{
    "summary": {
        "snap": {
            "added": [],
            "removed": [],
            "diff": []
        },
        "deb": {
            "added": [],
            "removed": [],
            "diff": [
                "amd64-microcode",
                "perl-base",
                "tar"
            ]
        }
    },
    "diff": {
        "deb": [
            {
                "name": "amd64-microcode",
                "from_version": {
                    "source_package_name": "amd64-microcode",
                    "source_package_version": "3.20250311.1ubuntu0.24.04.1",
                    "version": "3.20250311.1ubuntu0.24.04.1"
                },
                "to_version": {
                    "source_package_name": "amd64-microcode",
                    "source_package_version": "3.20251202.1ubuntu0.24.04.1",
                    "version": "3.20251202.1ubuntu0.24.04.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2025-62626",
                        "url": "https://ubuntu.com/security/CVE-2025-62626",
                        "cve_description": "Improper handling of insufficient entropy in the AMD CPUs could allow a local attacker to influence the values returned by the RDSEED instruction, potentially resulting in the consumption of insufficiently random values.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-11-21 19:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-36350",
                        "url": "https://ubuntu.com/security/CVE-2024-36350",
                        "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-08 17:15:00 UTC"
                    },
                    {
                        "cve": "CVE-2024-36357",
                        "url": "https://ubuntu.com/security/CVE-2024-36357",
                        "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries.",
                        "cve_priority": "medium",
                        "cve_public_date": "2025-07-08 17:15:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2025-62626",
                                "url": "https://ubuntu.com/security/CVE-2025-62626",
                                "cve_description": "Improper handling of insufficient entropy in the AMD CPUs could allow a local attacker to influence the values returned by the RDSEED instruction, potentially resulting in the consumption of insufficiently random values.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-11-21 19:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-36350",
                                "url": "https://ubuntu.com/security/CVE-2024-36350",
                                "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-08 17:15:00 UTC"
                            },
                            {
                                "cve": "CVE-2024-36357",
                                "url": "https://ubuntu.com/security/CVE-2024-36357",
                                "cve_description": "A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries.",
                                "cve_priority": "medium",
                                "cve_public_date": "2025-07-08 17:15:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  [ Henrique de Moraes Holschuh ]",
                            "  * Update package data from linux-firmware 20251202",
                            "    * ATTENTION: regression risk if backported to stable or LTS.",
                            "      The amd processor microcode updates in this release will not load on",
                            "      systems with outdated BIOS vulnerable to \"Entrysign\" unless a number of",
                            "      kernel patches are present.",
                            "    * amd-tee: update AMD PMF TA Firmware to v3.1.",
                            "    * amd-ucode: update with release 2025-12-02:",
                            "      + SECURITY UPDATE (AMD-SB-7055 / CVE-2025-62626)",
                            "        Fix RDSEED Failure on more AMD Zen 5 Processor models",
                            "        (closes: #1120005)",
                            "    * amd-ucode: update with release 2025-11-13:",
                            "      + SECURITY UPDATE (AMD-SB-7055 / CVE-2025-62626)",
                            "        Fix RDSEED Failure on more AMD Zen 5 Processor models",
                            "    * amd-ucode: update with release 2025-10-30:",
                            "      + SECURITY UPDATE (AMD-SB-7055 / CVE-2025-62626)",
                            "        Fix RDSEED Failure on some AMD Zen 5 Processor models",
                            "    + amd-ucode: update with release 2025-10-27:",
                            "      * This is the final microcode release for systems that have not",
                            "        been updated to fix vulnerability AMD-SB-7033 \"Entrysign\").",
                            "      * A kernel update is needed for the microcode driver to be able",
                            "        to select the appropriate microcode updates for outdated system",
                            "        firmware vulnerable to \"Entrysign\".",
                            "      * On non-updated kernels, this will potentially *regress* the",
                            "        microcode version on the running system back to the one in the",
                            "        (outdated, unpatched-for-Entrysign) BIOS.",
                            "    + amd-ucode: update with release 2025-07-29:",
                            "      + SECURITY UPDATE (AMD-SB-7029: CVE-2024-36350, CVE-2024-36357):",
                            "        Mitigate transient execution vulnerabilities in some AMD processors",
                            "        which might allow an attacker to infer data from previous stores",
                            "        (TSA-SQ) or data in the L1D cache (TSA-L1), potentially resulting in",
                            "        the leakage of privileged information and sensitive information across",
                            "        priviledged boundaries (closes: #1109035)",
                            "      * NOTE: Requires kernel and hypervisor changes for the security",
                            "        mitigations to be applied (issue VERW instruction at appropriate",
                            "        times).",
                            "  * NEWS.Debian: update for post-Entrysign microcode updates",
                            "    Document that kernel patches are needed to avoid regressing the microcode",
                            "    release on vulnerable Zen2/3/4 systems (family 0x19), and also that these",
                            "    systems will not receive any future microcode updates.",
                            "",
                            "  [ Rodrigo Figueiredo Zaiden ]",
                            "  * Remaining changes:",
                            "    - debian/initramfs.hook: initramfs-tools hook:",
                            "      + Default to 'early' instead of 'auto' when building with",
                            "        MODULES=most",
                            "      + Do not override preset defaults from auto-exported conf",
                            "        snippets loaded by initramfs-tools.",
