A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI IDs. Users who wish to update their existing installations can do so with:

  'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

 * apport: 2.20.11-0ubuntu27.17 => 2.20.11-0ubuntu27.18
 * grub2: 2.04-1ubuntu26.11 => 2.04-1ubuntu26.12
 * grub2-signed: 1.167+2.04-1ubuntu44 => 1.167.2+2.04-1ubuntu44.2
 * grub2-unsigned: 2.04-1ubuntu44 => 2.04-1ubuntu44.2
 * initramfs-tools: 0.136ubuntu6.4 => 0.136ubuntu6.5
 * isc-dhcp: 4.4.1-2.1ubuntu5.20.04.1 => 4.4.1-2.1ubuntu5.20.04.2
 * libx11: 2:1.6.9-2ubuntu1.1 => 2:1.6.9-2ubuntu1.2
 * linux-meta: 5.4.0.73.76 => 5.4.0.74.77
 * linux-signed: 5.4.0-73.82 => 5.4.0-74.83
 * lz4: 1.9.2-2 => 1.9.2-2ubuntu0.20.04.1
 * netplan.io: 0.101-0ubuntu3~20.04.2 => 0.102-0ubuntu1~20.04.2
 * openssl: 1.1.1f-1ubuntu2.3 => 1.1.1f-1ubuntu2.4
 * pam: 1.3.1-5ubuntu4.1 => 1.3.1-5ubuntu4.2
 * policykit-1: 0.105-26ubuntu1 => 0.105-26ubuntu1.1
 * python3.8: 3.8.5-1~20.04.2 => 3.8.5-1~20.04.3
 * python3-stdlib-extensions: 3.8.5-1~20.04.1 => 3.8.10-0ubuntu1~20.04
 * python-apt: 2.0.0ubuntu0.20.04.4 => 2.0.0ubuntu0.20.04.5
 * software-properties: 0.98.9.4 => 0.98.9.5
 * sosreport: 4.1-1ubuntu0.20.04.1 => 4.1-1ubuntu0.20.04.2
 * ubuntu-advantage-tools: 20.3 => 27.0.2~20.04.1
 * ubuntu-release-upgrader: 1:20.04.32 => 1:20.04.33

The following is a complete changelog for this image.
new: {'linux-headers-5.4.0-74-generic': '5.4.0-74.83', 'linux-modules-5.4.0-74-generic': '5.4.0-74.83', 'distro-info': '0.23ubuntu1', 'linux-headers-5.4.0-74': '5.4.0-74.83'}
removed: {'linux-headers-5.4.0-73': '5.4.0-73.82', 'linux-headers-5.4.0-73-generic': '5.4.0-73.82', 'linux-modules-5.4.0-73-generic': '5.4.0-73.82'}
changed: ['apport', 'grub-common', 'grub-efi-amd64-bin', 'grub-efi-amd64-signed', 'grub-pc', 'grub-pc-bin', 'grub2-common', 'initramfs-tools', 'initramfs-tools-bin', 'initramfs-tools-core', 'isc-dhcp-client', 'isc-dhcp-common', 'liblz4-1:amd64', 'libnetplan0:amd64', 'libpam-modules-bin', 'libpam-modules:amd64', 'libpam-runtime', 'libpam0g:amd64', 'libpolkit-agent-1-0:amd64', 'libpolkit-gobject-1-0:amd64', 'libpython3.8-minimal:amd64', 'libpython3.8-stdlib:amd64', 'libpython3.8:amd64', 'libssl1.1:amd64', 'libx11-6:amd64', 'libx11-data', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.4.0-74-generic', 'linux-image-virtual', 'linux-virtual', 'lz4', 'netplan.io', 'openssl', 'policykit-1', 'python-apt-common', 'python3-apport', 'python3-apt', 'python3-distupgrade', 'python3-distutils', 'python3-gdbm:amd64', 'python3-lib2to3', 'python3-problem-report', 'python3-software-properties', 'python3.8', 'python3.8-minimal', 'software-properties-common', 'sosreport', 'ubuntu-advantage-tools', 'ubuntu-release-upgrader-core']
new snaps: {}
removed snaps: {}
changed snaps: ['core18', 'snapd']

==== apport: 2.20.11-0ubuntu27.17 => 2.20.11-0ubuntu27.18 ====
====     apport python3-apport python3-problem-report

  * SECURITY UPDATE: Multiple arbitrary file reads (LP: #1917904)
    - apport/hookutils.py: don't follow symlinks and make sure the file isn't a FIFO in read_file().
    - test/test_hookutils.py: added symlink tests.
    - CVE-2021-32547, CVE-2021-32548, CVE-2021-32549, CVE-2021-32550, CVE-2021-32551, CVE-2021-32552, CVE-2021-32553, CVE-2021-32554, CVE-2021-32555
  * SECURITY UPDATE: info disclosure via modified config files spoofing (LP: #1917904)
    - backends/packaging-apt-dpkg.py: properly terminate arguments in get_modified_conffiles.
    - CVE-2021-32556
  * SECURITY UPDATE: arbitrary file write (LP: #1917904)
    - data/whoopsie-upload-all: don't follow symlinks and make sure the file isn't a FIFO in process_report().
    - CVE-2021-32557

==== grub2: 2.04-1ubuntu26.11 => 2.04-1ubuntu26.12 ====
====     grub-common grub-pc grub-pc-bin grub2-common

  * Bump the version number in the replaces for grub-efi-* to account for newer packages in bionic from grub2-unsigned shipping the kernel hook conffiles. LP: #1928674.

