A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI ids.

Users who wish to update their existing installations can do so with:

   'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

 * apport: 2.20.11-0ubuntu27.24 => 2.20.11-0ubuntu27.25
 * expat: 2.2.9-1ubuntu0.4 => 2.2.9-1ubuntu0.6
 * linux-meta: 5.4.0.132.132 => 5.4.0.135.133
 * linux-signed: 5.4.0-132.148 => 5.4.0-135.152
 * multipath-tools: 0.8.3-1ubuntu2 => 0.8.3-1ubuntu2.1
 * shadow: 1:4.8.1-1ubuntu5.20.04.2 => 1:4.8.1-1ubuntu5.20.04.4
 * snapd: 2.57.5+20.04 => 2.57.5+20.04ubuntu0.1
 * systemd: 245.4-4ubuntu3.18 => 245.4-4ubuntu3.19

The following is a complete changelog for this image.

new: {'linux-headers-5.4.0-135-generic': '5.4.0-135.152', 'linux-headers-5.4.0-135': '5.4.0-135.152', 'linux-modules-5.4.0-135-generic': '5.4.0-135.152'}
removed: {'linux-headers-5.4.0-132': '5.4.0-132.148', 'linux-headers-5.4.0-132-generic': '5.4.0-132.148', 'linux-modules-5.4.0-132-generic': '5.4.0-132.148'}
changed: ['apport', 'kpartx', 'libexpat1:amd64', 'libnss-systemd:amd64', 'libpam-systemd:amd64', 'libsystemd0:amd64', 'libudev1:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.4.0-135-generic', 'linux-image-virtual', 'linux-virtual', 'login', 'multipath-tools', 'passwd', 'python3-apport', 'python3-problem-report', 'snapd', 'systemd', 'systemd-sysv', 'systemd-timesyncd', 'udev']
new snaps: {}
removed snaps: {}
changed snaps: ['lxd', 'snapd']

==== apport: 2.20.11-0ubuntu27.24 => 2.20.11-0ubuntu27.25 ====
==== apport python3-apport python3-problem-report

  * Point Vcs-* URIs to git
  * whoopsie-upload-all: Catch FileNotFoundError during process_report (LP: #1867204)
  * Grab a slice of JournalErrors around the crash time (LP: #1962454)
  * data/apport:
    - Initialize error log as first step (LP: #1989467)
    - Fix PermissionError for setuid programs inside container (LP: #1982487)
    - Fix reading from stdin inside containers (LP: #1982555)
  * Fix autopkgtest test case failures (LP: #1989467):
    - Mark autopkgtest with isolation-container restriction
    - Fix failure if kernel module isofs is not installed
    - Do not check recommended dependencies
    - Skip UI test if kernel thread is not found
    - Fix race in test_crash_system_slice
    - Fix check for not running test executable
    - Use shadow in *_different_binary_source
    - Mock kernel package version in UI test
    - Fix test_kerneloops_nodetails if kernel is not installed
    - Drop broken test_crash_setuid_drop_and_kill
    - Expect linux-signed on arm64/s390x as well
    - Skip SegvAnalysis for non x86 architectures
    - Use unlimited core ulimit for SIGQUIT test
    - Fix race with progress window in GTK UI tests
    - Use sleep instead of yes for tests
    - Fix test_add_gdb_info_script on armhf
    - Fix wrong Ubuntu archive URI on ports
    - Fix KeyError in test_install_packages_unversioned
    - Depend on python3-systemd for container tests
    - Depend on psmisc for killall binary
    - Replace missing oxideqt-codecs
    - Drop broken test_install_packages_from_launchpad
    - Fix test_install_packages_permanent_sandbox* for s390x

==== expat: 2.2.9-1ubuntu0.4 => 2.2.9-1ubuntu0.6 ====
==== libexpat1:amd64

  * SECURITY UPDATE: use-after-free
    - debian/patches/CVE-2022-43680-1.patch: adds tests to cover DTD destruction in XML_ExternalEntityParserCreate in expat/tests/runtests.c.
    - debian/patches/CVE-2022-43680-2.patch: fix overeager DTD destruction in XML_ExternalEntityParserCreate in expat/lib/xmlparse.c.
    - CVE-2022-43680
  * SECURITY UPDATE: Use-after-free in doContent
    - debian/patches/CVE-2022-40674.patch: ensure storeRawNames() is always called in func internalEntityProcessor if handling unbalanced tags in expat/lib/xmlparse.c.
    - CVE-2022-40674

==== linux-meta: 5.4.0.132.132 => 5.4.0.135.133 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

  * Bump ABI 5.4.0-135

==== linux-signed: 5.4.0-132.148 => 5.4.0-135.152 ====
==== linux-image-5.4.0-135-generic

