A new release of the Ubuntu Cloud Images for stable Ubuntu release 18.04 LTS (Bionic Beaver) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI IDs. Users who wish to update their existing installations can do so with:

  'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

  * cloud-init: 20.4.1-0ubuntu1~18.04.1 => 21.1-19-gbad84ad4-0ubuntu1~18.04.1
  * libseccomp: 2.4.3-1ubuntu3.18.04.3 => 2.5.1-1ubuntu1~18.04.1
  * linux-meta: 4.15.0.141.128 => 4.15.0.142.129
  * linux-signed: 4.15.0-141.145 => 4.15.0-142.146
  * nettle: 3.4-1 => 3.4-1ubuntu0.1
  * sosreport: 3.9.1-1ubuntu0.18.04.3 => 4.1-1ubuntu0.18.04.1
  * systemd: 237-3ubuntu10.45 => 237-3ubuntu10.46

The following is a complete changelog for this image.

new: {'linux-modules-4.15.0-142-generic': '4.15.0-142.146', 'python3-ptyprocess': '0.5.2-1', 'python3-pexpect': '4.2.1-1', 'linux-headers-4.15.0-142-generic': '4.15.0-142.146', 'linux-headers-4.15.0-142': '4.15.0-142.146'}
removed: {'linux-modules-4.15.0-141-generic': '4.15.0-141.145', 'linux-headers-4.15.0-141': '4.15.0-141.145', 'linux-headers-4.15.0-141-generic': '4.15.0-141.145'}
changed: ['cloud-init', 'libhogweed4:amd64', 'libnettle6:amd64', 'libnss-systemd:amd64', 'libpam-systemd:amd64', 'libseccomp2:amd64', 'libsystemd0:amd64', 'libudev1:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-4.15.0-142-generic', 'linux-image-virtual', 'linux-virtual', 'sosreport', 'systemd', 'systemd-sysv', 'udev']
new snaps: {}
removed snaps: {}
changed snaps: []

==== cloud-init: 20.4.1-0ubuntu1~18.04.1 => 21.1-19-gbad84ad4-0ubuntu1~18.04.1 ====
==== cloud-init