==== grub2-signed: 1.167+2.04-1ubuntu44 => 1.167.2+2.04-1ubuntu44.2 ====
====     grub-efi-amd64-signed

==== grub2-unsigned: 2.04-1ubuntu44 => 2.04-1ubuntu44.2 ====
====     grub-efi-amd64-bin

  * No-change rebuild to ensure clean upgrade from bionic. LP: #1928674.

==== initramfs-tools: 0.136ubuntu6.4 => 0.136ubuntu6.5 ====
====     initramfs-tools initramfs-tools-bin initramfs-tools-core

  * scripts/local-premount/resume:
    - Use readlink -f to correctly handle non-symlink $resume (LP: #1876570)
  * hook-functions:
    - when MODULES=list there will be no 'kernel' dir, so don't try to find anything there, as it will log an error (LP: #1927779)
  * hooks/fsck:
    - don't check PASSNO, always include fsck (LP: #1917780)

==== isc-dhcp: 4.4.1-2.1ubuntu5.20.04.1 => 4.4.1-2.1ubuntu5.20.04.2 ====
====     isc-dhcp-client isc-dhcp-common

  * SECURITY UPDATE: DoS via incorrect option information parsing
    - debian/patches/CVE-2021-25217.patch: fix parsing in common/parse.c.
    - CVE-2021-25217

==== libx11: 2:1.6.9-2ubuntu1.1 => 2:1.6.9-2ubuntu1.2 ====
====     libx11-6:amd64 libx11-data

  * SECURITY UPDATE: extra X protocol requests via unchecked string lengths
    - debian/patches/CVE-2021-31535.patch: reject strings longer than USHRT_MAX before sending them on the wire in src/Font.c, src/FontInfo.c, src/FontNames.c, src/GetColor.c, src/LoadFont.c, src/LookupCol.c, src/ParseCol.c, src/QuExt.c, src/SetFPath.c, src/SetHints.c, src/StNColor.c, src/StName.c.
    - CVE-2021-31535

==== linux-meta: 5.4.0.73.76 => 5.4.0.74.77 ====
====     linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

  * Bump ABI 5.4.0-74
  * Packaging resync (LP: #1786013)
    - [Packaging] resync debian/dkms-versions from main package

==== linux-signed: 5.4.0-73.82 => 5.4.0-74.83 ====
====     linux-image-5.4.0-74-generic

  * Master version: 5.4.0-74.83

==== lz4: 1.9.2-2 => 1.9.2-2ubuntu0.20.04.1 ====
====     liblz4-1:amd64 lz4

  * SECURITY UPDATE: memory corruption due to an integer overflow bug
    - debian/patches/CVE-2021-3520.patch: check outputSize in lib/lz4.c.
    - CVE-2021-3520

==== netplan.io: 0.101-0ubuntu3~20.04.2 => 0.102-0ubuntu1~20.04.2 ====
====     libnetplan0:amd64 netplan.io

  * Backport netplan.io 0.102-0ubuntu1 to 20.04 (LP: #1919453)
    - Includes NetworkManager YAML backend API
    - Includes 'congestion-window' & 'advertised-receive-window' keys
    - Includes 'netplan set' improvements
  * Keep riscv64 build-time tests disabled
  * Add d/p/0002-tests-tunnels-improve-flaky-wireguard-test-with-wait.patch
  * Fix regression (LP: #1922898), by avoiding to break the ABI
    This reverts the "Added ttl option for tunnels" feature
  * New upstream release: 0.102 (LP: #1919453)
    - New API for NetworkManager YAML backend
    - Added congestion-window & advertised-receive-window options for routes
    - Added ttl option for tunnels (LP: #1846783)
    - Improved netplan set CLI to override existing files
    - Moved upstream repository to https://github.com/canonical/netplan/
    - Documentation improvements
    - Improved Github Actions CI and CodeQL integration
    - Minor cleanup/typos/test improvements
    Bug fixes:
    - systemd v247 compatibility (for changing MAC address)
    - OVS 2.15 compatibility (wording changes)
    - Allow networkmanager: backend options for modem devices
    - Prevent duplicate ARPIPTargets in NetDev files (LP: #1915837)
  * Drop all distro patches, which have been integrated upstream
  * Update symbols file
  * Enable pristine-tar in gbp
  * Allow running more tests in a container
  * d/changelog: Restore history, which was lost during previous merge
  * d/watch, d/copyright: Update Github URL
  * d/tests/control:
    - Mark ovs & cloud-init tests non-flaky
    - Mark tests with the "breaks-testbed" restriction
  * Fix DNS issues during tests on ppc64el (LP: #1916888):
    - d/p/0007-tests-keep-management-network-up-at-all-times-during.patch
    - d/p/0008-tests-integration-cleanup-OVS-WPA-files.patch
  * No change rebuild with fixed ownership.
  * Merge with Debian.
    Remaining changes:
    - Keep running dh_auto_test
    - Keep openvswitch dependency for all arches
    - 0003-tests-adopt-to-wording-changes-as-of-OVS-2.15.patch
    - 0004-tests-tunnels-improve-test-reliability.patch
    - 0005-tests-dbus-improve-test-stability-of-timeouts.patch
    - 0006-tests-integration-adopt-for-racy-systemd-MAC-assignm.patch
  * Build-depend on ovs on amd64 only due to a bug in its postinst. See #979366 for details.
  * Drop the custom build profile, nocheck is enough.
  * Mark the package linux-any.
  * Skip openvswitch-switch dependency on m68k and ppc64.
  * Reindent debian/control.
  * Add build profiles.
  * Add cloud tests but mark them as flaky and skip-not-installable for now.