                            ""
                        ],
                        "package": "amd64-microcode",
                        "version": "3.20251202.1ubuntu0.24.04.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Rodrigo Figueiredo Zaiden <rodrigo.zaiden@canonical.com>",
                        "date": "Tue, 23 Jun 2026 10:53:03 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "perl-base",
                "from_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.38.2-3.2ubuntu0.2",
                    "version": "5.38.2-3.2ubuntu0.2"
                },
                "to_version": {
                    "source_package_name": "perl",
                    "source_package_version": "5.38.2-3.2ubuntu0.3",
                    "version": "5.38.2-3.2ubuntu0.3"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-42496",
                        "url": "https://ubuntu.com/security/CVE-2026-42496",
                        "cve_description": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory.  _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.  A subsequent open through the extracted name reads or writes the attacker chosen path.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 02:16:00 UTC"
                    },
                    {
                        "cve": "CVE-2026-8376",
                        "url": "https://ubuntu.com/security/CVE-2026-8376",
                        "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.  Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.  A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-05-26 00:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-42496",
                                "url": "https://ubuntu.com/security/CVE-2026-42496",
                                "cve_description": "Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory.  _make_special_file() passes the tar header's linkname to symlink() without validating it against absolute paths or .. segments. The secure-extract mode check that guards regular file extraction does not cover the symlink target.  A subsequent open through the extracted name reads or writes the attacker chosen path.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 02:16:00 UTC"
                            },
                            {
                                "cve": "CVE-2026-8376",
                                "url": "https://ubuntu.com/security/CVE-2026-8376",
                                "cve_description": "Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.  Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.  A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-05-26 00:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: path traversal in Archive::Tar symlink/hardlink extraction",
                            "    - debian/patches/CVE-2026-42496.patch: validate symlink and hardlink",
                            "      targets against absolute paths and directory traversal in",
                            "      cpan/Archive-Tar/lib/Archive/Tar.pm",
                            "    - CVE-2026-42496",
                            "  * SECURITY UPDATE: integer overflow in regular expression compiler",
                            "    - debian/patches/CVE-2026-8376_1.patch: add test cases for heap buffer",
                            "      overflow via quantified fixed-string regex in t/re/pat_psycho.t",
                            "    - debian/patches/CVE-2026-8376_2.patch: add overflow check before",
                            "      fixed-string buffer allocation in regcomp.c / regcomp_study.c",
                            "    - CVE-2026-8376",
                            ""
                        ],
                        "package": "perl",
                        "version": "5.38.2-3.2ubuntu0.3",
                        "urgency": "high",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Chrisa Oikonomou <chrisa.oikonomou@canonical.com>",
                        "date": "Fri, 12 Jun 2026 16:42:23 +0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            },
            {
                "name": "tar",
                "from_version": {
                    "source_package_name": "tar",
                    "source_package_version": "1.35+dfsg-3build1",
                    "version": "1.35+dfsg-3build1"
                },
                "to_version": {
                    "source_package_name": "tar",
                    "source_package_version": "1.35+dfsg-3ubuntu0.1",
                    "version": "1.35+dfsg-3ubuntu0.1"
                },
                "cves": [
                    {
                        "cve": "CVE-2026-5704",
                        "url": "https://ubuntu.com/security/CVE-2026-5704",
                        "cve_description": "A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.",
                        "cve_priority": "medium",
                        "cve_public_date": "2026-04-06 16:16:00 UTC"
                    }
                ],
                "launchpad_bugs_fixed": [],
                "changes": [
                    {
                        "cves": [
                            {
                                "cve": "CVE-2026-5704",
                                "url": "https://ubuntu.com/security/CVE-2026-5704",
                                "cve_description": "A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.",
                                "cve_priority": "medium",
                                "cve_public_date": "2026-04-06 16:16:00 UTC"
                            }
                        ],
                        "log": [
                            "",
                            "  * SECURITY UPDATE: file injection via crafted archive",
                            "    - debian/patches/CVE-2026-5704.patch: always call skip_member() after",
                            "      extraction in src/extract.c, fix skim_member() to skip directory data",
                            "      in src/list.c, remove conditional skip_member() call from",
                            "      purge_directory in src/incremen.c",
                            "    - CVE-2026-5704",
                            ""
                        ],
                        "package": "tar",
                        "version": "1.35+dfsg-3ubuntu0.1",
                        "urgency": "medium",
                        "distributions": "noble-security",
                        "launchpad_bugs_fixed": [],
                        "author": "Leonidas Da Silva Barbosa <leo.barbosa@canonical.com>",
                        "date": "Fri, 19 Jun 2026 11:00:21 -0300"
                    }
                ],
                "notes": null,
                "is_version_downgrade": false
            }
        ],
        "snap": []
    },
    "added": {
        "deb": [],
        "snap": []
    },
    "removed": {
        "deb": [],
        "snap": []
    },
    "notes": "Changelog diff for Ubuntu 24.04 noble image from daily image serial 20260619 to 20260626",
    "from_series": "noble",
    "to_series": "noble",
    "from_serial": "20260619",
    "to_serial": "20260626",
    "from_manifest_filename": "daily_manifest.previous",
    "to_manifest_filename": "manifest.current"
}