A new release of the Ubuntu Cloud Images for stable Ubuntu release 18.04 LTS (Bionic Beaver) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with:
   'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs
for a complete listing of changes:
 * cloud-init: 22.4.2-0ubuntu0~18.04.1 => 23.1.1-0ubuntu0~18.04.1 
 * curl: 7.58.0-2ubuntu3.23 => 7.58.0-2ubuntu3.24 
 * krb5: 1.16-2ubuntu0.3 => 1.16-2ubuntu0.4 
 * libunwind: 1.2.1-8 => 1.2.1-8ubuntu0.1 
 * python3.6: 3.6.9-1~18.04ubuntu1.9 => 3.6.9-1~18.04ubuntu1.12 
 * rsync: 3.1.2-2.1ubuntu1.5 => 3.1.2-2.1ubuntu1.6 
 * systemd: 237-3ubuntu10.56 => 237-3ubuntu10.57 
 * vim: 2:8.0.1453-1ubuntu1.10 => 2:8.0.1453-1ubuntu1.11 


The following is a complete changelog for this image.
new: {}
removed: {}
changed: ['cloud-init', 'curl', 'krb5-locales', 'libcurl3-gnutls:amd64', 'libcurl4:amd64', 'libgssapi-krb5-2:amd64', 'libk5crypto3:amd64', 'libkrb5-3:amd64', 'libkrb5support0:amd64', 'libnss-systemd:amd64', 'libpam-systemd:amd64', 'libpython3.6-minimal:amd64', 'libpython3.6-stdlib:amd64', 'libpython3.6:amd64', 'libsystemd0:amd64', 'libudev1:amd64', 'libunwind8:amd64', 'python3.6', 'python3.6-minimal', 'rsync', 'systemd', 'systemd-sysv', 'udev', 'vim', 'vim-common', 'vim-runtime', 'vim-tiny', 'xxd']
new snaps: {}
removed snaps: {}
changed snaps: []
==== cloud-init: 22.4.2-0ubuntu0~18.04.1 => 23.1.1-0ubuntu0~18.04.1 ====
====     cloud-init
  * d/patches/netplan99-cannot-use-default.patch:
    - Retain routes' definitions compatible with netplan 0.99
  * d/patches/retain-netplan-world-readable.patch:
    - Retain original world-readable perms of /etc/netplan/50-cloud-init.yaml.
      Lunar made the config root read-only.
  * refresh patches:
    + debian/patches/expire-on-hashed-users.patch
  * Upstream snapshot based on 23.1.1. (LP: #2008230).
    List of changes from upstream can be found at
    https://raw.githubusercontent.com/canonical/cloud-init/23.1.1/ChangeLog
==== curl: 7.58.0-2ubuntu3.23 => 7.58.0-2ubuntu3.24 ====
====     curl libcurl3-gnutls:amd64 libcurl4:amd64
  * SECURITY UPDATE: TELNET option IAC injection
    - debian/patches/CVE-2023-27533.patch: only accept option arguments in
      ascii in lib/telnet.c.
    - CVE-2023-27533
  * SECURITY UPDATE: SFTP path ~ resolving discrepancy
    - debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir
      ends with one in lib/curl_path.c.
    - debian/patches/CVE-2023-27534.patch: properly handle tilde character
      in lib/curl_path.c.
    - CVE-2023-27534
  * SECURITY UPDATE: FTP too eager connection reuse
    - debian/patches/CVE-2023-27535.patch: add more conditions for
      connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h.
    - CVE-2023-27535
  * SECURITY UPDATE: GSS delegation too eager connection re-use
    - debian/patches/CVE-2023-27536.patch: only reuse connections with same
      GSS delegation in lib/url.c, lib/urldata.h.
    - CVE-2023-27536
  * SECURITY UPDATE: SSH connection too eager reuse still
    - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse
      check in lib/url.c.
