/850180839/buildlog_ubuntu-questing-amd64.squid_6.14-0ubuntu0.25.10.1~ppa1_BUILDING.txt.gz\n\nAll tests are passing during build time, as shown in the build log\n(builds would fail otherwise, see LP: #2004050).\n\nResults of local autopkgtest run against all the new Squid versions\nbeing shown here:\n - squid: noble/squid/6.14-0ubuntu0.24.04.1~ppa1 [amd64]\n + ✅ squid on noble for amd64 @ 05.03.26 02:10:44 \n - squid: noble/squid/6.14-0ubuntu0.24.04.1~ppa1 [arm64]\n + ✅ squid on noble for arm64 @ 17.03.26 01:59:48 \n - squid: noble/squid/6.14-0ubuntu0.24.04.1~ppa1 [armhf]\n + ❌ squid on noble for armhf @ 05.03.26 02:15:07 \n • upstream-test-suite PASS 🟩\n • squid FAIL 🟥\n - squid: noble/squid/6.14-0ubuntu0.24.04.1~ppa1 [i386]\n + ❌ squid on noble for i386 @ 17.03.26 02:11:47 \n • upstream-test-suite FAIL 🟥\n • squid FAIL 🟥\n - squid: noble/squid/6.14-0ubuntu0.24.04.1~ppa1 [ppc64el]\n + ✅ squid on noble for ppc64el @ 05.03.26 02:35:36 \n - squid: noble/squid/6.14-0ubuntu0.24.04.1~ppa1 [riscv64]\n + ⛔ squid on noble for riscv64 @ 17.03.26 03:20:01 \n • testbed BAD ⛔\n - squid: noble/squid/6.14-0ubuntu0.24.04.1~ppa1 [s390x]\n + ✅ squid on noble for s390x @ 05.03.26 02:29:14 \n - squid: questing/squid/6.14-0ubuntu0.25.10.1~ppa1 [amd64]\n + ✅ squid on questing for amd64 @ 05.03.26 02:10:45 \n - squid: questing/squid/6.14-0ubuntu0.25.10.1~ppa1 [arm64]\n + ✅ squid on questing for arm64 @ 05.03.26 02:12:38 \n - squid: questing/squid/6.14-0ubuntu0.25.10.1~ppa1 [armhf]\n + ❌ squid on questing for armhf @ 05.03.26 02:15:29 \n • upstream-test-suite PASS 🟩\n • squid FAIL 🟥\n - squid: questing/squid/6.14-0ubuntu0.25.10.1~ppa1 [i386]\n + ❌ squid on questing for i386 @ 17.03.26 02:12:04 \n • upstream-test-suite FAIL 🟥\n • squid FAIL 🟥\n - squid: questing/squid/6.14-0ubuntu0.25.10.1~ppa1 [ppc64el]\n + ✅ squid on questing for ppc64el @ 05.03.26 02:12:23 \n - squid: questing/squid/6.14-0ubuntu0.25.10.1~ppa1 [riscv64]\n + ⛔ squid on questing for riscv64 @ 17.03.26 02:28:28 \n • testbed BAD ⛔\n - squid: questing/squid/6.14-0ubuntu0.25.10.1~ppa1 [s390x]\n + ✅ squid on questing for s390x @ 05.03.26 02:21:36 \n\n[Regression Potential]\n\nUpstream tests are always executed during build-time. Failures would\nprevent builds from succeeding.\n\nSquid does not have many reverse dependencies. However, any upgrade is a\nrisk to introduce breakage to other packages. Whenever a regression\noccurs in autopkgtests, we will investigate and provide fixes.\n\n[Other Info]\n\nNo CVEs are being addressed this time. Therefore, this should go through the updates pocket.\n\nThis is a recurring effort. For reference, previous previous Squid SRU backports:\n\n* LP: #2013423 5.7 for Jammy\n* LP: #2040470 5.9 for Jammy\n* LP: #2073322 6.10 for Noble\n* LP: #2085197 6.13 for Noble", "date_last_updated": "Tue Mar 24 18:23:56 2026", "title": "Backport of squid for noble and questing", "source_package_name": "squid", "potential_assignee": "", "assignee": "rr", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-26.03", "status": "done", "importance": "Wishlist", "date_created": "Fri Oct 10 21:13:05 2025", "date_assigned": "Wed Nov 5 08:27:32 2025", "date_fix_released": "Tue Mar 24 18:23:55 2026", "date_data_refreshed": "Mon Apr 6 15:36:44 2026" }, { "id": "2142590", "description": "This bug tracks an update for the Valkey