  [ Andrej Shadura ]
  * New upstream release.
  * Merge changes from Ubuntu.
  * Let tests fail.
  * Remove the hack to fix build with GCC 10 (actually closes: #957603).

  [ Lukas Märdian ]
  * d/control: fix lintian warning about trailing whitespace
  * d/p/0001-Fix-changing-of-macaddress-with-systemd-v247-178.patch: Fix MAC address changes with systemd v247 by using a new approach inside systemd's .network file. It also works with older version of systemd.
  * Add d/p/0002-parse-fix-networkmanager-backend-options-for-modem-c.patch: Allows parsing of networkmanager: backend handlers for modem devices
  * Update symbols file

  [ Michael Biebl ]
  * Stop using deprecated systemd-resolve tool (Closes: #979266).
  * Add d/p/0004-tests-tunnels-improve-test-reliability.patch and d/p/0005-tests-dbus-improve-test-stability-of-timeouts.patch for improved compile-time test stability
  * Add d/p/0006-tests-integration-adopt-for-racy-systemd-MAC-assignm.patch for compatibility with new systemd

==== openssl: 1.1.1f-1ubuntu2.3 => 1.1.1f-1ubuntu2.4 ====
====     libssl1.1:amd64 openssl

  * Allow x509 certificates which set basicConstraints=CA:FALSE,pathlen:0 to validate, as it is common on self-signed leaf certificates.
    (LP: #1926254)
    - d/p/lp-1926254-1-Allow-certificates-with-Basic-Constraints-CA-fa.patch
    - d/p/lp-1926254-2-Set-X509_V_ERR_INVALID_EXTENSION-error-for-inva.patch
    - d/p/lp-1926254-3-Add-test-cases-for-the-non-CA-certificate-with-.patch

==== pam: 1.3.1-5ubuntu4.1 => 1.3.1-5ubuntu4.2 ====
====     libpam-modules-bin libpam-modules:amd64 libpam-runtime libpam0g:amd64

  * Backport pam_faillock module from pam 1.4.0 (LP: #1927796)
    - debian/patches-applied/add_pam_faillock.patch: add module.
    - debian/patches-applied/pam_faillock_create_directory: create dir before creating file in modules/pam_faillock/faillock.c.
    - debian/rules: set execute permissions on pam_faillock test.
    - debian/libpam-modules-bin.install: install faillock binary and man page.

==== policykit-1: 0.105-26ubuntu1 => 0.105-26ubuntu1.1 ====
====     libpolkit-agent-1-0:amd64 libpolkit-gobject-1-0:amd64 policykit-1

  * SECURITY UPDATE: local privilege escalation using polkit_system_bus_name_get_creds_sync()
    - debian/patches/CVE-2021-3560.patch: use proper return code in src/polkit/polkitsystembusname.c.
    - CVE-2021-3560

==== python-apt: 2.0.0ubuntu0.20.04.4 => 2.0.0ubuntu0.20.04.5 ====
====     python-apt-common python3-apt

  * debfile: Pass `Name` instead of `Binary` to ExtractTar. Passing the binary causes it to fail trying to find the `false` compressor when a binary for a given compressor is not installed. (LP: #1926437)
  * Update mirror lists

==== python3-stdlib-extensions: 3.8.5-1~20.04.1 => 3.8.10-0ubuntu1~20.04 ====
====     python3-distutils python3-gdbm:amd64 python3-lib2to3

