A new release of the Ubuntu Cloud Images for stable Ubuntu release 22.04 (Jammy Jellyfish) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'. The following packages have been updated. Please see the full changelogs for a complete listing of changes: * apport: 2.20.11-0ubuntu82 => 2.20.11-0ubuntu82.1 * bind9: 1:9.18.1-1ubuntu1 => 1:9.18.1-1ubuntu1.1 * curl: 7.81.0-1ubuntu1.1 => 7.81.0-1ubuntu1.2 * dpkg: 1.21.1ubuntu2 => 1.21.1ubuntu2.1 * json-c: 0.15-2build4 => 0.15-3~ubuntu1.22.04.1 * libusb-1.0: 2:1.0.25-1ubuntu1 => 2:1.0.25-1ubuntu2 * libxml2: 2.9.13+dfsg-1build1 => 2.9.13+dfsg-1ubuntu0.1 * linux-meta: 5.15.0.27.30 => 5.15.0.33.36 * linux-signed: 5.15.0-27.28 => 5.15.0-33.34 * logrotate: 3.19.0-1ubuntu1 => 3.19.0-1ubuntu1.1 * needrestart: 3.5-5ubuntu2 => 3.5-5ubuntu2.1 * openldap: 2.5.11+dfsg-1~exp1ubuntu3 => 2.5.11+dfsg-1~exp1ubuntu3.1 * openssl: 3.0.2-0ubuntu1.1 => 3.0.2-0ubuntu1.2 * pcre3: 2:8.39-13build5 => 2:8.39-13ubuntu0.22.04.1 * software-properties: 0.99.22 => 0.99.22.1 The following is a complete changelog for this image. new: {'linux-modules-5.15.0-33-generic': '5.15.0-33.34', 'linux-headers-5.15.0-33': '5.15.0-33.34', 'linux-headers-5.15.0-33-generic': '5.15.0-33.34'} removed: {'linux-headers-5.15.0-27-generic': '5.15.0-27.28', 'linux-headers-5.15.0-27': '5.15.0-27.28', 'linux-modules-5.15.0-27-generic': '5.15.0-27.28'} changed: ['apport', 'bind9-dnsutils', 'bind9-host', 'bind9-libs:amd64', 'curl', 'dpkg', 'libcurl3-gnutls:amd64', 'libcurl4:amd64', 'libjson-c5:amd64', 'libldap-2.5-0:amd64', 'libldap-common', 'libpcre3:amd64', 'libssl3:amd64', 'libusb-1.0-0:amd64', 'libxml2:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.15.0-33-generic', 'linux-image-virtual', 'linux-virtual', 'logrotate', 'needrestart', 'openssl', 'python3-apport', 'python3-problem-report', 'python3-software-properties', 'software-properties-common'] new snaps: {} removed snaps: {} changed snaps: ['core20', 'snapd'] ==== apport: 2.20.11-0ubuntu82 => 2.20.11-0ubuntu82.1 ==== ==== apport python3-apport python3-problem-report * SECURITY UPDATE: Fix multiple security issues - data/apport: Fix too many arguments for error_log(). - data/apport: Use proper argument variable name executable_path. - etc/init.d/apport: Set core_pipe_limit to a non-zero value to make sure the kernel waits for apport to finish before removing the /proc information. - apport/fileutils.py, data/apport: Search for executable name if one wan't provided such as when being called in a container. - data/apport: Limit memory and duration of gdbus call. (CVE-2022-28654, CVE-2022-28656) - data/apport, apport/fileutils.py, test/test_fileutils.py: Validate D-Bus socket location. (CVE-2022-28655) - apport/fileutils.py, test/test_fileutils.py: Turn off interpolation in get_config() to prevent DoS attacks. (CVE-2022-28652) - Refactor duplicate code into search_map() function. - Switch from chroot to container to validating socket owner. (CVE-2022-1242, CVE-2022-28657) - data/apport: Clarify error message. - apport/fileutils.py: Fix typo in comment. - apport/fileutils.py: Do not call str in loop. - data/apport, etc/init.d/apport: Switch to using non-positional arguments. Get real UID and GID from the kernel and make sure they match the process. Also fix executable name space handling in argument parsing. (CVE-2022-28658, CVE-2021-3899) ==== bind9: 1:9.18.1-1ubuntu1 => 1:9.18.1-1ubuntu1.1 ==== ==== bind9-dnsutils bind9-host bind9-libs:amd64 * SECURITY UPDATE: Destroying a TLS session early causes assertion failure - debian/patches/CVE-2022-1183.patch: fix destroying logic in lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/tlsstream.c. - CVE-2022-1183 ==== curl: 7.81.0-1ubuntu1.1 => 7.81.0-1ubuntu1.2 ==== ==== curl libcurl3-gnutls:amd64 libcurl4:amd64 * SECURITY UPDATE: percent-encoded path separator in URL host - debian/patches/CVE-2022-27780.patch: reject percent-decoding host name into separator bytes in lib/urlapi.c. - CVE-2022-27780 * SECURITY UPDATE: CERTINFO never-ending busy-loop - debian/patches/CVE-2022-27781.patch: return error if seemingly stuck in a cert loop in lib/vtls/nss.c. - CVE-2022-27781 * SECURITY UPDATE: TLS and SSH connection too eager reuse - debian/patches/CVE-2022-27782.patch: check more TLS details for connection reuse in lib/setopt.c, lib/url.c, lib/urldata.h, lib/vtls/gtls.c, lib/vtls/openssl.c, lib/vtls/nss.c, lib/vtls/vtls.c, lib/vssh/ssh.h. - CVE-2022-27782 ==== dpkg: 1.21.1ubuntu2 => 1.21.1ubuntu2.1 ==== ==== dpkg * SECURITY UPDATE: Directory traversal issue in dpkg-source - scripts/Dpkg/Source/Archive.pm, scripts/t/Dpkg_Source_Archive.t: Prevent directory traversal for in-place extracts. - CVE-2022-1664 ==== json-c: 0.15-2build4 => 0.15-3~ubuntu1.22.04.1 ==== ==== libjson-c5:amd64 * SRU to Ubuntu 22.04.1 (LP: #1973270) * Mark dev package as M-A: same (Closes: #1009805) - thanks Tomeu Vizoso for the hint. [Debian Janitor] * Set upstream metadata fields: Bug-Database, Repository, Repository-Browse. [Nicolas Mora] * d/patches make build reproductible (Closes: #966657) * d/control: Update standards version to 4.5.1 (no change) * New upstream release (Closes: #966366) * Update symbols file with versioned references (Closes: #963932) * Disable patch 608.patch, now applied upstream * d/rules: generate doxgen files with new config file doc/Doxyfile * debian/patches/0002-doxygen.patch - Set doxygen option FULL_PATH_NAMES to NO [Gianfranco Costamagna] * Fix documentation generation (Closes: #962013) * debian/patches/608.patch: - Add patch to fix CVE-2020-12762 (Closes: #960326) [Nicolas Mora] * New upstream release 0.14. * Upload to unstable * New maintainer (Closes: #844452) * d/control: Rules-Requires-Root: no * Add d/gbp.conf * debian/patches/0002-doxygen.patch - Remove remote images in doxygen generated files * Update symbols file * Add autpkgtests * Clean lintian-overrides * debian/patches/0003-config-h.patch - Remove macro PACKAGE_NAME * QA upload * Fix documentation generation (Closes: #962013) [ Leonidas S. Barbosa ] * SECURITY UPDATE: Integer overflows - debian/patches/CVE-2020-12762-*.patch: fix a series of integer overflows adding checks in linkhash.c, printbuf.c, test4.c test4.expected. - CVE-2020-12762 [ Gianfranco Costamagna ] * QA upload * Import Ubuntu patch (Closes: #960326) * QA upload. * Rebuild for Ubuntu 20.04 LTS. * debian/control: Bump Standards-Version to 4.5.0. [ Debian Janitor ] * Set upstream metadata fields: Bug-Submit, Repository. * QA upload. * debian/libjson-c4-dev.links: Fix broken so symlink and make everything unified under /usr/lib. (Closes: #941059) * QA upload. * debian/libjson-c4.install, debian/libjson-c4-udeb.install: Install library files into /usr/lib/ instead of /lib/ to ease future usrmerge transition. * debian/rules: Use /usr/share/dpkg/architecture.mk instead of manually querying DEB_HOST_MULTIARCH. [ Gergely Nagy ] * Do not enable valgrind, fails on mips* and is unavailable on most archs Closes: #686076 * QA upload [ Ondej Nov ] * d/copyright: Use https protocol in Format field [ Boyuan Yang ] * debian/dch.conf: Use new-style [dch] section instead of [git-dch]. * debian/control: Mark libjson-c-doc as M-A: foreign. [ Gianfranco Costamagna ] * Upload to unstable * Add doxygen to build-deps * Recreate doxygen documentation during build - closes: #860871, #722690 - documentation was already there, so the bugs are fixed since some time but recreate the documentation with the doxygen in