A new release of the Ubuntu Cloud Images for stable Ubuntu release 22.04 (Jammy Jellyfish) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'. The following packages have been updated. Please see the full changelogs for a complete listing of changes: * apparmor: 3.0.4-2ubuntu2.1 => 3.0.4-2ubuntu2.2 * bind9: 1:9.18.1-1ubuntu1.3 => 1:9.18.12-0ubuntu0.22.04.1 * cloud-init: 22.4.2-0ubuntu0~22.04.1 => 23.1.1-0ubuntu0~22.04.1 * curl: 7.81.0-1ubuntu1.8 => 7.81.0-1ubuntu1.10 * linux-meta: 5.15.0.67.65 => 5.15.0.69.67 * linux-signed: 5.15.0-67.74 => 5.15.0-69.76 * netplan.io: 0.105-0ubuntu2~22.04.1 => 0.105-0ubuntu2~22.04.3 * openldap: 2.5.13+dfsg-0ubuntu0.22.04.1 => 2.5.14+dfsg-0ubuntu0.22.04.1 * python3.10: 3.10.6-1~22.04.2 => 3.10.6-1~22.04.2ubuntu1 * rsync: 3.2.3-8ubuntu3.1 => 3.2.7-0ubuntu0.22.04.2 * sudo: 1.9.9-1ubuntu2.2 => 1.9.9-1ubuntu2.3 * systemd-hwe: 249.11.2 => 249.11.3 * systemd: 249.11-0ubuntu3.6 => 249.11-0ubuntu3.7 * tcpdump: 4.99.1-3build2 => 4.99.1-3ubuntu0.1 * ubuntu-advantage-tools: 27.13.5~22.04.1 => 27.13.6~22.04.1 * update-notifier: 3.192.54.5 => 3.192.54.6 * vim: 2:8.2.3995-1ubuntu2.3 => 2:8.2.3995-1ubuntu2.4 The following is a complete changelog for this image. new: {'linux-modules-5.15.0-69-generic': '5.15.0-69.76', 'linux-headers-5.15.0-69-generic': '5.15.0-69.76', 'linux-headers-5.15.0-69': '5.15.0-69.76'} removed: {'linux-headers-5.15.0-67': '5.15.0-67.74', 'linux-headers-5.15.0-67-generic': '5.15.0-67.74', 'linux-modules-5.15.0-67-generic': '5.15.0-67.74'} changed: ['apparmor', 'bind9-dnsutils', 'bind9-host', 'bind9-libs:amd64', 'cloud-init', 'curl', 'libapparmor1:amd64', 'libcurl3-gnutls:amd64', 'libcurl4:amd64', 'libldap-2.5-0:amd64', 'libldap-common', 'libnetplan0:amd64', 'libnss-systemd:amd64', 'libpam-systemd:amd64', 'libpython3.10-minimal:amd64', 'libpython3.10-stdlib:amd64', 'libpython3.10:amd64', 'libsystemd0:amd64', 'libudev1:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.15.0-69-generic', 'linux-image-virtual', 'linux-virtual', 'netplan.io', 'python3.10', 'python3.10-minimal', 'rsync', 'sudo', 'systemd', 'systemd-hwe-hwdb', 'systemd-sysv', 'systemd-timesyncd', 'tcpdump', 'ubuntu-advantage-tools', 'udev', 'update-notifier-common', 'vim', 'vim-common', 'vim-runtime', 'vim-tiny', 'xxd'] new snaps: {} removed snaps: {} changed snaps: ['core20', 'snapd'] ==== apparmor: 3.0.4-2ubuntu2.1 => 3.0.4-2ubuntu2.2 ==== ==== apparmor libapparmor1:amd64 * Add mqueue patches. LP: #1993353 - u/mqueue1-parser-add-parser-support-for-message-queue-mediatio.patch: add parser support for mqueue mediation - u/mqueue2-tests-add-posix-message-queue-regression-tests.patch: add posix mqueue regression tests - u/mqueue3-utils-add-message-queue-rules-parsing-in-python-tool.patch: add support in python tools to parse mqueue rules - u/mqueue4-parser-add-parser-simple-tests-for-mqueue-rules.patch: add parser simple tests for mqueue - u/mqueue5-parser-Add-a-set-of-debug-flags-that-can-be-passed-t.patch: add debug flags that can be passed to the kernel - u/mqueue6-parser-Set-the-DEBUG1-flag-on-profiles-that-use-mque.patch: set DEBUG1 on mqueue rules - u/mqueue7-parser-place-perm-on-name-as-well-as-name-label-comb.patch: add permissions on name and also on name + label - u/mqueue8-libapparmor-add-support-for-requested-and-denied-on-.patch: add parsing support for "denied" and "requested" from audit logs - u/mqueue9-libapparmor-add-support-for-class-in-logparsing.patch: add parsing support for "class" from audit logs - u/mqueue10-utils-add-logparser-support-for-mqueue.patch: add logparser support for mqueue rules - u/mqueue11-tests-add-sysv-message-queue-regression-tests.patch: add sysv mqueue regression tests - debian/rules: create mqueue testcase empty files for libapparmor tests. * Closes LP: #1994146 ==== bind9: 1:9.18.1-1ubuntu1.3 => 1:9.18.12-0ubuntu0.22.04.1 ==== ==== bind9-dnsutils bind9-host bind9-libs:amd64 * New upstream releases 9.18.2 - 9.18.12 (LP: #2003586) - Updates: + update-quota option + named -V shows supported cryptographic algorithms + Catalog Zones schema version 2 support in named + DNS error support Stale Answer and Stale NXDOMAIN Answer + Remote TLS certificate verification support + reusereport option - Bug Fixes Include: + Fix crash when using dig with +nssearch and +tcp (LP: #1258003) + Fix incomplete results using dig with +nssearch (LP: #1970252) + Fix loading of preinstalled plugins (LP: #2006972) + CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38178, CVE-2022-3094, CVE-2022-3736, CVE-2022-3924, CVE-2022-1183 + Fix thread safety in dns_dispatch + Fix ADB quota management in resolver + Fix Prohibited DNS error on allow-recursion + Fix crash when restarting server with active statschannel connection + Fix use after free for catalog zone processing + Fix leak of dns_keyfileio_t objects + Fix nslookup failure to use port option when record type ANY is used + Fix crash on dnssec-policy zone with NSEC3 and inline-signing turned on + Fix inheritance when setting remote server port + Fix assertion error when accessing statistics channel + Fix rndc dumpdb -expired for stuck cache + Fix check for other name servers after receiving FORMERR + Fix deletion of CDS after zone sign + Fix dighost query context management + Fix dig hanging due to IPv4 mapped IPv6 address + See https://bind9.readthedocs.io/en/v9_18_12/notes.html#notes-for-bind-9-18-12 for additional bug fixes and information * Improve dep-8 test suite (LP: #2003584): - d/t/zonetest: Add dep8 test for checking the domain zone creation process - d/t/control: Add new test outline * d/bind9-doc.docs: Stop installing removed file doc/misc/options.active * Remove patches for bugs LP #1964400 and LP #1964686 fixed upstream: - lp1964400-lp1964686-Fix-an-issue-in-dig-when-retrying-with-the-next-serv - lp1964400-lp1964686-When-resending-a-UDP-request-insert-the-query-to-the - lp1964400-lp1964686-Add-digdelv-system-test-to-check-timed-out-result-fo - lp1964400-lp1964686-After-dig-request-errors-try-to-use-other-servers-wh - lp1964400-lp1964686-Add-digdelv-system-test-to-check-that-dig-tries-othe - lp1964400-lp1964686-Fix-dig-error-when-trying-the-next-server-after-a-TC - lp1964400-lp1964686-Add-various-dig-host-tests-for-TCP-UDP-socket-error- * Remove CVE patches fixed upstream: - debian/patches/CVE-2022-1183.patch [Included in upstream release 9.18.3] - debian/patches/CVE-2022-2795.patch - debian/patches/CVE-2022-2881.patch - debian/patches/CVE-2022-2906.patch - debian/patches/CVE-2022-3080.patch - debian/patches/CVE-2022-38178.patch [Included in upstream release 9.18.7] - debian/patches/CVE-2022-3094.patch - debian/patches/CVE-2022-3736.patch - debian/patches/CVE-2022-3924.patch [Included in upstream release 9.18.11] ==== cloud-init: 22.4.2-0ubuntu0~22.04.1 => 23.1.1-0ubuntu0~22.04.1 ==== ==== cloud-init * d/patches/retain-netplan-world-readable.patch: - Retain original world-readable perms of /etc/netplan/50-cloud-init.yaml. Lunar made the config root read-only. * refresh patches: + debian/patches/expire-on-hashed-users.patch * Upstream snapshot based on 23.1.1. (LP: #2008230). List of changes from upstream can be found at https://raw.githubusercontent.com/canonical/cloud-init/23.1.1/ChangeLog ==== curl: 7.81.0-1ubuntu1.8 => 7.81.0-1ubuntu1.10 ==== ==== curl libcurl3-gnutls:amd64 libcurl4:amd64 * SECURITY UPDATE: TELNET option IAC injection - debian/patches/CVE-2023-27533.patch: only accept option arguments in ascii in lib/telnet.c. - CVE-2023-27533 * SECURITY UPDATE: SFTP path ~ resolving discrepancy - debian/patches/CVE-2023-27534-pre1.patch: do not add '/' if homedir ends with one in lib/curl_path.c. - debian/patches/CVE-2023-27534.patch: create the new path with dynbuf in lib/curl_path.c. - CVE-2023-27534 * SECURITY UPDATE: FTP too eager connection reuse - debian/patches/CVE-2023-27535-pre1.patch: add and use Curl_timestrcmp in