  * SRU: LP: #1899159: Backport Python 3.9.5 to 20.04 LTS.
  * When building 3.10 for releases newer than Debian 11 (bullseye) or Ubuntu 21.04 (hirsute), build the _dbm extension using gdbm, and include it in the python3-gdbm package.
  * Relax dependency on python3-defaults.
  * Update 3.10 extensions and modules to the 3.9.10 beta1 snapshot.
  * Update 3.9 extensions and modules to the 3.9.5 release (no changes).
  * Update 3.8 extensions and modules to the 3.8.10 release (no changes).
  * python3-distutils, python3-lib2to3: Breaks the stdlib (<< 3.10.0~b1).
  * Refresh patches.
  * Update 3.10 extensions and modules to the 3.9.10 alpha7 snapshot.
  * Update 3.9 extensions and modules to the 3.9.4 release (no changes).
  * Update 3.8 extensions and modules to the 3.8.7 release (no changes).
  * Update 3.9 extensions and modules to the 3.9.2 release.
    IDLE changes:
    - bpo-23544: Disable Debug=>Stack Viewer when user code is running or Debugger is active, to prevent hang or crash.
    - bpo-43008: Make IDLE invoke :func:`sys.excepthook` in normal, 2-process mode.
    - bpo-33065: Fix problem debugging user classes with __repr__ method.
    - bpo-32631: Finish zzdummy example extension module: make menu entries work; add docstrings and tests with 100% coverage.
  * Fix removing old 3.8 files. Closes: #961274.
  * Update 3.9 extensions and modules to the 3.9.1 release.
  * Update 3.8 extensions and modules to the 3.8.7 release.
  * Stop building the extensions for 3.8. Closes: #976846.
  * python3-lib2to3, python3-distutils: Add the :any qualifier to the python3 dependencies. See: #964330.
  * Bump standards versions.
  * Update 3.8 extensions and modules to the 3.8.6 release.
  * Update 3.9 extensions and modules to the 3.9.0 release.
  * Update 3.8 extensions and modules to the 3.8.5 release.
  * Update 3.8 extensions and modules to the 3.8.4 release.
  * Update 3.8 extensions and modules to 3.8.4 release candidate 1.
  * Remove bytecode files for 3.7 on upgrade. Closes: #960653.
  * Bump debhelper version.
  * Stop building extensions for 3.7.
  * Update 3.8 extensions and modules to 3.8.3 release.
  * Update 3.7 extensions and modules to 3.7.6 release.
  * Update 3.8 extensions and modules to 3.8.2 release.
  * Remove version information from the python3-lib2to3 package description. Closes: #920867.
  * Package as 3.8.0 to override the package in experimental.
  * Update 3.7 extensions and modules to 3.7.5 release.
  * Update 3.8 extensions and modules to 3.8.0 release.
  * Update 3.7 extensions and modules to 3.7.5 release candidate 1.
  * Update 3.8 extensions and modules to 3.8.0 release candidate 1.
  * Bump standards version.
  * Don't encode the MACHDEP into the _sysconfigdata file name.
  * Tighten build dependency on python3.8.
  * Update 3.7 extensions and modules to the 3.7.4 release.
  * Silent some lintian warnings.
  * Bump standards version.
  * Update 3.7 extensions and modules to 3.7.4 release candidate 2.
  * Add 3.8 extensions and modules for 3.8.0~b2.
  * Refresh patches.
  * Update 3.7 extensions and modules to 3.7.3 (no changes).
  * Update 3.7 extensions and modules to 3.7.3 release candidate 1.
  * Clean up empty directories on upgrade. Closes: #918182.
  * Bump standards version.
  * Remove 3.6 bytecode files on upgrade. Closes: #918098.
  * Update 3.6 extensions and modules to 3.6.8.
  * Update 3.7 extensions and modules to 3.7.2.
  * Stop building extensions for python3.6.
  * Update 3.6 extensions and modules to 3.6.7.
  * Update 3.7 extensions and modules to 3.7.1.
  * Update 3.6 extensions and modules to 3.6.6.
  * Update 3.7 extensions and modules to 3.7.0.
  * Don't ship generated files. Closes: #901637.
  * Use the distutils package from the source for the build.
  * Update 3.6 extensions and modules to 3.6.6~rc1.
  * Update 3.7 extensions and modules to 3.7.0~rc1.
  * Avoid build dependencies on packages built from python3-defaults. Addresses: #900535.
  * Add Vcs attributes.
  * Update 3.7 extensions and modules to 3.7.0~b5.
  * Fix again the package removals (Simon McVittie). Closes: #894685.
  * Re-Add the 3.6.5~rc1-2 and 3.6.5~rc1-3 uploads. Closes: #894456.