  * d/cloud-init.postinst: Change output log permissions on upgrade (LP: #1918303)
  * d/cloud-init.manpages: include upstream manpages in package (LP: #1908548)
  * drop the following cherry-picks now
    included:
    + cpick-4f62ae8d-Fix-regression-with-handling-of-IMDS-ssh-keys-760
  * refresh patches:
    + debian/patches/openstack-no-network-config.patch
  * New upstream snapshot. (LP: #1920272)
    - .travis.yml: generate an SSH key before running tests (#848)
    - write passwords only to serial console, lock down cloud-init-output.log (#847)
    - Fix apt default integration test (#845)
    - integration_tests: bump pycloudlib dependency (#846)
    - commit f35181fa970453ba6c7c14575b12185533391b97 [eb3095]
    - archlinux: Fix broken locale logic (#841) [Kristian Klausen]
    - Integration test for #783 (#832)
    - integration_tests: mount more paths IN_PLACE (#838)
    - Fix requiring device-number on EC2 derivatives (#836)
    - Remove the vi comment from the part-handler example (#835)
    - net: exclude OVS internal interfaces in get_interfaces (#829)
    - tox.ini: pass OS_* environment variables to integration tests (#830)
    - integration_tests: add OpenStack as a platform (#804)
    - Add flexibility to IMDS api-version (#793) [Thomas Stringer]
    - Fix the TestApt tests using apt-key on Xenial and Hirsute (#823) [Paride Legovini]
    - doc: remove duplicate "it" from nocloud.rst (#825) [V.I. Wood]
    - archlinux: Use hostnamectl to set the transient hostname (#797) [Kristian Klausen]
    - cc_keys_to_console.py: Add documentation for recently added config key (#824) [dermotbradley]
    - Update cc_set_hostname documentation (#818) [Toshi Aoyama]
    - Release 21.1 (#820)
    - Azure: Support for VMs without ephemeral resource disks. (#800) [Johnson Shi]
    - cc_keys_to_console: add option to disable key emission (#811) [Michael Hudson-Doyle]
    - integration_tests: introduce lxd_use_exec mark (#802)
    - azure: case-insensitive UUID to avoid new IID during kernel upgrade (#798)
    - stale.yml: don't ask submitters to reopen PRs (#816)
    - integration_tests: fix use of SSH agent within tox (#815)
    - integration_tests: add UPGRADE CloudInitSource (#812)
    - integration_tests: use unique MAC addresses for tests (#813)
    - Update .gitignore (#814)
    - Port apt cloud_tests to integration tests (#808)
    - integration_tests: fix test_gh626 on LXD VMs (#809)
    - Fix attempting to decode binary data in test_seed_random_data test (#806)
    - Remove wait argument from tests with session_cloud calls (#805)
    - Datasource for UpCloud (#743) [Antti Myyr]
    - test_gh668: fix failure on LXD VMs (#801)
    - openstack: read the dynamic metadata group vendor_data2.json (#777) [Andrew Bogott]
    - includedir in suoders can be prefixed by "arroba" (#783) [Jordi Massaguer Pla]
    - Merge upstream/20.4.1 into master
    - [VMware] change default max wait time to 15s (#774) [xiaofengw-vmware]
    - Revert integration test associated with reverted #586 (#784)
    - Add jordimassaguerpla as contributor (#787) [Jordi Massaguer Pla]
    - Add Rick Harding to CLA signers (#792) [Rick Harding]
    - HACKING.rst: add clarifying note to LP CLA process section (#789)
    - Stop linting cloud_tests (#791)
    - cloud-tests: update cryptography requirement (#790) [Joshua Powers]
    - Remove 'remove-raise-on-failure' calls from integration_tests (#788)
    - Use more cloud defaults in integration tests (#757)
    - Adding self to cla signers (#776) [Andrew Bogott]
    - doc: avoid two warnings (#781) [Dan Kenigsberg]
    - Use proper spelling for Red Hat (#778) [Dan Kenigsberg]
    - Add antonyc to .github-cla-signers (#747) [Anton Chaporgin]
    - integration_tests: log image serial if available (#772)
    - Revert "ssh_util: handle non-default AuthorizedKeysFile config (#586)" (#775)
    - [VMware] Support cloudinit raw data feature (#691) [xiaofengw-vmware]