lib/netrc.c, lib/strcase.c, lib/strcase.h, lib/url.c, lib/vauth/digest_sspi.c, lib/vtls/vtls.c. - debian/patches/CVE-2023-27535.patch: add more conditions for connection reuse in lib/ftp.c, lib/ftp.h, lib/url.c, lib/urldata.h. - CVE-2023-27535 * SECURITY UPDATE: GSS delegation too eager connection re-use - debian/patches/CVE-2023-27536.patch: only reuse connections with same GSS delegation in lib/url.c, lib/urldata.h. - CVE-2023-27536 * SECURITY UPDATE: SSH connection too eager reuse still - debian/patches/CVE-2023-27538.patch: fix the SSH connection reuse check in lib/url.c. - CVE-2023-27538 ==== linux-meta: 5.15.0.67.65 => 5.15.0.69.67 ==== ==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual * Bump ABI 5.15.0-69 * Bump ABI 5.15.0-68 * Packaging resync (LP: #1786013) - [Packaging] resync debian/dkms-versions from main package ==== linux-signed: 5.15.0-67.74 => 5.15.0-69.76 ==== ==== linux-image-5.15.0-69-generic * Master version: 5.15.0-69.76 * Miscellaneous Ubuntu changes - debian/tracking-bug -- update from master * Master version: 5.15.0-68.75 * Miscellaneous Ubuntu changes - debian/tracking-bug -- update from master ==== netplan.io: 0.105-0ubuntu2~22.04.1 => 0.105-0ubuntu2~22.04.3 ==== ==== libnetplan0:amd64 netplan.io * Fix and improvements for the DBus integration (LP: #1997467) Cherry-picked from upstream: https://github.com/canonical/netplan/pull/331 - d/p/lp1997467/0009-dbus-Build-the-copy-path-correctly.patch Properly build the destination path before copying files in the dbus integration and improve error handling - d/p/lp1997467/0010-tests-Add-an-integration-test-for-netplan-dbus.patch Add an integration test to exercise the code path where the issue was addressed. * d/p/lp1997467: set only specific origin-hint if given (LP: #1997467) Cherry-picked from upstream: https://github.com/canonical/netplan/pull/299 - d/libnetplan0.symbols: Add netplan_parser_load_nullable_overrides() API - d/p/0008-src-parse-plug-memory-leaks-in-nullable-handling.patch backport upstream commit 40c53bb (memory leak fixup of PR#299) ==== openldap: 2.5.13+dfsg-0ubuntu0.22.04.1 => 2.5.14+dfsg-0ubuntu0.22.04.1 ==== ==== libldap-2.5-0:amd64 libldap-common * New upstream version (LP: #2007625). - Several fixes, including memory leaks that affect slapd and certain slapo modules. ==== python3.10: 3.10.6-1~22.04.2 => 3.10.6-1~22.04.2ubuntu1 ==== ==== libpython3.10-minimal:amd64 libpython3.10-stdlib:amd64 libpython3.10:amd64 python3.10 python3.10-minimal * SECURITY UPDATE: Possible Bypass Blocklisting - debian/patches/CVE-2023-24329.patch: enforce that a scheme must begin with an alphabetical ASCII character in Lib/urllib/parse.py, Lib/test/test_urlparse.py. - CVE-2023-24329 ==== rsync: 3.2.3-8ubuntu3.1 => 3.2.7-0ubuntu0.22.04.2 ==== ==== rsync * SECURITY UPDATE: arbitrary file write via malicious remote servers - Updated to 3.2.7 to fix security issue and multiple regressions caused by the original security fixes. - debian/patches: Added two additional upstream patches: + trust_the_sender_on_a_local_transfer.patch + avoid_quoting_of_tilde_when_its_a_destination_arg.patch - Removed patches no longer needed with 3.2.7: + CVE-2020-14387.patch, fix_ftcbfs_configure.patch, fix_delay_updates.patch, copy-devices.diff, workaround_glibc_lchmod_regression.patch, manpage_upstream_fixes.patch, fix_mkpath.patch, fix_sparse_inplace.patch, update_rrsync_options.patch, fix_rsync-ssl_RSYNC_SSL_CERT_feature.patch, avoid_spurious_is_newer_messages_with_update.patch. - debian/control, debian/rules, debian/rsync.install, debian/rsync.links: ship new python-based rrsync. - debian/rsync.install: cull_options has been renamed to cull-options. - CVE-2022-29154 ==== sudo: 1.9.9-1ubuntu2.2 => 1.9.9-1ubuntu2.3 ==== ==== sudo * SECURITY UPDATE: double free with per-command chroot sudoers rules - debian/patches/CVE-2023-27320.patch: don't free user_cmnd twice in MANIFEST, plugins/sudoers/match_command.c, plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/regress/testsudoers/test20.out.ok, plugins/sudoers/regress/testsudoers/test20.sh, plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c. - CVE-2023-27320 ==== systemd: 249.11-0ubuntu3.6 => 249.11-0ubuntu3.7 ==== ==== libnss-systemd:amd64 libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd systemd-sysv systemd-timesyncd udev * SECURITY UPDATE: buffer overrun vulnerability in format_timespan() - debian/patches/CVE-2022-3821.patch: time-util: fix buffer-over-run - CVE-2022-3821 * SECURITY UPDATE: information leak vulnerability in systemd-coredump - debian/patches/CVE-2022-4415.patch: do not allow user to access coredumps with changed uid/gid/capabilities - CVE-2022-4415 ==== systemd-hwe: 249.11.2 => 249.11.3 ==== ==== systemd-hwe-hwdb [ Koba Ko ] * hwdb: Add Dell G16 that require KEYBOARD_KEY_100150=f20 (LP: #2007032) ==== tcpdump: 4.99.1-3build2 => 4.99.1-3ubuntu0.1 ==== ==== tcpdump * debian/usr.sbin.tcpdump: allow tcpdump printing to stdout/stderr when running from a container (LP: #1667016) ==== ubuntu-advantage-tools: 27.13.5~22.04.1 => 27.13.6~22.04.1 ==== ==== ubuntu-advantage-tools * Backport new upstream release: (LP: #2008814) to jammy * apt-news: - make sure systems which never ran a pro command get the apt-news message displayed (LP: #2008814) * d/ubuntu-advantage-tools.postinst: - fix version for cleaning the esm-apps stale unauthenticated files (LP: #2006765) * d/ubuntu-advantage-tools.postinst: - remove stale esm-apps unauthenticated caches (LP: #2004193) * apt-hook: - Change esm-apps advertisement message on apt upgrade to make it clearer that the service is providing more upgrades and not restricting user to only get updates if esm-apps is enabled (LP: #2006510) * contract: - make code aware that the effective date is not a required field in the machine-token.json file (LP: #2006351) * esm_cache - do not fail if we cannot extract information from /etc/os-release file (LP: #2006508) * security-status: - consider packages without a candidate as 'unknown' (LP: #2006049) * status: - treat null effective contract dates as unknown/expired (LP: #2004650) * timer: - recycle invalid jobs-status.json file if we detect it is corrupted (LP: #2006261) * d/ubuntu-advantage-tools.preinst: (LP: #2004279) - correct second set of md5sums to continue avoiding a dpkg conf prompt if the only change to the original config file was to the apt_news flag - restore correct default uaclient.conf when upgrading from 27.13.X and the only conf change is apt_news * esm-cache.service: - Catch errors when esm.ubuntu.com is unreachable to avoid causing crash reports and degraded systemd status from this non-critical service (LP: #2004130) * d/ubuntu-advantage-tools.{postinst,postrm,preinst}: - avoid a dpkg conf prompt if the only change to the original config file was to the apt_news flag (LP: #2003977) * apt-hook: - only run the pro client pre-update hook services when the apt update is executed as root user (LP: #2004057) * apt: better isolate apt esm cache by only fetching necessary configuration from the system apt * d/bash-completion: - enable autocomplete for the 'pro' command (GH: #2280) * d/control: - update the package description * d/postinst: - remove unauthenticated esm repos from Xenial systems (LP: #1990378) * New upstream release 27.13 (LP: #2003018) - apt: + remove logic which added repositories and pinned them to 'never' to enable access to esm package lists + add functionality to create and update a local apt esm cache with the lists for esm-infra and esm-apps - apt-hook: update the cpp hook to use the local esm apt cache - apt-news: + fetch and display APT News in apt upgrade + show contract expiration notices in the apt news output - attach: support attaching without being able to install snapd (LP: #1997514) - cli: + do not show invalid subcommands in autocomplete (GH: #2279) + add support for attaching through the web portal, without a token - config: add apt_news_url option - docs: reorganize documentation and correct information - esm-apps: release the service as GA - jobs: + remove the update_status job + remove unused job which checks for the system EOL - messaging: do not fail if the apt-hook executable is not present (LP: #1994480) - motd: announce esm-apps as GA - security-status: + use the local esm cache to report updates when the services are disabled + redesign output to properly show support (LP: #2002407) - services: add new service to update the local esm caches - ros: release the service as GA - bug fixes: + report reboot_required even if 'livepatch status' fails + do not create unexpected environment variables when the autocomplete script runs + contract requests do not cause 'pro status' to fail + remove auto-attach motd message if any failure happens + log when 'cloud-id' fails + always honor the metering job timer config + write files atomically * New upstream release 27.12 (LP: #1996424): - auto-attach: + retry auto-attach for up to one month on Ubuntu Pro cloud instances + make a best effort to auto-attach when using the API - enable: show deduplicated list of supported arches (GH: #917) - fips: remove cloud package override logic from the client - messaging: verify contract expiration date on contract server before outputting expired message on MOTD - realtime-kernel: make service non-beta - reboot-required: + add API support to show if the system requires a reboot (u.pro.security.status.reboot_required.v1) + add cli command for the functionality (pro system reboot-required) - security-status: + add API support to report standard updates (u.pro.packages.updates.v1) + add API support to show CVEs patched by Livepatch (u.pro.security.status.livepatch_cves.v1) + add API support to show packages summary information (u.pro.packages.summary.v1) + list packages in oci manifest format (u.security.package_manifest.v1) - systemd: do not attempt to auto-attach if a machine-token is present * New upstream release 27.11.3: (LP: #1993006) - d/postinst: remove the Ubuntu Pro beta apt message and set up the configurable flag for "APT news" instead - collect-logs: do not fail if a file cannot be read (LP: #1991858) - config: add a flag to disable "APT news" (LP: 1992026) - messaging: add announcement of "APT news" to apt output - messaging: only show "APT news" when using apt binary (GH: #2288) - version: use /run instead of /tmp for version file (GH: #2294) * New upstream release 27.11.2: (LP: #1991173) - esm: add the --beta flag back to esm-apps - messaging: show Ubuntu Pro beta message in apt output - security-status: don't show esm-apps information when the service is not enabled - ros: add the --beta flag back to ros and ros-updates * New upstream release 27.11.1: (LP: #1990907) - Fix release upgrade when ESM packages are installed + d/postinst: remove series information from the APT preferences template + esm: remove series information from the APT preferences file * d/control: - Update VCS references * d/links: - add usr/bin/pro as an alias to ubuntu-advantage * d/postinst: - include root_mode parameter when creating UAConfig instances - change calls to add_notice to notice_file.add - create public machine-token file if it does not exist * New upstream release 27.11 (LP: #1989279) - api: + new `pro api` command to access the public client API + 'version' endpoint returning version information + 'should auto attach' endpoint informing if a system should run auto-attach on startup + 'full auto attach' endpoint performing auto-attach + 'magic attach' endpoints for the Magic Attach flow - auto-attach: + better errors for invalid pro images (GH: #2180, #1833) + don't detach on already auto-attached instances + no-op when ubuntu-advantage information is present on cloud-init userdata + change systemd unit to run after cloud-config - cli: + cli: better error message on unrecognized flags (GH: #672) - collect-logs: + can now be executed as a non-root user + is executed automatically and result is appended when using apport to report a bug - docs: now formatted to be built with sphinx, and published in readthedocs - enable: + new access-only flag for usecases where auto-install is undesired + fix apt auth line replacement (LP: #1985863) - esm-apps: generally available as non-beta as part of Ubuntu Pro - fix: check if livepatch has already fixed a CVE before attempting a fix - jobs: new timer job to check if the release reached end of support - pro: + Ubuntu Pro is released as a product + make `pro` the recommended executable for the client + client, apt and motd messages updated/rewritten to show Pro information + base URL changed from /advantage to /pro + ESM services renamed as part of Pro - ros: released as a non-beta entitlement - security-status + does not require the --format flag anymore + human readable output added based on ubuntu-security-status + machine readable output contains CVEs fixed by Livepatch + package counts include all esm-infra and esm-apps repositories - status: + don't show unavailable services by default (GH: #2156, #2159) + expiry date formatted based on timezone (GH: #695) + non-root users get the current status instead of a cached version + --wait flag now working for non-root users - version: warn about new available versions of the client in CLI command output and API calls * apt-hook: Fix missing import warning when compiling * d/control: - Drop golang dependencies * d/rules: - Only install APT hooks on LTS series * New upstream release 27.10 (LP: #1980990) - apt-hook: replace golang with cpp for json-hook - cli + properly sort services for detach/attach (GH: #1831) + collect-logs include rotated log files + display UA features directly on status - daemon: do not try enabling daemon during auto-attach (LP: #1980865) - fix: + update ua portal url when asking for attach + add --dry-run option - gcp-pro: better error message for metadata endpoint error - requests: Add default timeout for web requests - timer: log when job start running - security-status: include download size of package updates * d/rules - remove trusty specific code - remove ua-license-check.{timer,service,path} - install ubuntu-advantage.service - only on xenial: install ubuntu-advantage-cloud-id-shim.service * d/tools.preinst: remove old config field to avoid warnings in logs * d/tools.postinst - remove trusty specific code - print warnings if /etc/os-release doesn't have required fields - hardcode service list instead of exec-ing python3 for old migration - refactor python to avoid instantiating UAConfig extra times - refactor python to always use messages module for strings - rm the old marker file that triggered ua-license-check.path - remove unnecessary deb-systemd-helper check in ua-messaging cleanup - clean up old ua-license-check state - run new cloud-id-shim script * d/tools/postrm - clean up ubuntu-advantage-daemon log files * New upstream release 27.9 (LP: #1973099) - cli: + for json formatted output, include additional_info for some errors + new subcommand `ua refresh messages` to update motd and apt messages - daemon: + replace ua-license-check timer with ubuntu-advantage.service daemon + detects on-boot if pro license was added and runs auto-attach + only runs on gcp and does not continuously long-poll by default for now - enable: + fix error message on wrong service name when unattached - fips: + allow enabling generic fips kernel on azure by default + clean up fips reboot message (LP: #1972026) - fix: + handle errors during attach process + fix bug where enable or detach during a fix failed (LP: #1969809) + fix bug where attempting to fix some CVEs would never finish - performance: + remove unnecessary UAConfig object instantiation (also cleans up logs) + cache "apt-cache policy" output to avoid unnecessary subp calls - proxy: + apt_http(s)_proxy renamed to global_apt_http(s)_proxy + apt_http(s)_proxy config var names will still work + new ua_apt_http(s)_proxy for only ua-related apt traffic (LP: #1956764) + global_apt_http(s)_proxy and ua_apt_http(s)_proxy cannot be set at the same time - realtime: adjust warning to clarify that a manual revert is possible - refresh: a normal `ua refresh` will also update motd and apt messages - security-status: add counts of packages from each archive component - status: check if contract has updated and notify user to run "ua refresh" * New upstream release 27.8 (LP: #1969125) - entitlements: apply overrides from the contract response - fips: + unhold fips packages when enabling fips-updates + Automatically disable fips service before enabling fips-updates + unhold more packages when enabling fips - lib: fix upgrade script for unsupported releases (LP: #1968067) - realtime: add support for realtime kernel beta service on Jammy * fips: - make fips service incompatible with fips-updates - unhold more packages when enabling fips * d/changelog: - fix changelog trailer line for 27.4.1 * d/logrotate: - make new logs world readable * d/tools.postinst: - refactor to catch exception from entitlement_factory - no longer always set log file to only root readable - when creating log file for the first time, make world readable - adapt postinst for new messages module * New upstream release 27.7 (LP: #1964028) - attach: --attach-config option for customizing auto-enabled services and supplying token via a file - auto-attach: fix bug where auto-attach caused a manually attached machine to detach - cli: + support --format=json for attach + support --format=json for detach + support --format=json for enable + support --format=json for disable - contract: include activity info when updating contract - detach: no longer contacts contract server on detach - fips: allow fips on containers - fix: support USNs that don't have related CVEs - logs: make all newly created logs world-readable - security-status: + show already installed esm package counts + include APT origin for each potential update + bump schema version to "0.1" + remove previously required --beta flag - status: + include blocked_by information in service status when format=json + --simulate-with-token now reports expired tokens as errors + --simulate-with-token now returns errors in the specified format * New upstream release 27.6 (LP: #1958556) - cli: only request available resources from contract server when needed - fips: + allow enabling FIPS on focal clouds + update prompt messages - jobs: disable license-check job on GCP after attach - message: fix how apt and motd messages are updated after ua commands * d/control: - Update homepage URL * d/tools.postinst: - Refactor to use valid_services * d/tools.postrm: - Use a wildcard to remove ua related gpg files * New upstream release 27.5 (LP: #1956456) - aws: add support for the IPv6 metadata endpoint - cis: update URL for the documentation - cli: + add endpoint to simulate the status using a specific contract token + fix return code when attaching an already attached machine (GH: #1867) + fix security-status to consider all possible origins to show updates + include cloud build.info in the collect-logs tarball + only show services which exist in the contracts server in ua status - docs: fix typos and wrong/outdated information - livepatch: always use the full path in livepatch calls (LP: #1951954) - logs: + improve rules to redact sensitive information from all log files + redact sensitive information from older unredacted log files + log errors from external software execution, for debugging purposes - usg: + support the presentedAs affordance from the contract server, showing services in the CLI with the appropriate names + replace the CIS entitlement by USG on Focal and onwards * d/tools.postinst: - Fix check_service_is_enabled function when the machine is unattached (LP: #1951705) * jobs: do not run the status job for unattached users * d/rules: - Remove conftest file from the package * d/tools.postinst: - hardcode python binary to run python scripts (LP: #1930121) - undo unnecessary log file creation * d/tools.prerm: - hardcode python binary to run python scripts (LP: #1930121) * New upstream release 27.4 (LP: #1949634) - cc-eal: remove beta flag - cli: + attach will save machine-id during operation + detach won't ask unnecessary questions + new security-status subcommand lists potentially available security and ESM updates (beta) - fix: + exit 0 when fix is successfully applied and completed + exit 1 when fix cannot be applied + exit 2 when fix requires a reboot to complete + check reboot-required.pkgs for better reboot suggestions - livepatch: allow livepatch and fips-updates at the same time - metering: + update how activity info is parsed + update contract response structure + enable job by default - proxy: no_proxy defaults for link-local IMDS routes - util: + cache get_platform_info calls + fix machine-id fallback path on get_machine_id * d/tools.postinst: - consider cloud to be "none" on any cloud-id error - purge old ua-messaging.timer/service files - keep ua-timer.timer disabled if ua-messaging.timer was disabled by the user - properly configure both ubuntu-advantage-timer and ubuntu-advantage-licence-check logs * d/tools.postrm: - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs during purge * systemd: - remove ua-messaging.timer/service - add new ua-timer.timer that runs every 6 hours - add new ua-license_check.timer that runs every 5 minutes only if activated by ua-license-check.path * New upstream release 27.3 (LP: #1942929) - ros: + add beta support to enable ros and ros-updates + add support for "required services" so that esm-infra and esm-apps get auto-enabled when enabling ros or ros-updates + add support for "dependent services" so that user gets prompted to disable ros/ros-updates if they disable esm-infra/esm-apps - fips: + allow fips on GCP bionic now that optimized kernel is ready + disallow enabling fips on focal on clouds until cloud-optimized focal fips-certified kernel is ready (LP: #1939449, LP: #1939932) + print warning about generic fips kernel if cloud-id fails - cloud: + rely only on cloud-id to determine cloud type (LP: #1940131) + catch errors when determining cloud type (LP: #1938207, LP: #1944676) (GH: #1541) - azure: + bump IMDS API version to support Azure published images - cli: + collect-logs command that creates a tar file with debug-relevant logs and status info (GH: #463) + clean locks on exceptions more thoroughly to avoid false "Operation in progress" status messages + retain past service state after detach + shows better error message when a port value in a proxy is invalid - non-unicode locale support: + remove unicode-only characters from help file + don't print unicode-only characters in ua fix if non-utf8 locale (GH: #1463) - logrotate: + add logrotate functionality for ubuntu-advantage-timer.log. + Fix root:root logrotate permissions. - ua-timer.timer: + introduce a single systemd timer to handle ua recurring jobs + timer runs every 2 hours to support most frequent timer job + recurring job intervals are configurable in uaclient.conf + individual jobs are disabled if their interval is set to 0 - status job: + update ua status every 12 hours - messaging job: + update APT/MOTD ESM messaging every 6 hours - metering job: + disabled until infrastructure is ready + for attached machines only, periodically update contract server with status information for proper contract metering - ua-license-check.timer: + only runs on LTS GCP instances that are not attached + runs every 5 minutes to check if gcp instance has license required to auto-attach - logs: + fixes duplicate logging (GH: #553) - tests and support: + remove groovy integration tests + various improvements to integration tests * d/tools.postinst: - Do not fail in postinst if