  * Update 3.6 extensions to the 3.6.5 release.
  * Update 3.7 extensions and modules to 3.7.0~b3.
  * Bump the release string to satisfy dependencies. Closes: #894168.
  * python3-distutils: Don't ship distutils/{__init__,version}.py
  * Update 3.6 extensions to the 3.6.5 release candidate.
  * Update 3.7 extensions and modules to 3.7.0~b1.
  * Update to 20180212 from the 3.6 branch.
  * Update 3.7 extensions and modules to 3.7.0~b1.
  * Relax dependencies on python3.
  * Update extensions to the 3.6.4 release.
  * Build a python3-lib2to3 package.
  * python3-distutils: Depend on python3.6-2to3.
  * Loosen dependency on python3 version.
  * python3-tk: Don't ship the tkinter test files. Closes: #884414.
  * Re-upload, with binaries built.
  * Loosen the dependencies on the python3 version.
  * python3-tk: Ship the tkinter module in this package.
  * python3-distutils: Split out from the Python standard library.
  * Update extensions to the 3.6.4 release candidate.
  * Add extensions for 3.7.
  * Update extensions to the 3.6.3 release.
  * Drop extensions for 3.5. Closes: #880839.
  * Update extensions to the 3.5.4 release.
  * Update extensions to the 3.6.2 release.
  * Bump standards version.
  * Add extensions for 3.6.
  * Update extensions to the 3.5.3 release.
  * Remove 3.4 extensions.
  * Update extensions to the 3.5.1 release.
  * Update extensions to the current 3.4 and 3.5 branches.
  * Build extensions for Python 3.5.
  * Bump version to 3.4.3.
  * Bump version to 3.4.2 release.
  * Bump version to 3.4.2 release candidate 1.
  * Build for blt 2.5. Closes: #753929.
  * Require BLT version built for Tcl/Tk 8.6.
  * Bump version to 3.4.1.
  * Remove python 3.3 sources.
  * Bump version to 3.3.4.
  * Handle multiarch extension names. Closes: #735805.
  * Build for python3.4.
  * Bump version to 3.3.3.
  * Make the packages Multi-Arch: same. Replace the dependency on python3 with libpython3-stdlib.
  * Allow the package to cross-build.
  * Bump version to 3.3.2.
  * Bump version to 3.3.1.
  * Allow the package to cross-build.
  * Python 3.3.0 release.
  * Python 3.3.0 release candidate 1.
  * Python 3.3.0 alpha 2 release.
  * Python 3.2.3 release.
    - Remove uses of the C tolower()/toupper() which could break with a Turkish locale.
    - Improve _tkinter error message on unencodable character.
  * Bump standards version.
  * Remove Python 3.1 sources.
  * Fix FTBFS with multiarch locations.
  * Stop building for python3.1.
  * Python 3.2 release.
  * Build for Python 3.2.
  * Fix build failure with changed site directory.
  * Python 3.1.2 release.
  * Bump to 3.1.1, update from the 3.1 branch 20100117.
  * Build extensions for 3.1.
  * debian/rules (clean): Update for 3.x.
  * Build for python3.
  * Fix build dependencies.
  * Build extensions for 2.6.
  * Fix build failure, linking with the correct BLT library.
  * Bump the package version to 2.5.2.
  * python-tk-dbg: Depend on python-tk, python-gdbm-dbg: Depend on python-gdbm.
  * New upstream bugfix version.
  * Build separate python-tk-dbg and python-gdbm-dbg packages. LP: #154020.
  * Bump the package version to 2.5.1 (no code change).
  * Bump the package version to 2.5.
  * Set Ubuntu maintainer address.
  * python-*-dbg: Add dependency to the python-* package.
  * Build separate python-tk-dbg and python-gdbm-dbg packages.
  * Update modules to the 2.4.4 and 2.5 releases.
  * Update 2.5 extensions, taken from the 2.5c1 release.
  * Remove the conflicts with the python2.x versions; now the python2.x packages conflict with python-tk (<< 2.3.4-2). Closes: #380597.
  * Add 2.5 extensions, taken from the 2.5beta2 release.
  * Build the extensions for python2.5 as well. Closes: #380125.
  * Remove lib-tk from the package, moved to python2.x.
  * Do build the extensions for the supported Python versions only.
  * Build python-tk and python-gdbm from a separate source to include the extensions for all supported python versions into one binary package.
  * Initial release, split out from the python2.x packages.
    - 2.4 taken from the 2.4 branch (20060607).
    - 2.3 taken from the 2.3.5 release.