    - CVE-2023-27538
==== krb5: 1.16-2ubuntu0.3 => 1.16-2ubuntu0.4 ====
====     krb5-locales libgssapi-krb5-2:amd64 libk5crypto3:amd64 libkrb5-3:amd64 libkrb5support0:amd64
  * SECURITY UPDATE: Null pointer dereference issue
    - debian/patches/CVE-2021-36222.patch: Fix KDC null deref on bad
      encrypted challenge
    - debian/patches/CVE-2021-37750.patch: Fix KDC null deref on TGS inner
      body null server
    - CVE-2021-36222
    - CVE-2021-37750
==== libunwind: 1.2.1-8 => 1.2.1-8ubuntu0.1 ====
====     libunwind8:amd64
  * Manually enable C++ exception support only on i386 and amd64,
    it is known broken on several other architectures.
    Thanks to Bernhard belacker. (Closes: #923962) (LP: #1999104)
==== python3.6: 3.6.9-1~18.04ubuntu1.9 => 3.6.9-1~18.04ubuntu1.12 ====
====     libpython3.6-minimal:amd64 libpython3.6-stdlib:amd64 libpython3.6:amd64 python3.6 python3.6-minimal
  * SECURITY UPDATE: Possible Bypass Blocklisting
    - debian/patches/CVE-2023-24329.patch: enforce
      that a scheme must begin with an alphabetical ASCII character
      in Lib/urllib/parse.py, Lib/test/test_urlparse.py.
    - CVE-2023-24329
  * SECURITY UPDATE: Buffer overflow in SHA3 (Keccak)
    - debian/patches/CVE-2022-37454.patch: fix a buffer overflow in
      Modules/_sha3/kcp/KeccakSponge.inc, Lib/test/test_hashlib.py
     (LP: #1995197).
    - CVE-2022-37454
==== rsync: 3.1.2-2.1ubuntu1.5 => 3.1.2-2.1ubuntu1.6 ====
====     rsync
  * SECURITY UPDATE: arbitrary file write via malicious remote servers
    - d/p/z-CVE-2022-29154-{1,2}.diff: backported patches to fix the issue.
    - d/p/z-CVE-2022-29154-3.diff: added additional patch to fix
      regression.
    - CVE-2022-29154
==== systemd: 237-3ubuntu10.56 => 237-3ubuntu10.57 ====
====     libnss-systemd:amd64 libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd systemd-sysv udev
  * SECURITY UPDATE: buffer overrun vulnerability in format_timespan()
    - debian/patches/CVE-2022-3821.patch: time-util: fix buffer-over-run
    - CVE-2022-3821
==== vim: 2:8.0.1453-1ubuntu1.10 => 2:8.0.1453-1ubuntu1.11 ====
====     vim vim-common vim-runtime vim-tiny xxd
  * SECURITY UPDATE: NULL pointer dereference when creating blank mouse
    pointer
    - debian/patches/CVE-2022-47024.patch: only use the return value of
      XChangeGC() when it is not NULL.
    - CVE-2022-47024
  * SECURITY UPDATE: invalid memory access with bad 'statusline' value 
    - debian/patches/CVE-2023-0049.patch: avoid going over the NULL at the end
      of a statusline.
    - CVE-2023-0049
  * SECURITY UPDATE: invalid memory access with recursive substitute
    expression 
    - debian/patches/CVE-2023-0054.patch: check the return value of
      vim_regsub().
    - CVE-2023-0054
  * SECURITY UPDATE: invalid memory access with folding and using "L" 
    - debian/patches/CVE-2023-0288.patch: prevent the cursor from moving to
      line zero.
    - CVE-2023-0288
  * SECURITY UPDATE: reading past the end of a line when formatting text 
    - debian/patches/CVE-2023-0433.patch: check for not going over the end of
      the line.
    - CVE-2023-0433
  * SECURITY UPDATE: heap based buffer overflow vulnerability
    - debian/patches/CVE-2023-1170.patch: accessing invalid memory with put
      in Visual block mode
    - CVE-2023-1170
  * SECURITY UPDATE: incorrect calculation of buffer size
    - debian/patches/CVE-2023-1175.patch: illegal memory access when using
      virtual editing
    - CVE-2023-1175

--
[1] http://cloud-images.ubuntu.com/releases/bionic/release-20230322/
[2] http://cloud-images.ubuntu.com/releases/bionic/release-20230303/