cloud-init did not run. This fixes the regression introduced in 27.2.1. (LP: #1936833) * d/control: - remove unnecessary distro-info dependency from build-depends * d/rules: - pick right version of distro-info based on release * docs: + add information about proxy auth to manpage and readme * lib: + handle missing configStatus key in patch status json script * d/control: - add comments to explain complex build-depends - add version requirement to distro-info (LP: #1932028) * d/tools.postinst: - run status.json schema patch script to avoid non-root status errors * New upstream release 27.2: - attach: print contract server reason for 403 (GH: #1630) - cli: add ua config set, unset and show subcommands - config: + add default ua_config setting values + only allow some fields to be set by envvar + use defaults for contract and security url - docs: + add proxy config options to man page + add instructions to generate MOTD messages + add support matrix info + remove broken api link - enable: allow downgrading packages during enable (GH: #1659) - fips: + add focal test for fips-updates + alert if wrong fips package installed on gov clouds + install correct fips package on gov clouds + only install conditional_packages if necessary and available - logs: log env vars that affect config on cli runs - proxy: + add config options to set proxies + print message when setting proxy + support configuring apt proxies + support configuring snap and livepatch proxies + support setting proxy for web requests + validate urls before setting as proxies - refresh: support refreshing config and contract separately - status + add config info to json output + add env vars to json output + do not show unavailable services in json output + support yaml format with same content as json format + update account info in json output + update contract info in json output + update root level keys of json output - refactor: + remove side effects from can_enable (GH: #1654, #1571) + use DatetimeAwareJSONDecoder to parse date strings - tests: + add additional enable test for incompatible services + add flag to enable proposed pocket + add test to check and print version being tested + drop trusty specific tests * Cherrypick upstream pr #1681 to unbreak many migrations. LP: #1930741 * d/control: - specify debianutils min version * d/changelog: - fix lintian typos amend and redact incorrect 27.0 entry (GH: #1624) * lintian: - override ubuntu-advantage-pro wanted-by-target cloud-init - override xenial specific errors - rename package-specific overrides for pro vs tools * New upstream release 27.1: - apt-hook: + avoid segfault when comparing null Apt file origin to esm (LP: #1929123) + avoid wrapping static message formats at 80 chars + update go build flags based on lintian warnings (GH: #1626) + only add newlines for MOTD if message file length is non-zero - attach: do not print contract name if empty - autocomplete: Do not show beta services in autocomplete (GH: #1594) - cis: + make service non-beta + post enable message pointing to docs + update cis help url - docs: update releases.md per SRU review feedback on branch structuring - enable: correct messaging for beta service (GH: #1588) - errors: print a more helpful message when ssl fails (GH: #1618) - fips: + Block enabling fips if fips-updates once enabled (GH: #1600) + Update output of fips commands (GH: #1631) - livepatch: alert when snapd does not have wait cmd (LP: #1927329) - logging: remove tracebacks for UserFacingErrors (GH: #1586) - messaging: + Infra and Apps messaging is mutually exclusive (GH: #1573) + point to u.com/16-04 instead of u.com/advantage on ESM (GH: #1584) + separate _remove_msg_template. emit no warranty on infra disabled - pro: obtain AWS IMDSv2 API token before trying to grab pkcs7 doc (GH: #1608) - status: do not show info if not on contract (GH: #1592) - tests: + drop trusty specific tests + fix mock for handle_message_operations + fix motd message for bionic (GH: #1615) + integration tests for hirsute and groovy + manual test for trusty upgrade to xenial + reboot after dist-upgrade for upgrade test + test enabling CIS on focal (GH: #1582) + update messages in integration tests (GH: #1635) + use proposed pocket on xenial upgrade test - jenkins: + add pytest runs for xenial and bionic + run focal lxd integration tests * d/control: - order build-depends alternatives newer first (LP: #1926949) - apt-hook: do not attempt to package go APT JSON hook on some architectures (GH: #1603) (LP: #1927886, LP: #1927795) * Bug-fix release 27.0.2: build failures on riscv64 and powerpc - apt-hook: refactor json hook messaging to be dry - tests: fix subp ls error case for powerpc builds - jenkinsfile: add --resolve-alternatives for trusty builds - amend changelog: add omitted apt-hook message for 27.0.1 stanza * Add .gitignore and cleanup ignored directory .pytest_cache * apt-hook: mitigate failures with true * New upstream release 27.0: - [redacted: actually landed in 27.0.1] apt-hook: mitigate failures with true - messages: add optional (s) to apt messaging to include singular/plural pkgs - apt-hook: avoid reporting and counting duplicate package names (GH: #1578) - fix: don't say reboot required when unnecessary (LP: #1926183) - test: uncomment additional xenial upgrade tests * New upstream beta3 release: - config: avoid tracebacks on invalid features value in uaclient.conf (GH: #1564) - apt-hook: new json hook for security update counts - Remove redundant messaging from uaclient * d/control: - add distro-info dependency - add new debianutils dependency - add optional dh-systemd | debhelper (>= 13.3) to fallback on hirsute and later when dh-systemd is not present * d/rules: enable and start ua-messaging.timer on package install * d/postinst: - configure esm on any LTS release avoid beta services - configure esm-infra when is_active_esm and apps on LTS - xenial enable unauthenticated apt source for apps/infra * New upstream release 27.0~beta: - apt-hook: + adapt hook to process separate message templates + esm-apps and esm-infra pkg counts not mutually-exclusive + print static messages on apt upgrade/dist-upgrade (GH: #1546) - config: create settings_overrides on config (GH: #1507) - docs: add entry for uploading new version to ppa - esm: + add pin never when disabling esm-infra/apps on xenial + enable infra when EOL LTS and apps on all LTS (GH: #1558) - fips: add notice when installing over old fips - fix: + add links to ubuntu.com/gcp/aws in messaging when on non-PRO + add notice to reboot operation on ua fix + do not prompt user for beta services (GH: #1544) + notify users if reboot is required (GH: #1476) + update how the expired token logic works + wrap output greater than 80 chars (GH: #1487) - lib: fix notice handling on reboot script - messages + provide static message files for use in APT and MOTD + update_ua_messages on attach/detach/disable - mypy: add lib/ dir for coverage - status: do not remove notices on non-root call (GH: #1518) - subp: separate % format strings when logging (GH: #1520) - systemd: add ua-messaging.timer to update ua MOTD and APT msgs - update-motd.d: add conditional hooks for motd to source ua messages - util: add is_lts and is_active_esm funtions to support ESM - test + add integration tests asserting esm-apps setup due to postinst + manual test script for xenial upgrade + trusty and xenial infra and apps disabled in pkg install - behave: use unaltered cloud images unsetting UACLIENT_BEHAVE_PPA - jenkins: make lint and style stage run sequentially * d/*: prefix all the debhelper conf files with the package name * d/control: - add Rules-Requires-Root: no - bump Standards-Version to 4.5.1 - make ubuntu-advantage-pro Architecture: all * d/lintian-overrides: - override maintainer-script-calls-service - package-supports-alternative-init-but-no-init.d-script * d/postinst: move the u-a-pro