A new release of the Ubuntu Cloud Images for stable Ubuntu release 18.04 LTS (Bionic Beaver) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'. The following packages have been updated. Please see the full changelogs for a complete listing of changes: * cloud-init: 23.1.1-0ubuntu0~18.04.1 => 23.1.2-0ubuntu0~18.04.1 * git: 1:2.17.1-1ubuntu0.17 => 1:2.17.1-1ubuntu0.18 * linux-meta: 4.15.0.209.192 => 4.15.0.210.193 * linux-signed: 4.15.0-209.220 => 4.15.0-210.221 The following is a complete changelog for this image. new: {'linux-headers-4.15.0-210': '4.15.0-210.221', 'linux-headers-4.15.0-210-generic': '4.15.0-210.221', 'linux-modules-4.15.0-210-generic': '4.15.0-210.221'} removed: {'linux-headers-4.15.0-209': '4.15.0-209.220', 'linux-headers-4.15.0-209-generic': '4.15.0-209.220', 'linux-modules-4.15.0-209-generic': '4.15.0-209.220'} changed: ['cloud-init', 'git', 'git-man', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-4.15.0-210-generic', 'linux-image-virtual', 'linux-virtual'] new snaps: {} removed snaps: {} changed snaps: [] ==== cloud-init: 23.1.1-0ubuntu0~18.04.1 => 23.1.2-0ubuntu0~18.04.1 ==== ==== cloud-init * SECURITY UPDATE: Make user/vendor data sensitive and remove log permissions Because user data and vendor data may contain sensitive information, this commit ensures that any user data or vendor data written to instance-data.json gets redacted and is only available to root user. Also, modify the permissions of cloud-init.log to be 640, so that sensitive data leaked to the log isn't world readable. Additionally, remove the logging of user data and vendor data to cloud-init.log from the Vultr datasource. This is based on upstream snapshot of 23.1.2 [(LP: #2013967)] - d/cloud-init.postinst: postinst fixes for LP: #2013967 Redact sensitive keys from world-readable instance-data.json on upgrade. Set perms 640 for /var/log/cloud-init.log on pkg upgrade. Redact sensitive Vultr messages from /var/log/cloud-init.log - (CVE-2023-1786) ==== git: 1:2.17.1-1ubuntu0.17 => 1:2.17.1-1ubuntu0.18 ==== ==== git git-man * SECURITY UPDATE: Overwriting path - debian/patches/CVE-2023_25652_25815_29007/0022-*.patch: apply --reject overwriting existing .rej symlink if it exists in apply.c, t/t4115-apply-symlink.sh. - CVE-2023-25652 * SECURITY UPDATE: Malicious placement of crafted messages - debian/patches/CVE-2023_25652_25815_29007/0024-*patch: avoid using gettext if the locale dir is not present in gettext.c. - CVE-2023-25815 * SECURITY UPDATE: Arbitrary configuration injection - debian/patches/CVE-2023_25652_25815_29007/0025-*.patch: avoid fixed-sized buffer when renaming/deleting a section in config.c. - debian/patches/CVE-2023_25652_25815_29007/0026-*.patch: avoid integer truncation in copy_or_rename_section_in_file() in config.c. - debian/patches/CVE-2023_25652_25815_29007/0027-*.patch: disallow overly-long lines in copy_or_rename_section_in_file in config.c. - CVE-2023-29007 ==== linux-meta: 4.15.0.209.192 => 4.15.0.210.193 ==== ==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual * Bump ABI 4.15.0-210 ==== linux-signed: 4.15.0-209.220 => 4.15.0-210.221 ==== ==== linux-image-4.15.0-210-generic * Master version: 4.15.0-210.221 * Miscellaneous Ubuntu changes - debian/tracking-bug -- update from master -- [1] http://cloud-images.ubuntu.com/releases/bionic/release-20230502/ [2] http://cloud-images.ubuntu.com/releases/bionic/release-20230425/