==== python3.8: 3.8.5-1~20.04.2 => 3.8.5-1~20.04.3 ====
====     libpython3.8-minimal:amd64 libpython3.8-stdlib:amd64 libpython3.8:amd64 python3.8 python3.8-minimal

  * SECURITY UPDATE: improper handling of octal strings in ipaddress
    - debian/patches/CVE-2021-29921.patch: no longer tolerate leading zeros in IPv4 addresses in Lib/ipaddress.py, Lib/test/test_ipaddress.py.
    - CVE-2021-29921

==== software-properties: 0.98.9.4 => 0.98.9.5 ====
====     python3-software-properties software-properties-common

  * cloudarchive: Enable support for the Xena Ubuntu Cloud Archive on 20.04 (LP: #1926796).

==== sosreport: 4.1-1ubuntu0.20.04.1 => 4.1-1ubuntu0.20.04.2 ====
====     sosreport

  * d/p/0003-ubuntu-policy-fix-upload.patch:
    - Fix sos archive upload to UA Canonical server (LP: #1923209)

==== ubuntu-advantage-tools: 20.3 => 27.0.2~20.04.1 ====
====     ubuntu-advantage-tools

  * Backport to Focal
  * d/control:
    - order build-depends alternatives newer first (LP: #1926949)
    - apt-hook: do not attempt to package go APT JSON hook on some architectures (GH: #1603) (LP: #1927886, LP: #1927795)
  * Bug-fix release 27.0.2: build failures on riscv64 and powerpc
    - apt-hook: refactor json hook messaging to be dry
    - tests: fix subp ls error case for powerpc builds
    - jenkinsfile: add --resolve-alternatives for trusty builds
    - amend changelog: add omitted apt-hook message for 27.0.1 stanza
  * Add .gitignore and cleanup ignored directory .pytest_cache
  * apt-hook: mitigate failures with true
  * New upstream release 27.0:
    - [redacted: actually landed in 27.0.1] apt-hook: mitigate failures with true
    - messages: add optional (s) to apt messaging to include singular/plural pkgs
    - apt-hook: avoid reporting and counting duplicate package names (GH: #1578)
    - fix: don't say reboot required when unnecessary (LP: #1926183)
    - test: uncomment additional xenial upgrade tests
  * New upstream beta3 release:
    - config: avoid tracebacks on invalid features value in uaclient.conf (GH: #1564)
    - apt-hook: new json hook for security update counts
    - Remove redundant messaging from uaclient
  * d/control:
    - add distro-info dependency
    - add new debianutils dependency
    - add optional dh-systemd | debhelper (>= 13.3) to fallback on hirsute and later when dh-systemd is not present
  * d/rules: enable and start ua-messaging.timer on package install
  * d/postinst:
    - configure esm on any LTS release avoid beta
      services
    - configure esm-infra when is_active_esm and apps on LTS
    - xenial enable unauthenticated apt source for apps/infra
  * New upstream release 27.0~beta:
    - apt-hook:
      + adapt hook to process separate message templates
      + esm-apps and esm-infra pkg counts not mutually-exclusive
      + print static messages on apt upgrade/dist-upgrade (GH: #1546)
    - config: create settings_overrides on config (GH: #1507)
    - docs: add entry for uploading new version to ppa
    - esm:
      + add pin never when disabling esm-infra/apps on xenial
      + enable infra when EOL LTS and apps on all LTS (GH: #1558)
    - fips: add notice when installing over old fips
    - fix:
      + add links to ubuntu.com/gcp/aws in messaging when on non-PRO
      + add notice to reboot operation on ua fix
      + do not prompt user for beta services (GH: #1544)
      + notify users if reboot is required (GH: #1476)
      + update how the expired token logic works
      + wrap output greater than 80 chars (GH: #1487)
    - lib: fix notice handling on reboot script
    - messages
      + provide static message files for use in APT and MOTD
      + update_ua_messages on attach/detach/disable
    - mypy: add lib/ dir for coverage
    - status: do not remove notices on non-root call (GH: #1518)
    - subp: separate % format strings when logging (GH: #1520)
    - systemd: add ua-messaging.timer to update ua MOTD and APT msgs
    - update-motd.d: add conditional hooks for motd to source ua messages
    - util: add is_lts and is_active_esm functions to support ESM
    - test
      + add integration tests asserting esm-apps setup due to postinst
      + manual test script for xenial upgrade
      + trusty and xenial infra and apps disabled in pkg install
    - behave: use unaltered cloud images unsetting UACLIENT_BEHAVE_PPA
    - jenkins: make lint and style stage run sequentially
  * d/*: prefix all the debhelper conf files with the package name
  * d/control:
    - add Rules-Requires-Root: no
    - bump Standards-Version to 4.5.1
    - make ubuntu-advantage-pro Architecture: all
  * d/lintian-overrides:
    - override maintainer-script-calls-service
    - package-supports-alternative-init-but-no-init.d-script
  * d/postinst: move the u-a-pro note to a config script
  * d/ubuntu-advantage-tools.templates: suggest the use of apt
  * New upstream release 27.0~beta:
    - apt: add retry for apt-helper command (GH: #1431)
    - cli: drop subcommand repeated help output, fix enable & refresh (GH: #1440)
    - config:
      + allow parsing yaml delivered from env values
      + environment variable support for feature overrides (GH: #1395)
      + create config to add extra params to security url
    - docs:
      + add ppas and fix typos
      + use Ubuntu Pro not Ubuntu PRO
      + add stop "." punctuation to messages (GH: #1320)
    - fips: fix FIPS message when disable operation fails
    - fix:
      + add basic UASecurityClient to which queries CVE and USNs
      + add security_url to config
      + check if service is enabled during ua fix (GH: #1462)
      + closer representation of cve and usn responses
      + filter usns by cve details (GH: #1470)
      + fix regex to be more permissive and strict
      + get_cve_affected_source_packages_status won't list not-affected (GH: #1467)
      + handle other package status when running ua fix (GH: #1435)
      + improve error message for ua fix (GH: #1420)
      + install pkg fixes when they are on standard pocket (GH: #1401)
      + move timeout and retries to security client only