note to a config script * d/ubuntu-advantage-tools.templates: suggest the use of apt * New upstream release 27.0~beta: - apt: add retry for apt-helper command (GH: #1431) - cli: drop subcommand repeated help output, fix enable & refresh (GH: #1440) - config: + allow parsing yaml delivered from env values + environment variable support for feature overrides (GH: #1395) + create config to add extra params to security url - docs: + add ppas and fix typos + use Ubuntu Pro not Ubuntu PRO + add stop "." punctuation to messages (GH: #1320) - fips: fix FIPS message when disable operation fails - fix: + add basic UASecurityClient to which queries CVE and USNs + add security_url to config + check if service is enabled during ua fix (GH: #1462) + closer representation of cve and usn responses + filter usns by cve details (GH: #1470) + fix regex to be more permissive and strict + get_cve_affected_source_packages_status won't list not-affected (GH: #1467) + handle other package status when running ua fix (GH: #1435) + improve error message for ua fix (GH: #1420) + install pkg fixes when they are on standard pocket (GH: #1401) + move timeout and retries to security client only + only prompt for subscription attach for UA-related pkg updates + parse all related USNS to a given CVE when fixing + parse full API responses for related CVEs and USNs + prefer USN.release_packages binary pkg versions to CVE src ver (GH: #1436) + prompt for new ua token when expired one is used (GH: #1475) + prompt to emit pro suggestion on pro_clouds if unattached (GH: #1386) + prompt to enable service during ua fix (GH: #1455) + provide related CVE URLs instead of USNs (GH: #1456) + raise errors when source_link is null or unexpected format + show packages that were not fixed in the output + update output for released packages in ua fix (GH: #1438) + update message for invalid issue in ua fix (GH: #1433) + use pocket values from USNs (GH: #1439) - logs: emit error response on API errors and redact sensitive logs (GH: #1424) - serviceclient: add 10 second timeout and two retries to API calls (GH: #1374) - util: + add error prompts on invalid selection + add timeout to readurl - tests: + Add disable_auto_attach config to all test PRO vms + add merge_usn_released_binary_package_versions tests + add unittest coverage for override_usn_release_package_status + drop traceback checks on fips integration tests + refactor integration tests for ua fix cmd + run status wait before detach in PRO tests + use ssh to run commands on lxd containers - jenkins: archiveArtifacts can only reference paths within workspace * d/control: add new debianutils dependency * New upstream release 26.3 - util: improve is_container check for chroot - cli: pass assume_yes param to services on detach (GH: #1530) * Drop dh-systemd build dependency. * status: show beta services in status if enabled (GH: #1410) * New upstream release 26.1 - contract: block detach call to contract if machine-id change - docs: add readme docs about mastering clean golden images - fips: add reboot notices for fips operations (GH: #1368) - livepatch: add retry when running canonical-livepatch status (GH: #1360) - util: use lru_cache to avoid re-reading os-release and machine-id (GH: #1329) - tests: + add disable_auto_attach config to all test PRO vms + add more log artifacts during failed integration test + check cloudinit status after launching image + mock leaking livepatch.application_status for fips test + retry package installs on apt exit 100 - jenkins: parameterize build stages to avoid parallel job collision * auto-attach: fix comparing numeric iid * New upstream release 26.0: - auto-attach: systemd unit to run before ua-reboot-cmds.service - config: remove_notice should remove notices.json when empty - fips: + add notice if running a deactivated FIPS kernel (GH: #1348) + block enabling FIPS on clouds using Xenial + block enabling fips on GCP instances + check /proc/sys/crypto/fips_enable to see if fips is enabled + override fips metapackage when on bionic cloud + update metapackage override logic on fips - notices: clear lock file and notice when encountering any exception (GH: #1326) - reboot_cmds: retry on lock held errors due to pro auto-attach - services: allow uaclient to disable services during enable - status: include beta services in json formatted output with --all (GH: #1341) - tests: + add FIPS tests to AWS and Azure bionic images + add GCP pro test for focal machine + add after_step collection of artifacts on failure + remove proc file check after disabling fips + pro: block auto-attach with cloud-config bootcmd + add validation of systemd unit ua-reboot-cmds.service + test enabling fips-updates when fips is enabled - jenkins: - add deb build stage to assert package builds - use series-specific sbuild --build-dir avoid races - use --append-to-version for each sbuild run to avoid races - presume success when no integration artifacts created * d/rules: - add --with systemd to allow reboot init script - do not remove lib/systemd/system folder * d/postinst: - create marker file when reboot script need to run: - enable livepatch across trusty to xenial upgrade - update fips on existing fips pro machines * New upstream release 26.0~beta: - gcp: add Google Cloud Platform support (GH #1269) - fips: + remove is_beta from fips sevices + fips pro: add upgrade support to require reboot to unmark held fips pkgs + update origin UbuntuFIPSUpdates - status: + add notice to tabular output + held locks emit notice about Operation in progress - cli: help sort output so trusty ordering matches xenial++ - cis: rename service from cis-audit - config: provide config notices and add_notice and remove_notice methods - contract: add resource-machine-access route and datapath - init: add init script to run commands on reboot - keys: add ubuntu-advantage-cis keyring - livepatch: make livepatch react to enableByDefault delta - log: log when we install pkgs because of contract delta - make: drop six testdeps target - pro: do not install pro debs on non-pro instances - services: Update beta info for services (GH #1220) - tools: add tox-lxd-runner, that execute the test command in a shell - tools: refresh-keyrings handles cis keys. drop series-specific keys - tests: + add GCE support for integration tests + add cis integration tests for unattached and pro + add pytest constraint for mypy tests + add unittests for reboot_cmds script + fix esm package messages for new update notifier version + pin importlib-metadata for mypy tests + repo tests for request_resource_machine_access + unit tests for config cache clearing and machine-access data - jenkins: + add basic Jenkinsfile for CI runs per PR + add jenkins parseable test results + add lxc cleanup stage on Jenkinsfile * Release version 25.0 * New upstream release 25.0~beta3: - upgrade-lts-conract: noop during do-release-upgrade on unattached (GH: #1255) - ua-auto-attach: order systemd unit before cloud-config.service - Update FIPSUpdates pin origin - fips: unmark held fips packages for ubuntu pro fips image support (GH: #1109) - repo: handle changes to additionalPackages contract deltas - repo: move package installation to install_packages method - pro: trigger auto-attach as soon as instance-data.json is available (GH: #1234) - Conditionally install packages when enabling FIPS - fips: allow disable (GH: #1168) - cli: add trailing newline to argparse errors (GH: #1236) - Install fips metapacking when enabling service - integration test improvements: + upgrade-test: fix upgrade path restart failures on trusty (GH: #1257) + Fix integration test setup scripts (GH: #1253) + strict checking for command success on behave + Update tests to use new pycloudlib LXD abstraction + Add upgrade scenario tests when FIPS is enabled + Improve FIPS tests for checking packages + Update esm-infra xenial lxd test + Fix vm