A new release of the Ubuntu Cloud Images for stable Ubuntu release 16.04 LTS (Xenial Xerus) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'. The following packages have been updated. Please see the full changelogs for a complete listing of changes: * cloud-init: 20.4.1-0ubuntu1~16.04.1 => 21.1-19-gbad84ad4-0ubuntu1~16.04.1 * libseccomp: 2.4.3-1ubuntu3.16.04.3 => 2.5.1-1ubuntu1~16.04.1 * linux-meta: 4.4.0.208.214 => 4.4.0.209.215 * linux-signed: 4.4.0-208.240 => 4.4.0-209.241 * nettle: 3.2-1ubuntu0.16.04.1 => 3.2-1ubuntu0.16.04.2 * systemd: 229-4ubuntu21.29 => 229-4ubuntu21.31 The following is a complete changelog for this image. new: {'linux-headers-4.4.0-209': '4.4.0-209.241', 'linux-headers-4.4.0-209-generic': '4.4.0-209.241', 'linux-modules-4.4.0-209-generic': '4.4.0-209.241'} removed: {'linux-headers-4.4.0-208': '4.4.0-208.240', 'linux-headers-4.4.0-208-generic': '4.4.0-208.240', 'linux-modules-4.4.0-208-generic': '4.4.0-208.240'} changed: ['cloud-init', 'grub-legacy-ec2', 'libhogweed4:amd64', 'libnettle6:amd64', 'libpam-systemd:amd64', 'libseccomp2:amd64', 'libsystemd0:amd64', 'libudev1:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-4.4.0-209-generic', 'linux-image-virtual', 'linux-virtual', 'systemd', 'systemd-sysv', 'udev'] new snaps: {} removed snaps: {} changed snaps: [] ==== cloud-init: 20.4.1-0ubuntu1~16.04.1 => 21.1-19-gbad84ad4-0ubuntu1~16.04.1 ==== ==== cloud-init grub-legacy-ec2 * d/cloud-init.postinst: Change output log permissions on upgrade (LP: #1918303) * d/cloud-init.manpages: include upstream manpages in package (LP: #1908548) * drop the following cherry-picks now included: + cpick-4f62ae8d-Fix-regression-with-handling-of-IMDS-ssh-keys-760 * refresh patches: + debian/patches/azure-apply-network-config-false.patch + debian/patches/openstack-no-network-config.patch * New upstream snapshot. (LP: #1920272) - .travis.yml: generate an SSH key before running tests (#848) - write passwords only to serial console, lock down cloud-init-output.log (#847) - Fix apt default integration test (#845) - integration_tests: bump pycloudlib dependency (#846) - commit f35181fa970453ba6c7c14575b12185533391b97 [eb3095] - archlinux: Fix broken locale logic (#841) [Kristian Klausen] - Integration test for #783 (#832) - integration_tests: mount more paths IN_PLACE (#838) - Fix requiring device-number on EC2 derivatives (#836) - Remove the vi comment from the part-handler example (#835) - net: exclude OVS internal interfaces in get_interfaces (#829) - tox.ini: pass OS_* environment variables to integration tests (#830) - integration_tests: add OpenStack as a platform (#804) - Add flexibility to IMDS api-version (#793) [Thomas Stringer] - Fix the TestApt tests using apt-key on Xenial and Hirsute (#823) [Paride Legovini] - doc: remove duplicate "it" from nocloud.rst (#825) [V.I. Wood] - archlinux: Use hostnamectl to set the transient hostname (#797) [Kristian Klausen] - cc_keys_to_console.py: Add documentation for recently added config key (#824) [dermotbradley] - Update cc_set_hostname documentation (#818) [Toshi Aoyama] - Release 21.1 (#820) - Azure: Support for VMs without ephemeral resource disks. (#800) [Johnson Shi] - cc_keys_to_console: add option to disable key emission (#811) [Michael Hudson-Doyle] - integration_tests: introduce lxd_use_exec mark (#802) - azure: case-insensitive UUID to avoid new IID during kernel upgrade (#798) - stale.yml: don't ask submitters to reopen PRs (#816) - integration_tests: fix use of SSH agent within tox (#815) - integration_tests: add UPGRADE CloudInitSource (#812) - integration_tests: use unique MAC addresses for tests (#813) - Update .gitignore (#814) - Port apt cloud_tests to integration tests (#808) - integration_tests: fix test_gh626 on LXD VMs (#809) - Fix attempting to decode binary data in test_seed_random_data test (#806) - Remove wait argument from tests with session_cloud calls (#805) - Datasource