Debian is preferred. * Close old bugs (Closes: #687269, Closes: #780078) * Move to compat level 12 * bump std-version to 4.4.0, no changes required * Recreate doxygen documentation * Drop old dh_strip migration override * Minor fix to copyright file, because lintian can't find the files * Drop patch and hack rules file to do the same, now html documentation is regenerated during build * Enable valgrind tests, they don't fail anymore (Closes: #686076) * QA upload. * Update debian/copyright Thanks to Gianfranco Costamagna for the catch. * QA upload. * Orphan the package (Closes: 844452) * New upstream version (2018-03-05) - Remove obsolete patches - Bump library SONAME & update symbols file * debian/copyright - Use the more precise Expat License tag, rather than MIT - Drop files that were removed * debian/control: Declare compliance with policy v4.1.4 - Use secure protocol for Vcs-Git URI - Replace Priority: extra with optional * Switch to debhelper compat level 11 - Drop autoreconf and autotools-dev dh tools - Drop dependency on dh-autoreconf * Update debian/watch * debian/rules: Enable build-time hardening * Repackage to remove a compiled version of jquery.js * Lintian overrides + Relocate to debian/source/lintian-overrides + Add a Lintian override for doc/html/menu.js. It is the original source despite containing an oversize line. + Remove unused Lintian overrides * Patch-out remote images in documentation * Non-maintainer upload. * Add libjson-c3-udeb package for debian installer. Required as dependency for libcryptsetup12-udeb. (Closes: #880526) * Non-maintainer upload. * Fix build failure with GCC 7 (Hilko Bengen). Closes: #853462. * Non-maintainer upload. * debian/control: Fix Vcs-Browser URL * debian/libjson-c-dev.links: Fix library symlinks to not collide between /lib/ and /usr/lib/ (Closes: #843145, LP: #1629552) * Imported Upstream version 0.12.1 * Rebase patches on top of 0.12.1 release * Workaround the unused variables in tests * Fix the .so links in the -dev package (Closes: #821768) * Upload to unstable * wrap-and-sort -a debian/ directory [ Andreas Beckmann ] * libjson-c-dev: Ship /usr/lib//libjson-c.so.2 symlink that would otherwise become a dangling link (initially created by ldconfig) after package removal. (Closes: #792177) [ Ondej Sur ] * New upstream version 0.12 + [CVE-2013-6371]: hash collision denial of service + [CVE-2013-6370]: buffer overflow if size_t is larger than int * Remove all upstream-merged patches * Add patch to fix variable set but not used [-Werror=unused-but-set-variable] * Update libjson-c2 symbols file + The new upstream release misses two symbols, upload to experimental first if it poses any real problem or not. * Migrate to automatic dbgsym * Add autotools-dev dh addon * Bump standards to 3.9.7 (no change) * Bump SOVERSION as interfaces has been removed from 0.12 release * Library transition from libjson-c2 to libjson-c3 as interfaces has been removed * Add upstream patch to fix two security vulnerabilities (Closes: #744008) + [CVE-2013-6371]: hash collision denial of service + [CVE-2013-6370]: buffer overflow if size_t is larger than int * Repository is not at anonscam.debian.org :) * Merge git changes from 0.11 and not-yet-merged pull request #94 needed for new php5-json * Fix compat symlinks in libjson0 and libjson0-dev * Imported Upstream version 0.11 * Transition from libjson to libjson-c reflecting upstream library name change * Add very thin symlink-based compatibility layer from libjson.so.0 to libjson-c.so.2 * Remove debian/patches/fix-format-string-in-test.patch; merged upstream * Move documentation to SONAME agnostic package libjson-c-doc * Rename dbg symbols package to libjson-c2-dbg * Update watch file (Closes: #693518) * Update homepage location (Closes: #704918) * Medium-urgency upload for RC bugfix. * Non-maintainer upload, with approval of the maintainer. * Install libjson to /lib instead of /usr/lib, since upstart 1.6 needs it. Closes: #695566. * Non-maintainer upload. * Include the missing json_object_iterator.h header in libjson0-dev. (Closes: #685714) * New upstream release (Closes: #684058) * Change watch file to target on github json-c repository. * Add patch fixing compilation warning in tests/test_printbuf.c. * Update to standards-version 3.9.3.0. * Update copyright information. * Non-maintainer upload * Build for multiarch, closes: #637621 (Patch from Steve Langasek) * Initial release (Closes: #557788) ==== libusb-1.0: 2:1.0.25-1ubuntu1 => 2:1.0.25-1ubuntu2 ==== ==== libusb-1.0-0:amd64 * debian/patches/git_backward_compat.patch: revert a behaviour change in libusb 1.0.25 which triggers issues when the API is misused, fix ink segfaulting (lp: #1973091) ==== libxml2: 2.9.13+dfsg-1build1 => 2.9.13+dfsg-1ubuntu0.1 ==== ==== libxml2:amd64 * SECURITY UPDATE: Integer overflows - debian/patches/CVE-2022-29824.patch: Fix integer overflows in xmlBuf and xmlBuffer in tree.c, buf.c. - CVE-2022-29824 ==== linux-meta: 5.15.0.27.30 => 5.15.0.33.36 ==== ==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual * Bump ABI 5.15.0-33 * Bump ABI 5.15.0-32 * Bump ABI 5.15.0-31 * Bump ABI 5.15.0-30 * Bump ABI 5.15.0-29 * Bump ABI 5.15.0-28 * Packaging resync (LP: #1786013) - [Packaging] resync debian/dkms-versions from main package ==== linux-signed: 5.15.0-27.28 => 5.15.0-33.34 ==== ==== linux-image-5.15.0-33-generic * Master version: 5.15.0-33.34 * Master version: 5.15.0-32.33 * Master version: 5.15.0-31.32 * Master version: 5.15.0-30.31 * Master version: 5.15.0-29.30 * Master version: 5.15.0-28.29 ==== logrotate: 3.19.0-1ubuntu1 => 3.19.0-1ubuntu1.1 ==== ==== logrotate * SECURITY UPDATE: DoS via insecure permissions on state file - debian/patches/ubuntu/CVE-2022-1348-1.patch: skip locking if state file is world-readable in logrotate.c, logrotate.spec.in, test/Makefile.am, test/test-0087.sh, test/test-0092.sh, test/test-config.92.in. - debian/patches/ubuntu/CVE-2022-1348-2.patch: drop permissions on state file when ACLs are enabled in logrotate.c, test/test-0048.sh. - CVE-2022-1348 ==== needrestart: 3.5-5ubuntu2 => 3.5-5ubuntu2.1 ==== ==== needrestart * SECURITY UPDATE: arbitrary code exec via unanchored regexes - debian/patches/CVE-2022-30688.patch: improve regexes in perl/lib/NeedRestart/Interp/Perl.pm, perl/lib/NeedRestart/Interp/Python.pm, perl/lib/NeedRestart/Interp/Ruby.pm. - CVE-2022-30688 ==== openldap: 2.5.11+dfsg-1~exp1ubuntu3 => 2.5.11+dfsg-1~exp1ubuntu3.1 ==== ==== libldap-2.5-0:amd64 libldap-common * SECURITY UPDATE: SQL injection in experimental back-sql backend - debian/patches/CVE-2022-29155.patch: escape filter values in servers/slapd/back-sql/search.c. - CVE-2022-29155 ==== openssl: 3.0.2-0ubuntu1.1 => 3.0.2-0ubuntu1.2 ==== ==== libssl3:amd64 openssl * d/p/lp1968997/*: cherry-pick a patchset to fix issues with the Turkish locale (LP: #1968997) ==== pcre3: 2:8.39-13build5 => 2:8.39-13ubuntu0.22.04.1 ==== ==== libpcre3:amd64 * SECURITY UPDATE: buffer over-read in JIT - debian/patches/CVE-2019-20838.patch: check if type is not extended Unicode parameter or Unicode new line in pcre_jit_compile.c. - CVE-2019-20838 ==== software-properties: 0.99.22 => 0.99.22.1 ==== ==== python3-software-properties software-properties-common * cloudarchive: Enable support for the Zed Ubuntu Cloud Archive on 22.04 (LP: #1970244). -- [1] http://cloud-images.ubuntu.com/releases/jammy/release-20220531/ [2] http://cloud-images.ubuntu.com/releases/jammy/release-20220506/