    - net: Fix static routes to host in eni renderer (#668) [Pavel Abalikhin]
    - .travis.yml: don't run cloud_tests in CI (#756)
    - test_upgrade: add some missing commas (#769)
    - cc_seed_random: update documentation and fix integration test (#771)
    - Fix test gh-632 test to only run on NoCloud (#770)
    - archlinux: fix package upgrade command handling (#768) [Bao Trinh]
    - integration_tests: add integration test for LP:1910835 (#761)
    - Fix regression with handling of IMDS ssh keys (#760) [Thomas Stringer]
    - integration_tests: log cloud-init version in SUT (#758)
    - Add ajmyyra as contributor (#742) [Antti Myyr]
    - net_convert: add some missing help text (#755)
    - Missing IPV6_AUTOCONF=no to render sysconfig dhcp6 stateful on RHEL (#753) [Eduardo Otubo]
    - doc: document missing IPv6 subnet types (#744) [Antti Myyr]
    - Add example configuration for datasource `AliYun` (#751) [Xiaoyu Zhong]
    - integration_tests: add SSH key selection settings (#754)
    - fix a typo in man page cloud-init.1 (#752) [Amy Chen]
    - network-config-format-v2.rst: add Netplan Passthrough section (#750)
    - stale: re-enable post holidays (#749)
    - integration_tests: port ca_certs tests from cloud_tests (#732)
    - Azure: Add telemetry for poll IMDS (#741) [Johnson Shi]
    - doc: move testing section from HACKING to its own doc (#739)
    - No longer allow integration test failures on travis (#738)
    - stale: fix error in definition (#740)
    - integration_tests: set log-cli-level to INFO by default (#737)
    - PULL_REQUEST_TEMPLATE.md: use backticks around commit message (#736)
    - stale: disable check for holiday break (#735)
    - integration_tests: log the path we collect logs into (#733)
    - .travis.yml: add (most) supported Python versions to CI (#734)
    - integration_tests: fix IN_PLACE CLOUD_INIT_SOURCE (#731)
    - cc_ca_certs: add RHEL support (#633) [cawamata]
    - Azure: only generate config for NICs with addresses (#709) [Thomas Stringer]
    - doc: fix CloudStack configuration example (#707) [Olivier Lemasle]
    - integration_tests: restrict test_lxd_bridge appropriately (#730)
    - Add integration tests for CLI functionality (#729)
    - Integration test for gh-626 (#728)
    - Some test_upgrade fixes (#726)
    - Ensure overriding test vars with env vars works for booleans (#727)
    - integration_tests: port lxd_bridge test from cloud_tests (#718)
    - Integration test for gh-632. (#725)
    - Integration test for gh-671 (#724)
    - integration-requirements.txt: bump pycloudlib commit (#723)
    - Drop unnecessary shebang from cmd/main.py (#722) [Eduardo Otubo]
    - Integration test for LP:1813396 and #669 (#719)
    - integration_tests: include timestamp in log output (#720)
    - integration_tests: add test for LP:1898997 (#713)
    - Add integration test for power_state_change module (#717)
    - Update documentation for network-config-format-v2 (#701) [ggiesen]
    - sandbox CA Cert tests to not require ca-certificates (#715) [Eduardo Otubo]
    - Add upgrade integration test (#693)
    - Integration test for 570 (#712)
    - Add ability to keep snapshotted images in integration tests (#711)
    - Integration test for pull #586 (#706)
    - integration_tests: introduce skipping of tests by OS (#702)
    - integration_tests: introduce IntegrationInstance.restart (#708)
    - Add lxd-vm to list of valid integration test platforms (#705)
    - Adding BOOTPROTO = dhcp to render sysconfig dhcp6 stateful on RHEL (#685) [Eduardo Otubo]
    - Delete image snapshots created for integration tests (#682)
    - Parametrize ssh_keys_provided integration test (#700) [lucasmoura]
    - Drop use_sudo attribute on IntegrationInstance (#694) [lucasmoura]
    - cc_apt_configure: add riscv64 as a ports arch (#687) [Dimitri John Ledkov]
    - cla: add xnox (#692) [Dimitri John Ledkov]
    - Collect logs from integration test runs (#675)

