A new release of the Ubuntu Cloud Images for stable Ubuntu release 16.04 LTS (Xenial Xerus) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'. The following packages have been updated. Please see the full changelogs for a complete listing of changes: * dnsmasq: 2.75-1ubuntu0.16.04.7 => 2.75-1ubuntu0.16.04.8 * git: 1:2.7.4-0ubuntu1.9 => 1:2.7.4-0ubuntu1.10 * glib2.0: 2.48.2-0ubuntu4.6 => 2.48.2-0ubuntu4.8 * linux-meta: 4.4.0.203.209 => 4.4.0.204.210 * linux-signed: 4.4.0-203.235 => 4.4.0-204.236 * python3.5: 3.5.2-2ubuntu0~16.04.12 => 3.5.2-2ubuntu0~16.04.13 * screen: 4.3.1-2build1 => 4.3.1-2ubuntu0.1 The following is a complete changelog for this image. new: {'linux-modules-4.4.0-204-generic': '4.4.0-204.236', 'linux-headers-4.4.0-204-generic': '4.4.0-204.236', 'linux-headers-4.4.0-204': '4.4.0-204.236'} removed: {'linux-headers-4.4.0-203': '4.4.0-203.235', 'linux-modules-4.4.0-203-generic': '4.4.0-203.235', 'linux-headers-4.4.0-203-generic': '4.4.0-203.235'} changed: ['dnsmasq-base', 'git', 'git-man', 'libglib2.0-0:amd64', 'libglib2.0-data', 'libpython3.5-minimal:amd64', 'libpython3.5-stdlib:amd64', 'libpython3.5:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-4.4.0-204-generic', 'linux-image-virtual', 'linux-virtual', 'python3.5', 'python3.5-minimal', 'screen'] new snaps: {} removed snaps: {} changed snaps: [] ==== dnsmasq: 2.75-1ubuntu0.16.04.7 => 2.75-1ubuntu0.16.04.8 ==== ==== dnsmasq-base * SECURITY REGRESSION: issue with multiple queries (LP: #1916462) - backport multiple upstream commits to fix regressions + 04490bf622ac84891aad6f2dd2edf83725decdee + 12af2b171de0d678d98583e2190789e544440e02 + 3f535da79e7a42104543ef5c7b5fa2bed819a78b + 141a26f979b4bc959d8e866a295e24f8cf456920 + 305cb79c5754d5554729b18a2c06fe7ce699687a ==== git: 1:2.7.4-0ubuntu1.9 => 1:2.7.4-0ubuntu1.10 ==== ==== git git-man * SECURITY UPDATE: remote code exec during clone on case-insensitive FS - debian/patches/CVE-2021-21300.patch: fix bug that makes checkout follow symlinks in leading path in cache.h, compat/mingw.c, git-compat-util.h, run-command.c, symlinks.c, t/t0021-conversion.sh, t/t2006-checkout-index-basic.sh, unpack-trees.c. - CVE-2021-21300 ==== glib2.0: 2.48.2-0ubuntu4.6 => 2.48.2-0ubuntu4.8 ==== ==== libglib2.0-0:amd64 libglib2.0-data * SECURITY UPDATE: incorrect g_file_replace() symlink handling - debian/patches/CVE-2021-28153-pre1.patch: allow g_test_bug() to be used without g_test_bug_base() in /glib/gtestutils.c. - debian/patches/CVE-2021-28153-1.patch: fix a typo in a comment in gio/glocalfileoutputstream.c. - debian/patches/CVE-2021-28153-2.patch: stop using g_test_bug_base() in file tests in gio/tests/file.c. - debian/patches/CVE-2021-28153-3.patch: factor out a flag check in gio/glocalfileoutputstream.c. - debian/patches/CVE-2021-28153-4.patch: fix CREATE_REPLACE_DESTINATION with symlinks in gio/glocalfileoutputstream.c, gio/tests/file.c. - debian/patches/CVE-2021-28153-5.patch: add a missing O_CLOEXEC flag to replace() in gio/glocalfileoutputstream.c. - CVE-2021-28153 * SECURITY UPDATE: g_byte_array_new_take length truncation - debian/patches/CVE-2021-2721x/CVE-2021-27218.patch: do not accept too large byte arrays in glib/garray.c, glib/gbytes.c, glib/tests/bytes.c. - CVE-2021-27218 * SECURITY UPDATE: integer overflow in g_bytes_new - debian/patches/CVE-2021-2721x/CVE-2021-27219*.patch: add internal g_memdup2() function and use it instead of g_memdup() in a bunch of places. - CVE-2021-27219 ==== linux-meta: 4.4.0.203.209 => 4.4.0.204.210 ==== ==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual * Bump ABI 4.4.0-204 ==== linux-signed: 4.4.0-203.235 => 4.4.0-204.236 ==== ==== linux-image-4.4.0-204-generic * Master version: 4.4.0-204.236 ==== python3.5: 3.5.2-2ubuntu0~16.04.12 => 3.5.2-2ubuntu0~16.04.13 ==== ==== libpython3.5-minimal:amd64 libpython3.5-stdlib:amd64 libpython3.5:amd64 python3.5 python3.5-minimal * SECURITY UPDATE: Code execution from content received via HTTP - debian/patches/CVE-2020-27619.patch: no longer call eval() on content received via HTTP in Lib/test/multibytecodec_support.py. - CVE-2020-27619 * SECURITY UPDATE: Buffer overflow - debian/patches/CVE-2021-3177.patch: replace snprintf with Python unicode formatting in ctypes param reprs in Lib/ctypes/test/test_parameters.py, Modules/_ctypes/callproc.c. - CVE-2021-3177 ==== screen: 4.3.1-2build1 => 4.3.1-2ubuntu0.1 ==== ==== screen * SECURITY UPDATE: DoS via crafted UTF-8 character sequence - debian/patches/99_CVE-2021-26937.patch: fix out of bounds array access in encoding.c. - CVE-2021-26937 -- [1] http://cloud-images.ubuntu.com/releases/xenial/release-20210316/ [2] http://cloud-images.ubuntu.com/releases/xenial/release-20210224/