tests as esm-apps is beta service + Fix azure generic integration testing + Update esm-apps check on staging_commands tests + Install pycloudlib for azure jobs only + Fix shell condition in run_azure_travis_integration_tests.sh + Update azure jobs on travis + Update travis url in README + Update travis scripts to use ppa only on master + Fix cron event type check on travis yaml * New upstream release 25.0~beta2: - help: update esm-infra help text (GH: #1212) - apt-hook: update apt cli messaging for UA Infra: ESM and UA Apps: ESM product names - help: update fips help docs (GH: #1213) - help: revert CIS help doc URL (GH: #1211) - help: add new fips help URLs to CLI help docs (GH: #1210) - Show error when enabling service with invalid repo [Lucas Moura] (GH: #954) - Update beta info for services (#1220) [Lucas Moura] (GH: #1216) - Do not enable fips when fips-updates is active [Lucas Moura] (GH: #1209) - Add vm test commands in tox.ini (#1204) [Lucas Moura] * Beta bug fix release - status: fix missing description_override key after upgrade from trusty (GH: #1201) - During contract delta processing use _check_application_status_on_cache instead of live service status * d/control: - add po-debconf dependency and fix lintian not-using-po-debconf and untranslatable-debconf-templates - add ${misc:Depends} dep to ubuntu-advantage-pro to fix lintian debhelper-but-no-misc-depends (GH: #1024) * d/rules: - drop --with systemd fix build-depends-on-obsolete-package - set fix lintian warning extra:Depends even if empty * d/postrm - Add more gpg keys to be deleted in postrm for Xenial+ support * d/postinst: - do not unconfigure non-trusty esm. no series in apt filenames (GH: #1170) - check if esm is already enabled (GH: #1095) * New upstream release 25.0: - Do not uninstall additionalPackages or livepatch when disabling services - check for issubclass on clean_apt_files - Add do-release-upgrade support for esm-infra and apps suites (GH: #1169) - Apply contract deltas during do-release-upgrade operations - cli: add ua help command - cli: status add blocking --wait param and lock files for config change - Fix livepatch behaviour on aws pro focal machine - travis: drop inapplicable workspaces from specific awsgeneric release jobs - Add possible reboot text after enabling/disabling services - apt-hook: package apt-hook and apt configuration files on all releases (GH: #1150) - Fix enable fail bug - Add uaclient.conf override mechanism for auto-attach, beta services and machine-token - Support ESM Apps [Brian Murray] (GH: #930) - Do not enable services if blocking services is active (GH: #1029) - contract: handle 401 on invalid token, 403 on expired (GH: #1335) - Hide beta services from default status output and enable/disable operations (GH: #1079) (GH: #1091) - fips: force apt noninteractive prompts during package installs (GH: #1084) - tests: add unit tests for aws-gov/aws-china cloud detection - Add AWS China and GovCloud partitions [Robert Jennings] - Disable beta services to be show/enabled without flag - Add missing build_pr command to environment - Use additionalPackages from service payload - Add integration testing for Travis runs [patriciadomin] (GH: #856) (GH: #857) (GH: #853) * New bug-fix-only release 24.4: - uaclient.version bump to 24.4 - fips: honor additionalPackage directive from contract for bionic (GH #1173) * New bug-fix-only release 24.3: - uaclient.version bump to 24.3 - fips: add conditional reboot message only if /var/run/reboot-required is present - fips: add apt repo key for FIPS and FIPS updates (GH #1026) * New bug-fix-only release 24.2: - uaclient.version bump to 24.2 - pro: Add AWS China and GovCloud partitions support (GH #1077) * New bug-fix-only release 24.1: - livepatch: run snap wait system snap.seeded before trying to install (GH: #1049) - version: return debian/changelog version when git describe fails to match upstream . tags for git-ubuntu workflow (GH: #1058) * bump version to 24.0 for new versioninig scheme * New upstream release 20.3: - ubuntu-pro: automatically reattach across instance id delta (LP: #1867573) - integration testing: + add behave tests ua subcommands for attached vm + add invalid token tests + add reuse_container test docs + refactor token parameter * d/templates: add a debconf note on upgrade from pre-ubuntu pro package * d/control: create a separate ubuntu-advantage-pro package which delivers the tooling and scripts necessary to auto-attach pro machines This change breaks/replaces ubuntu-advantage-tools <= 20.1 * d/maintscript: rm_conffile /etc/init/ua-auto-attach.conf from ua-tools pkg * d/postint: remove stale systemd symlinks which have migrated to ubuntu-pro * d/rules: only install the apt hook on trusty * d/rules: provide --no-start to debhelper to avoid auto-attach on pkg install * Release 20.2: - ubuntu-pro: + azure: fix detection of DatasourceAzureNet as azure on trusty + generalize identity_doc to return dict instead of string + auto-attach: any 4XX errors during auto-attach are the result of non-Pro + auto-attach: handle 403 errors raised by contract server for invalid vms - attach: persist any status config changes after attach failures - output: add messaging using a different subscription if attached * Release 20.1: - azure-pro, support for azure ubuntu pro auto-attach: + add azure auto-attach instance as valid cloud_instance_factory + add azure cloud instance module and tests + generalize request_aws_contract_token for multiple cloud_types + contract: request_auto_attach_contract_token takes an instance param - constraints: add constraint on pyyaml version in trusty - auto-attach: move duplicate invalid cloud_type check out of cli * d/postinst: only configure ESM on supported architectures (LP: #1851858) [Andreas Hasenack] * d/postinst: rename existing ubuntu-esm-precise.list file to trusty. This fixes the upgrade path from precise to trusty and to this client while esm is enabled (LP: #1850672) * Release 19.7: - aws: handle missing SYS_HYPERVISOR_PRODUCT_UUID - aws-pro: support for aws ubuntu pro auto-attach - pro: add cloud identity module and fix unit tests - pro: update systemd service and upstart boot scripts to auto-attach - pro: esm do not do apt pin never on disable on xenial or bionic - pro: esm-apps has origin UbuntuESMApps and esm-infra is UbuntuESM - status: dynamic status available now from refreshed machine-token - uaclient: update customer visible messages after UX review - esm-apps: allow unattended security upgrades for esm-apps - systemd: needs WantedBy=multi-user.target to get pulled into boot - cli: update docstring to describe errors raised from auto-attach - keyrings: update ubuntu-advantage-esm-apps.gpg with correct key - repo: match strict repo url in apt-policy to avoid esm substring matches - esm: don't disable_apt_auth_only for ESM entitlements - initial implementation of esm-apps - repo: don't raise exception in application_status if aptURL missing - entitlements: rely solely on contract server for repo_url - cli: exit 0 if already attached - cli: use decorators for action_attach and action_attach_premium - cli: add assert_not_attached decorator - status: custom descriptions for n/a service status * New upstream release. Main changes: - drop SSO interactive login support - d/control: no longer depend on pymacaroons, which was only needed for the SSO interactive login support - drop keyrings for services not supported in trusty: cc-eal, fips, fips-updates, cis audit - make sure /var/lib/ubuntu-advantage/private has 0700 perms - rename esm to esm-infra. Also handle upgrades - don't unecessarily remove config files that are already handled by dpkg - expand the apt related runtime dependencies - handle sources.list.d esm snippet when release upgrading from precise - ua status now reports availability of services even in unattached state - the "ua status" output was