==== libseccomp: 2.4.3-1ubuntu3.18.04.3 => 2.5.1-1ubuntu1~18.04.1 ====
==== libseccomp2:amd64

  * Updated to new upstream 2.5.1 version for updated syscalls support (LP: #1891810)
    - Removed the following patches that are now included in the new version:
      + d/p/fix-aarch64-syscalls.patch
      + d/p/db-consolidate-some-of-the-code-which-adds-rules.patch
      + d/p/db-add-shadow-transactions.patch
    - Deleted the patch to add a local copy of architecture specific header files from linux-libc-dev/focal as this is not needed anymore
      + d/p/add-5.4-local-syscall-headers.patch
    - debian/control: Added gperf to Build-Depends as this is now required by upstream
    - debian/libseccomp2.symbols: Added new symbols
  * Add system call headers for powerpc required for backport to xenial
    - d/p/add-5.8-powerpc-syscall-headers.patch

==== linux-meta: 4.15.0.141.128 => 4.15.0.142.129 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

  * Bump ABI 4.15.0-142

==== linux-signed: 4.15.0-141.145 => 4.15.0-142.146 ====
==== linux-image-4.15.0-142-generic

  * Master version: 4.15.0-142.146

==== nettle: 3.4-1 => 3.4-1ubuntu0.1 ====
==== libhogweed4:amd64 libnettle6:amd64

  * SECURITY UPDATE: Out of Bound memory access in signature verification
    - debian/patches/CVE-2021-20305-1.patch: new functions ecc_mod_mul_canonical and ecc_mod_sqr_canonical in curve25519-eh-to-x.c, curve448-eh-to-x.c, ecc-eh-to-a.c, ecc-internal.h, ecc-j-to-a.c, ecc-mod-arith.c, ecc-mul-m.c.
    - debian/patches/CVE-2021-20305-2.patch: use ecc_mod_mul_canonical for point comparison in eddsa-verify.c.
    - debian/patches/CVE-2021-20305-3.patch: fix bug in ecc_ecdsa_verify in ecc-ecdsa-verify.c, testsuite/ecdsa-sign-test.c.
    - debian/patches/CVE-2021-20305-4.patch: ensure ecdsa_sign output is canonically reduced in ecc-ecdsa-sign.c.
    - debian/patches/CVE-2021-20305-6.patch: similar fix for eddsa in eddsa-hash.c.
    - debian/libhogweed4.symbols: added new symbols.
    - CVE-2021-20305

==== sosreport: 3.9.1-1ubuntu0.18.04.3 => 4.1-1ubuntu0.18.04.1 ====
==== sosreport

  * New 4.1 upstream minor release. (LP: #1917894)
    - https://github.com/sosreport/sos/releases/tag/4.1
  * d/tests/*:
    - Remove obsolete scripts
  * d/tests/simple.sh:
    - Update the script from upstream to match sos-4.1
    - Modify the script to use /tmp as a target, instead of sos default /var/tmp.
  * d/tests/control:
    - Adding isolation-machine as simple.sh wants to interact with the kernel.
  * New config file location now under /etc/sos/sos.conf
    - The old config (/etc/sos.conf) contents will not be removed nor carried over after update. Users will have to modify the new file instead (as needed).
  * Former patches, now fixed:
    - d/p/0001-lshw-command.patch
    - d/p/0002-lds-substitute-oidc-conf.patch
    - d/p/0003-kvm-change-trigger-to-dev-kvm.patch
    - d/p/0004-maas-add-snap-support.patch
    - d/p/0005-conntrack-add-conntrack-info.patch
    - d/p/0006-conntrack-gather-per-namespace-data.patch
    - d/p/0007-networking-include-ns-ip-neigh-and-ip-rule-info.patch
  * New patches:
    - d/p/0001-debian-change-tmp-dir-location.patch
    - d/p/0002-clean-prevent-parsing-ubuntu-user.patch
  * Fixing the following LP bugs:
    - (LP: #1910264)
    - (LP: #1906302)
    - (LP: #1913284)
    - (LP: #1913583)
    - (LP: #1913581)
    - (LP: #1915072)

==== systemd: 237-3ubuntu10.45 => 237-3ubuntu10.46 ====
==== libnss-systemd:amd64 libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd systemd-sysv udev

  * d/p/lp1916485-Newer-Glibc-use-faccessat2-to-implement-faccessat.patch:
    Add support for faccessat2 (LP: #1916485)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b5f11a9baecf0cefb503632e938d473234172128
  * d/p/lp1918696-shared-seccomp-util-address-family-filtering-is-brok.patch:
    Stop attempting to restrict address families on ppc archs (LP: #1918696)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=4569a047ece8b1b300ef63e49b5aea8aba35c500
  * d/p/lp1891810-seccomp-util-add-new-syscalls-from-kernel-5.6-to-sys.patch:
    Add openat2() syscall to seccomp filter list (LP: #1891810)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=2ddfbfa79af4f22b7adf946c4299433fd74a4f17

--
[1] http://cloud-images.ubuntu.com/releases/bionic/release-20210415/
[2] http://cloud-images.ubuntu.com/releases/bionic/release-20210412/