for UpCloud (#743) [Antti Myyr] - test_gh668: fix failure on LXD VMs (#801) - openstack: read the dynamic metadata group vendor_data2.json (#777) [Andrew Bogott] - includedir in suoders can be prefixed by "arroba" (#783) [Jordi Massaguer Pla] - Merge upstream/20.4.1 into master - [VMware] change default max wait time to 15s (#774) [xiaofengw-vmware] - Revert integration test associated with reverted #586 (#784) - Add jordimassaguerpla as contributor (#787) [Jordi Massaguer Pla] - Add Rick Harding to CLA signers (#792) [Rick Harding] - HACKING.rst: add clarifying note to LP CLA process section (#789) - Stop linting cloud_tests (#791) - cloud-tests: update cryptography requirement (#790) [Joshua Powers] - Remove 'remove-raise-on-failure' calls from integration_tests (#788) - Use more cloud defaults in integration tests (#757) - Adding self to cla signers (#776) [Andrew Bogott] - doc: avoid two warnings (#781) [Dan Kenigsberg] - Use proper spelling for Red Hat (#778) [Dan Kenigsberg] - Add antonyc to .github-cla-signers (#747) [Anton Chaporgin] - integration_tests: log image serial if available (#772) - Revert "ssh_util: handle non-default AuthorizedKeysFile config (#586)" (#775) - [VMware] Support cloudinit raw data feature (#691) [xiaofengw-vmware] - net: Fix static routes to host in eni renderer (#668) [Pavel Abalikhin] - .travis.yml: don't run cloud_tests in CI (#756) - test_upgrade: add some missing commas (#769) - cc_seed_random: update documentation and fix integration test (#771) - Fix test gh-632 test to only run on NoCloud (#770) - archlinux: fix package upgrade command handling (#768) [Bao Trinh] - integration_tests: add integration test for LP:1910835 (#761) - Fix regression with handling of IMDS ssh keys (#760) [Thomas Stringer] - integration_tests: log cloud-init version in SUT (#758) - Add ajmyyra as contributor (#742) [Antti Myyr] - net_convert: add some missing help text (#755) - Missing IPV6_AUTOCONF=no to render sysconfig dhcp6 stateful on RHEL (#753) [Eduardo Otubo] - doc: document missing IPv6 subnet types (#744) [Antti Myyr] - Add example configuration for datasource `AliYun` (#751) [Xiaoyu Zhong] - integration_tests: add SSH key selection settings (#754) - fix a typo in man page cloud-init.1 (#752) [Amy Chen] - network-config-format-v2.rst: add Netplan Passthrough section (#750) - stale: re-enable post holidays (#749) - integration_tests: port ca_certs tests from cloud_tests (#732) - Azure: Add telemetry for poll IMDS (#741) [Johnson Shi] - doc: move testing section from HACKING to its own doc (#739) - No longer allow integration test failures on travis (#738) - stale: fix error in definition (#740) - integration_tests: set log-cli-level to INFO by default (#737) - PULL_REQUEST_TEMPLATE.md: use backticks around commit message (#736) - stale: disable check for holiday break (#735) - integration_tests: log the path we collect logs into (#733) - .travis.yml: add (most) supported Python versions to CI (#734) - integration_tests: fix IN_PLACE CLOUD_INIT_SOURCE (#731) - cc_ca_certs: add RHEL support (#633) [cawamata] - Azure: only generate config for NICs with addresses (#709) [Thomas Stringer] - doc: fix CloudStack configuration example (#707) [Olivier Lemasle] - integration_tests: restrict test_lxd_bridge appropriately (#730) - Add integration tests for CLI functionality (#729) - Integration test for gh-626 (#728) - Some test_upgrade fixes (#726) - Ensure overriding test vars with env vars works for booleans (#727) - integration_tests: port lxd_bridge test from cloud_tests (#718) - Integration test for gh-632. (#725) - Integration test for gh-671 (#724) - integration-requirements.txt: bump pycloudlib commit (#723) - Drop unnecessary shebang from cmd/main.py (#722) [Eduardo Otubo] - Integration test for LP:1813396 and #669 (#719) - integration_tests: include timestamp in log output (#720) - integration_tests: add test for LP:1898997 (#713) - Add integration test for power_state_change module (#717) - Update documentation for network-config-format-v2 (#701) [ggiesen] - sandbox CA Cert tests to not require ca-certificates (#715) [Eduardo Otubo] - Add upgrade integration test (#693) - Integration test for 570 (#712) - Add ability to keep snapshotted images in integration tests (#711) - Integration test for pull #586 (#706) - integration_tests: introduce skipping of tests by OS (#702) - integration_tests: introduce IntegrationInstance.restart (#708) - Add lxd-vm to list of valid integration test platforms (#705) - Adding BOOTPROTO = dhcp to render sysconfig dhcp6 stateful on RHEL (#685) [Eduardo Otubo] - Delete image snapshots created for integration tests (#682) - Parametrize ssh_keys_provided integration test (#700) [lucasmoura] - Drop use_sudo attribute on IntegrationInstance (#694) [lucasmoura] - cc_apt_configure: add riscv64 as a ports arch (#687) [Dimitri John Ledkov] - cla: add xnox (#692) [Dimitri John Ledkov] - Collect logs from integration test runs (#675) ==== libseccomp: 2.4.3-1ubuntu3.16.04.3 => 2.5.1-1ubuntu1~16.04.1 ==== ==== libseccomp2:amd64 * Updated to new upstream 2.5.1 version for updated syscalls support (LP: #1891810) - Removed the following patches that are now included in the new version: + d/p/fix-aarch64-syscalls.patch + d/p/db-consolidate-some-of-the-code-which-adds-rules.patch + d/p/db-add-shadow-transactions.patch - Deleted the patch to add a local copy of architecture specific header files from linux-libc-dev/focal as this is not needed anymore + d/p/add-5.4-local-syscall-headers.patch - debian/control: Added gperf to Build-Depends as this is now required by upstream - debian/libseccomp2.symbols: Added new symbols * Add system call headers for powerpc required for backport to xenial - d/p/add-5.8-powerpc-syscall-headers.patch ==== linux-meta: 4.4.0.208.214 => 4.4.0.209.215 ==== ==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual * Bump ABI 4.4.0-209 ==== linux-signed: 4.4.0-208.240 => 4.4.0-209.241 ==== ==== linux-image-4.4.0-209-generic * Master version: 4.4.0-209.241 ==== nettle: 3.2-1ubuntu0.16.04.1 => 3.2-1ubuntu0.16.04.2 ==== ==== libhogweed4:amd64 libnettle6:amd64 * SECURITY UPDATE: Out of Bound memory access in signature verification - debian/patches/CVE-2021-20305-1.patch: new functions ecc_mod_mul_canonical and ecc_mod_sqr_canonical in curve25519-eh-to-x.c, curve448-eh-to-x.c, ecc-eh-to-a.c, ecc-internal.h, ecc-j-to-a.c, ecc-mod-arith.c, ecc-mul-m.c. - debian/patches/CVE-2021-20305-2.patch: use ecc_mod_mul_canonical for point comparison in eddsa-verify.c. - debian/patches/CVE-2021-20305-3.patch: fix bug in ecc_ecdsa_verify in ecc-ecdsa-verify.c, testsuite/ecdsa-sign-test.c. - debian/patches/CVE-2021-20305-4.patch: ensure ecdsa_sign output is canonically reduced in ecc-ecdsa-sign.c. - debian/patches/CVE-2021-20305-6.patch: similar fix for eddsa in eddsa-hash.c. - debian/libhogweed4.symbols: added new symbols. - CVE-2021-20305 ==== systemd: 229-4ubuntu21.29 => 229-4ubuntu21.31 ==== ==== libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd systemd-sysv udev * d/p/lp1878969-time-epoch-use-source-date-epoch.patch: - Fix configure.ac change to set time epoch (LP: #1878969) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=30bf11d2759499ec94d3b82eaf22f55583f4758b * d/p/lp1878969-time-epoch-use-source-date-epoch.patch: - Set time epoch using $SOURCE_DATE_EPOCH (LP: #1878969) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=9e1ad364d94b3619947c541b72aa506010ee3f38 * d/p/lp1913763-udev-rules-add-rule-to-create-dev-ptp_hyperv.patch: - Create symlink for hyperv-provided ptp device (LP: #1913763) https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ae39f8878ca5dabb4e9d8ba5ebdb6ed003993b9f -- [1] http://cloud-images.ubuntu.com/releases/xenial/release-20210416/ [2] http://cloud-images.ubuntu.com/releases/xenial/release-20210413/