  * Master version: 5.4.0-135.152

==== multipath-tools: 0.8.3-1ubuntu2 => 0.8.3-1ubuntu2.1 ====
==== kpartx multipath-tools

  * SECURITY UPDATE: symlink attack
    - debian/patches/CVE-2022-41973.patch: use /run instead of /dev/shm in .gitignore, Makefile.inc, libmultipath/defaults.h, multipath/Makefile, multipath/multipath.rules.in, multipath/tmpfiles.conf.in.
    - debian/multipath-tools.install, debian/multipath-udeb.install: install tmpfiles.d/multipath.conf.
    - debian/rules: copy udev rule after build.
    - CVE-2022-41973
  * SECURITY UPDATE: authorization bypass
    - debian/patches/CVE-2022-41974.patch: ignore duplicated multipathd command keys in multipathd/main.c, multipathd/cli.c.
    - CVE-2022-41974

==== shadow: 1:4.8.1-1ubuntu5.20.04.2 => 1:4.8.1-1ubuntu5.20.04.4 ====
==== login passwd

  * SECURITY REGRESSION: useradd command does not copy all of /etc/skel (LP: #1998169)
    - debian/patches/CVE-2013-4235-pre1.patch: removed
    - debian/patches/CVE-2013-4235-pre2.patch: removed
    - debian/patches/CVE-2013-4235-1.patch: removed
    - debian/patches/CVE-2013-4235-2.patch: removed
    - debian/patches/CVE-2013-4235-3.patch: removed
    - debian/patches/CVE-2013-4235-4.patch: removed
    - debian/patches/CVE-2013-4235-5.patch: removed
    - debian/patches/CVE-2013-4235-6.patch: removed
    - debian/patches/CVE-2013-4235-7.patch: removed
    - debian/patches/CVE-2013-4235-post1.patch: removed
    - debian/patches/CVE-2013-4235-post2.patch: removed
    - debian/patches/CVE-2013-4235-post3.patch: removed
  * SECURITY UPDATE: race condition when copying and removing directory trees
    - debian/patches/CVE-2013-4235-pre1.patch: add nofollow to opens.
    - debian/patches/CVE-2013-4235-pre2.patch: prepare context for actual file type (set_selinux_file_context).
    - debian/patches/CVE-2013-4235-1.patch: avoid races in chown_tree().
    - debian/patches/CVE-2013-4235-2.patch: avoid races in remove_tree().
    - debian/patches/CVE-2013-4235-3.patch: require symlink support.
    - debian/patches/CVE-2013-4235-4.patch: fail if regular file pre-exists in copy_tree().
    - debian/patches/CVE-2013-4235-5.patch: more robust file content copy in copy_tree().
    - debian/patches/CVE-2013-4235-6.patch: address minor compiler warnings.
    - debian/patches/CVE-2013-4235-7.patch: avoid races in copy_tree().
    - debian/patches/CVE-2013-4235-post1.patch: use fchmodat instead of chmod (copy_tree).
    - debian/patches/CVE-2013-4235-post2.patch: do not block on fifos (copy_tree).
    - debian/patches/CVE-2013-4235-post3.patch: carefully treat permissions (copy_tree).
    - CVE-2013-4235

==== snapd: 2.57.5+20.04 => 2.57.5+20.04ubuntu0.1 ====
==== snapd

  * SECURITY UPDATE: Local privilege escalation
    - snap-confine: Fix race condition in snap-confine when preparing a private tmp mount namespace for a snap
    - CVE-2022-3328

==== systemd: 245.4-4ubuntu3.18 => 245.4-4ubuntu3.19 ====
==== libnss-systemd:amd64 libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd systemd-sysv systemd-timesyncd udev

  [ dann frazier ]
  * Add support for the v247 network naming scheme, but keep v245 as default (LP: #1945225)
    Author: dann frazier
    Files:
    - debian/patches/lp1945225/0001-udev-net_id-parse-_SUN-ACPI-index-as-a-signed-intege.patch
    - debian/patches/lp1945225/0002-udev-net_id-don-t-generate-slot-based-names-if-multi.patch
    - debian/patches/lp1945225/0003-net_id-fix-newly-added-naming-scheme-name.patch
    - debian/patches/lp1945225/0004-Add-remaining-supported-schemes-as-options-for-defau.patch
    - debian/rules
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f569231b5134a8e4901621ee5b2c33826184dae6

  [ Dimitri John Ledkov ]
  * test: fix test-execute autotest failure with kernel 5.15 (LP: #1975587)
    File: debian/patches/test-make-test-execute-pass-on-Linux-5.15.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=7b3140ab5916269c020978ce678f06869a769f5c

--
[1] http://cloud-images.ubuntu.com/releases/focal/release-20221201/
[2] http://cloud-images.ubuntu.com/releases/focal/release-20221115.1/