changed, including the json format option - drop "ua status" call in postinst as it now requires internet access and that is restricted in LP builders and test runners. - fix the d/t/usage DEP8 test that was also using status * d/t/usage: fix dep8 test ("entitlements" was renamed to "services") * New upstream release (LP: #1832757): - packaging: + d/control: depend on libapt-pkg to use pin-priority never + d/postinst: adjust logfile permissions + d/postinst: remove public files and generate status cache on upgrade + d/postinst: Remove the old CACHE_DIR in postinst + d/postrm: remove log files on package purge + d/postrm: remove the ESM pinning file on purge + trusty should remove v1 esm key if present after upgrade + keyrings: regenerate keyrings on a trusty host + refresh keyrings to match current production for fips and cc-eal - apt: + all repo entitlements now call apt-get update on enable + enable -updates if -updates from the Ubuntu archive is enabled + Add basic i18n (good enough for lang packs) + retry apt install and update commands 3 times simple backoff + write commented -updates lines instead of omitting them - attach/detach: + added --no-auto-enable option + suppress messages from inapplicable default entitlements + two-factor auth reprompt only two-factor auth on failed 2fa + honour enableByDefault obligations from contract server + livepatch: no auto-enable on attach for trusty + don't attempt to disable inapplicable entitlements during detach + check for root before checking for attach in assert_attached_root - status: + add --json cli formatting option + emit a SERVICE header in status output + redact technical support and expiry for free contracts + unentitled services will report n/a - cc-eal: + add a warning about download size before install + change cc to cc-eal in docs, parameters and commandline help - esm: + add esm-v2 gpg keyring, drop old keyring, ignore aptKey directive + and livepatch auto enabled on attach where supported + on upgrade do not install preferences to pin never if esm enabled + remove only the apt auth entry on disable, leaving sources.list + use Pin-Priority never apt preference file to disable esm initially - fips: + display as pending when linux-fips is not the running kernel + only install/upgrade optional packages that are already on the system - logs: + no longer redact secrets as logfile is root read-only + separate console log devel from logfile level + remove level from messages to the console - add subcommand to refresh all contract details - config: allow contract_url and sso_auth_url to have a trailing slash - docker: fix persisting generated uuid on images without machine-id files - environ: allow lowercase ua_ overrides - repo: un-comment ESM sources.list lines on repo disable - updated manpage and help docs * apt-hook: Add missing headers for APT 1.9 * Drop the self-test assert in the apt-hook, it's making the subiquity server install fail (LP: #1824523) * apt-hook: Do not crash/fail if we can't read /proc/self/status (LP: #1824523) * Ubuntu Advantage Tools rewrite in Python (LP: #1814157): - Allow attaching a system to a contract or account - More complete status output, dropping MOTD updates - Easily enable and disable services offered * Have ua status cope with the additional livepatch of running a kernel that is not supported for livepatches. * Have an option for enable-livepatch to install a compatible kernel if needed. [ Vineetha Kamath ] * Add support to common criteria EAL2 artifacts installation #144 * New upstream release - added enable-fips-updates command. This command enables the fips-updates repository to install updates to FIPS modules. The updated modules from fips-updates repository are non-certified. * d/t/update-motd-run: fix path to the esm motd (LP: #1757490) * Rename motd scripts so they are shown a bit earlier (LP: #1757171) * Move empty line placement in the livepatch motd to the beginning of the message to avoid double blank lines. * New upstream release: - repositories are only added after credentials are verified (LP: #1730361) - Livepatch MOTD script (LP: #1710976) - better "status" command output formatting (LP: #1719034) - sources.list.d files no longer contain credentials. The "auth.conf" facility is used instead. (LP: #1700611) - enabled Livepatch support for Bionic 18.04 LTS * New upstream release: - run tests during package build * New upstream release: - revert the latest name changes - instead of "advantage", add a "ua" symlink pointing at the ubuntu-advantage script. Likewise for its manpage. (LP: #1721272) * New upstream release: - rename the ubuntu-advantage script to advantage, including where it's mentioned in the documentation. Also provide symlinks pointing at the previous name. (LP: #1721272) - slightly reword some of the FIPS messages * New upstream release with FIPS support (LP: #1718291) * New upstream release: - call apt-get with the non-interactive frontend variable set, and tell dpkg to keep the old config file by default should there be any prompts about that. (LP: #1715012) - split the one big test file into multiple smaller files, for better maintainability. * Release to artful (LP: #1711369) * d/control: update package description * New release version 6. Main changes: - document return codes on the manpage (Fixes: #33) - new status command (Fixes: #40) - restrict esm to precise only (Fixes: #43) - drop the livepatch motd update, only esm has motd output now (Fixes: #44) - skip tests during package building (Fixes #49) * Only display apt output in the case of errors (Fixes #34). * Check running kernel version before enabling the Livepatch service (Fixes #30). * Add livepatch support: - New commands: + enable-livepatch + disable-livepatch + is-livepatch-enabled - new tests - new manpage - new help output - new README.md - new MOTD * ubuntu-advantage & /etc/update-motd.d/99-esm now build, run and are quiet on non-precise release. (LP: #1686183) * Add simple dep8 tests. * Also install ca-certificates (LP: #1690270) * Initial Release. LP: #1686183 ==== update-notifier: 3.192.54.5 => 3.192.54.6 ==== ==== update-notifier-common * Isolate creation of the esm apt cache in apt-check (LP: #2008212) ==== vim: 2:8.2.3995-1ubuntu2.3 => 2:8.2.3995-1ubuntu2.4 ==== ==== vim vim-common vim-runtime vim-tiny xxd * SECURITY UPDATE: NULL pointer dereference when creating blank mouse pointer - debian/patches/CVE-2022-47024.patch: only use the return value of XChangeGC() when it is not NULL. - CVE-2022-47024 * SECURITY UPDATE: invalid memory access with bad 'statusline' value - debian/patches/CVE-2023-0049.patch: avoid going over the NULL at the end of a statusline. - CVE-2023-0049 * SECURITY UPDATE: invalid memory access with recursive substitute expression - debian/patches/CVE-2023-0054.patch: check the return value of vim_regsub(). - CVE-2023-0054 * SECURITY UPDATE: invalid memory access with folding and using "L" - debian/patches/CVE-2023-0288.patch: prevent the cursor from moving to line zero. - CVE-2023-0288 * SECURITY UPDATE: reading past the end of a line when formatting text - debian/patches/CVE-2023-0433.patch: check for not going over the end of the line. - CVE-2023-0433 * SECURITY UPDATE: heap based buffer overflow vulnerability - debian/patches/CVE-2023-0051.patch: reading beyond text - debian/patches/CVE-2023-1170.patch: accessing invalid memory with put in Visual block mode - CVE-2023-0051 - CVE-2023-1170 * SECURITY UPDATE: incorrect calculation of buffer size - debian/patches/CVE-2023-1175.patch: illegal memory access when using virtual editing - CVE-2023-1175 * SECURITY UPDATE: NULL pointer dereference vulnerability - debian/patches/CVE-2023-1264.patch: using NULL pointer with nested :open command - CVE-2023-1264 -- [1] http://cloud-images.ubuntu.com/releases/jammy/release-20230401/ [2] http://cloud-images.ubuntu.com/releases/jammy/release-20230302/