      + only prompt for subscription attach for UA-related pkg updates
      + parse all related USNS to a given CVE when fixing
      + parse full API responses for related CVEs and USNs
      + prefer USN.release_packages binary pkg versions to CVE src ver (GH: #1436)
      + prompt for new ua token when expired one is used (GH: #1475)
      + prompt to emit pro suggestion on pro_clouds if unattached (GH: #1386)
      + prompt to enable service during ua fix (GH: #1455)
      + provide related CVE URLs instead of USNs (GH: #1456)
      + raise errors when source_link is null or unexpected format
      + show packages that were not fixed in the output
      + update output for released packages in ua fix (GH: #1438)
      + update message for invalid issue in ua fix (GH: #1433)
      + use pocket
        values from USNs (GH: #1439)
    - logs: emit error response on API errors and redact sensitive logs (GH: #1424)
    - serviceclient: add 10 second timeout and two retries to API calls (GH: #1374)
    - util:
      + add error prompts on invalid selection
      + add timeout to readurl
    - tests:
      + Add disable_auto_attach config to all test PRO vms
      + add merge_usn_released_binary_package_versions tests
      + add unittest coverage for override_usn_release_package_status
      + drop traceback checks on fips integration tests
      + refactor integration tests for ua fix cmd
      + run status wait before detach in PRO tests
      + use ssh to run commands on lxd containers
    - jenkins: archiveArtifacts can only reference paths within workspace
  * d/control: add new debianutils dependency
  * New upstream release 26.3
    - util: improve is_container check for chroot
    - cli: pass assume_yes param to services on detach (GH: #1530)
  * Drop dh-systemd build dependency.
  * status: show beta services in status if enabled (GH: #1410)
  * New upstream release 26.1
    - contract: block detach call to contract if machine-id change
    - docs: add readme docs about mastering clean golden images
    - fips: add reboot notices for fips operations (GH: #1368)
    - livepatch: add retry when running canonical-livepatch status (GH: #1360)
    - util: use lru_cache to avoid re-reading os-release and machine-id (GH: #1329)
    - tests:
      + add disable_auto_attach config to all test PRO vms
      + add more log artifacts during failed integration test
      + check cloudinit status after launching image
      + mock leaking livepatch.application_status for fips test
      + retry package installs on apt exit 100
    - jenkins: parameterize build stages to avoid parallel job collision
  * auto-attach: fix comparing numeric iid
  * New upstream release 26.0:
    - auto-attach: systemd unit to run before ua-reboot-cmds.service
    - config: remove_notice should remove notices.json when empty
    - fips:
      + add notice if running a deactivated FIPS kernel (GH: #1348)
      + block enabling FIPS on clouds using Xenial
      + block
        enabling fips on GCP instances
      + check /proc/sys/crypto/fips_enable to see if fips is enabled
      + override fips metapackage when on bionic cloud
      + update metapackage override logic on fips
    - notices: clear lock file and notice when encountering any exception (GH: #1326)
    - reboot_cmds: retry on lock held errors due to pro auto-attach
    - services: allow uaclient to disable services during enable
    - status: include beta services in json formatted output with --all (GH: #1341)
    - tests:
      + add FIPS tests to AWS and Azure bionic images
      + add GCP pro test for focal machine
      + add after_step collection of artifacts on failure
      + remove proc file check after disabling fips
      + pro: block auto-attach with cloud-config bootcmd
      + add validation of systemd unit ua-reboot-cmds.service
      + test enabling fips-updates when fips is enabled
    - jenkins:
      - add deb build stage to assert package builds
      - use series-specific sbuild --build-dir avoid races
      - use --append-to-version for each sbuild run to avoid races
      - presume success when no integration artifacts created
  * d/rules:
    - add --with systemd to allow reboot init script
    - do not remove lib/systemd/system folder
  * d/postinst:
    - create marker file when reboot script need to run:
      - enable livepatch across trusty to xenial upgrade
      - update fips on existing fips pro machines
  * New upstream release 26.0~beta:
    - gcp: add Google Cloud Platform support (GH #1269)
    - fips:
      + remove is_beta from fips services
      + fips pro: add upgrade support to require reboot to unmark held fips pkgs
      + update origin UbuntuFIPSUpdates
    - status:
      + add notice to tabular output
      + held locks emit notice about Operation in progress
    - cli: help sort output so trusty ordering matches xenial++
    - cis: rename service from cis-audit
    - config: provide config notices and add_notice and remove_notice methods
    - contract: add resource-machine-access route and datapath
    - init: add init script to run commands on reboot
    - keys: add ubuntu-advantage-cis keyring
    - livepatch: make livepatch
      react to enableByDefault delta
    - log: log when we install pkgs because of contract delta
    - make: drop six testdeps target
    - pro: do not install pro debs on non-pro instances
    - services: Update beta info for services (GH #1220)
    - tools: add tox-lxd-runner, that execute the test command in a shell
    - tools: refresh-keyrings handles cis keys. drop series-specific keys
    - tests:
      + add GCE support for integration tests
      + add cis integration tests for unattached and pro
      + add pytest constraint for mypy tests
      + add unittests for reboot_cmds script
      + fix esm package messages for new update notifier version
      + pin importlib-metadata for mypy tests
      + repo tests for request_resource_machine_access
      + unit tests for config cache clearing and machine-access data
    - jenkins:
      + add basic Jenkinsfile for CI runs per PR