package, moving to versions:\n\n* resolute (26.04) - 9.0.3\n* questing (25.10) - 8.1.6\n* noble (24.04) - 7.2.12\n\nThese updates include bug fixes following the SRU special case documentation at https://documentation.ubuntu.com/sru/en/latest/reference/exception-Valkey-Updates\n\n[Upstream changes]\n\nCVE Fixes:\n\nAll versions:\n(CVE-2025-67733) RESP Protocol Injection via Lua error_reply\n(CVE-2026-21863) Remote DoS with malformed Valkey Cluster bus message\n\n9.0.x:\n(CVE-2026-27623) Reset request type after handling empty requests\n\nAdditional bug fixes:\n\n9.0.3:\n\nhttps://github.com/valkey-io/valkey/pull/3160\nhttps://github.com/valkey-io/valkey/pull/3182\nhttps://github.com/valkey-io/valkey/pull/3205\n\n8.1.5-8.1.6:\n\nhttps://github.com/valkey-io/valkey/pull/2944\nhttps://github.com/valkey-io/valkey/pull/2983\nhttps://github.com/valkey-io/valkey/pull/3005\nhttps://github.com/valkey-io/valkey/pull/3160\nhttps://github.com/valkey-io/valkey/pull/3182\nhttps://github.com/valkey-io/valkey/pull/3205\nhttps://github.com/valkey-io/valkey/pull/1826\nhttps://github.com/valkey-io/valkey/pull/2753\nhttps://github.com/valkey-io/valkey/pull/2817\nhttps://github.com/valkey-io/valkey/pull/2840\nhttps://github.com/valkey-io/valkey/pull/2899\n\n7.2.12\n\nhttps://github.com/valkey-io/valkey/pull/2787\nhttps://github.com/valkey-io/valkey/pull/2830\nhttps://github.com/valkey-io/valkey/pull/3160\n\nchangelog - https://github.com/valkey-io/valkey/releases\n\nBased on release notes and commit logs, I do not see any backwards-incompatible changes that will affect users in the new versions.\n\nAdditionally, for the upload to questing, I am including the recent change added to resolute where the maxmemory test is skipped at build time, as it often causes archive builds to fail due to timeouts.\n\n[Test Plan]\n\nValkey autopkgtests:\n\nDirect links for autopkgtest results on amd64:\n\nhttps://autopkgtest.ubuntu.com/results/autopkgtest-resolute-lvoytek-valkey-sru/resolute/amd64/v/valkey/20260224_193852_d8c8b@/log.gz\n\nhttps://autopkgtest.ubuntu.com/results/autopkgtest-questing-lvoytek-valkey-sru/questing/amd64/v/valkey/20260224_200406_6008a@/log.gz\n\nhttps://autopkgtest.ubuntu.com/results/autopkgtest-noble-lvoytek-valkey-sru/noble/amd64/v/valkey/20260224_193905_c799b@/log.gz\n\nAll other architectures were also successful against the PPA: https://launchpad.net/~lvoytek/+archive/ubuntu/valkey-sru\n\n[Regression Potential]\n\nUpstream has an extensive build and integration test suite. So regressions would likely arise from a change in interaction with Ubuntu-specific integrations.\n\nPrevious Backports:\n(LP: #2127122)\n(LP: #2097546)\n(LP: #2091129)\n(LP: #2115258)", "date_last_updated": "Mon Mar 16 12:38:30 2026", "title": "Update Valkey to 7.2.12 in noble, 8.1.6 in questing, and 9.0.3 in resolute", "source_package_name": "valkey", "potential_assignee": "", "assignee": "lvoytek", "ubuntu_released_version": "", "ubuntu_proposed_version": "", "debian_unstable_version": "", "debian_new_version": "", "upstream_version": "", "target_milestone": "ubuntu-26.02", "status": "done", "importance": "Undecided", "date_created": "Tue Feb 24 13:11:39 2026", "date_assigned": "Tue Feb 24 13:12:02 2026", "date_fix_released": "Thu Feb 26 05:29:33 2026", "date_data_refreshed": "Mon Apr 6 15:38:24 2026" } ]