      + add jenkins parseable test results
      + add lxc cleanup stage on Jenkinsfile
  * Release version 25.0
  * New upstream release 25.0~beta3:
    - upgrade-lts-conract: noop during do-release-upgrade on unattached (GH: #1255)
    - ua-auto-attach: order systemd unit before cloud-config.service
    - Update FIPSUpdates pin origin
    - fips: unmark held fips packages for ubuntu pro fips image support (GH: #1109)
    - repo: handle changes to additionalPackages contract deltas
    - repo: move package installation to install_packages method
    - pro: trigger auto-attach as soon as instance-data.json is available (GH: #1234)
    - Conditionally install packages when enabling FIPS
    - fips: allow disable (GH: #1168)
    - cli: add trailing newline to argparse errors (GH: #1236)
    - Install fips metapacking when enabling service
    - integration test improvements:
      + upgrade-test: fix upgrade path restart failures on trusty (GH: #1257)
      + Fix integration test setup scripts (GH: #1253)
      + strict checking for command success on behave
      + Update tests to use new pycloudlib LXD abstraction
      + Add upgrade scenario tests when FIPS is enabled
      + Improve FIPS tests for checking packages
      + Update esm-infra xenial lxd test
      + Fix vm tests as
        esm-apps is beta service
      + Fix azure generic integration testing
      + Update esm-apps check on staging_commands tests
      + Install pycloudlib for azure jobs only
      + Fix shell condition in run_azure_travis_integration_tests.sh
      + Update azure jobs on travis
      + Update travis url in README
      + Update travis scripts to use ppa only on master
      + Fix cron event type check on travis yaml
  * New upstream release 25.0~beta2:
    - help: update esm-infra help text (GH: #1212)
    - apt-hook: update apt cli messaging for UA Infra: ESM and UA Apps: ESM product names
    - help: update fips help docs (GH: #1213)
    - help: revert CIS help doc URL (GH: #1211)
    - help: add new fips help URLs to CLI help docs (GH: #1210)
    - Show error when enabling service with invalid repo [Lucas Moura] (GH: #954)
    - Update beta info for services (#1220) [Lucas Moura] (GH: #1216)
    - Do not enable fips when fips-updates is active [Lucas Moura] (GH: #1209)
    - Add vm test commands in tox.ini (#1204) [Lucas Moura]
  * Beta bug fix release
    - status: fix missing description_override key after upgrade from trusty (GH: #1201)
    - During contract delta processing use _check_application_status_on_cache instead of live service status
  * d/control:
    - add po-debconf dependency and fix lintian not-using-po-debconf and untranslatable-debconf-templates
    - add ${misc:Depends} dep to ubuntu-advantage-pro to fix lintian debhelper-but-no-misc-depends (GH: #1024)
  * d/rules:
    - drop --with systemd fix build-depends-on-obsolete-package
    - set fix lintian warning extra:Depends even if empty
  * d/postrm
    - Add more gpg keys to be deleted in postrm for Xenial+ support
  * d/postinst:
    - do not unconfigure non-trusty esm.
no series in apt filenames (GH: #1170) - check if esm is already enabled (GH: #1095) * New upstream release 25.0: - Do not uninstall additionalPackages or livepatch when disabling services - check for issubclass on clean_apt_files - Add do-release-upgrade support for esm-infra and apps suites (GH: #1169) - Apply contract deltas during do-release-upgrade operations - cli: add ua help command - cli: status add blocking --wait param and lock files for config change - Fix livepatch behaviour on aws pro focal machine - travis: drop inapplicable workspaces from specific awsgeneric release jobs - Add possible reboot text after enabling/disabling services - apt-hook: package apt-hook and apt configuration files on all releases (GH: #1150) - Fix enable fail bug - Add uaclient.conf override mechanism for auto-attach, beta services and machine-token - Support ESM Apps [Brian Murray] (GH: #930) - Do not enable services if blocking services is active (GH: #1029) - contract: handle 401 on invalid token, 403 on expired (GH: #1335) - Hide beta services from default status output and enable/disable operations (GH: #1079) (GH: #1091) - fips: force apt noninteractive prompts during package installs (GH: #1084) - tests: add unit tests for aws-gov/aws-china cloud detection - Add AWS China and GovCloud partitions [Robert Jennings] - Disable beta services to be show/enabled without flag - Add missing build_pr command to environment - Use additionalPackages from service payload - Add integration testing for Travis runs [patriciadomin] (GH: #856) (GH: #857) (GH: #853) * New bug-fix-only release 24.4: - uaclient.version bump to 24.4 - fips: honor additionalPackage directive from contract for bionic (GH #1173) * New bug-fix-only release 24.3: - uaclient.version bump to 24.3 - fips: add conditional reboot message only if /var/run/reboot-required is present - fips: add apt repo key for FIPS and FIPS updates (GH #1026) * New bug-fix-only release 24.2: - uaclient.version bump to 24.2 - pro: Add 
AWS China and GovCloud partitions support (GH #1077) * New bug-fix-only release 24.1: - livepatch: run snap wait system snap.seeded before trying to install (GH: #1049) - version: return debian/changelog version when git describe fails to match upstream . tags for git-ubuntu workflow (GH: #1058) * bump version to 24.0 for new versioninig scheme ==== ubuntu-release-upgrader: 1:20.04.32 => 1:20.04.33 ==== ==== python3-distupgrade ubuntu-release-upgrader-core * DistUpgrade/DistUpgradeController.py: restore sources.list where possible if a KeyboardInterrupt event is received and redirect the output of gnome-session-inhibit to devnull so a message regarding Ctrl-C is not displayed. (LP: #1898026) * DistUpgrade/DistUpgradeQuirks.py: Restore code which ensured the python package was maked for removal. (LP: #1928397) * Update mirrors and translations. -- [1] http://cloud-images.ubuntu.com/releases/focal/release-20210603/ [2] http://cloud-images.ubuntu.com/releases/focal/release-20210510/