A new release of the Ubuntu Cloud Images for stable Ubuntu release 18.04 LTS (Bionic Beaver) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI ids. Users who wish to update their existing installations can do so with:

   'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

 * cron: 3.0pl1-128.1ubuntu1 => 3.0pl1-128.1ubuntu1.1
 * curl: 7.58.0-2ubuntu3.16 => 7.58.0-2ubuntu3.17
 * distro-info-data: 0.37ubuntu0.13 => 0.37ubuntu0.14
 * git: 1:2.17.1-1ubuntu0.10 => 1:2.17.1-1ubuntu0.11
 * libsepol: 2.7-1 => 2.7-1ubuntu0.1
 * networkd-dispatcher: 1.7-0ubuntu3.3 => 1.7-0ubuntu3.5
 * openssl1.0: 1.0.2n-1ubuntu5.8 => 1.0.2n-1ubuntu5.9
 * openssl: 1.1.1-1ubuntu2.1~18.04.15 => 1.1.1-1ubuntu2.1~18.04.17
 * sqlite3: 3.22.0-1ubuntu0.4 => 3.22.0-1ubuntu0.5

The following is a complete changelog for this image.

new: {}
removed: {}
changed: ['cron', 'curl', 'distro-info-data', 'git', 'git-man', 'libcurl3-gnutls:amd64', 'libcurl4:amd64', 'libsepol1:amd64', 'libsqlite3-0:amd64', 'libssl1.0.0:amd64', 'libssl1.1:amd64', 'networkd-dispatcher', 'openssl']
new snaps: {}
removed snaps: {}
changed snaps: []

==== cron: 3.0pl1-128.1ubuntu1 => 3.0pl1-128.1ubuntu1.1 ====
==== cron

  * SECURITY UPDATE: privilege escalation in postinst script
    - Add sanity checks over the entries in spool directory and set up owner and group accordingly in debian/postinst
    - CVE-2017-9525
  * SECURITY UPDATE: denial of service via large file
    - Add sanity check in case of running out of memory when parsing the file in entry.c
    - CVE-2019-9704
  * SECURITY UPDATE: denial of service via large file
    - Add sanity check to ensure that no more than 1000 lines of length are allowed in crontabs in cron.h, crontab.c and user.c.
    - CVE-2019-9705
  * SECURITY UPDATE: denial of service by use-after-free
    - Add return values when there is no memory available in database.c
    - CVE-2019-9706

==== curl: 7.58.0-2ubuntu3.16 => 7.58.0-2ubuntu3.17 ====
==== curl libcurl3-gnutls:amd64 libcurl4:amd64

  * SECURITY UPDATE: OAUTH2 bypass
    - debian/patches/CVE-2022-22576.patch: check sasl additional parameters for conn reuse in lib/strcase.c, lib/strcase.h, lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
    - CVE-2022-22576
  * SECURITY UPDATE: Credential leak on redirect
    - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port in the info struct to make it available after the connection ended in lib/connect.c, lib/urldata.h.
    - debian/patches/CVE-2022-27774-2.patch: redirects to other protocols or ports clear auth in lib/transfer.c.
    - debian/patches/CVE-2022-27774-3*.patch: adds tests to verify these fixes in tests/data/Makefile.inc, tests/data/test973, tests/data/test974, tests/data/test975, tests/data/test976.
    - CVE-2022-27774
  * SECURITY UPDATE: Bad local IPV6 connection reuse
    - debian/patches/CVE-2022-27775.patch: include the zone id in the 'bundle' hashkey in lib/conncache.c.
    - CVE-2022-27775
  * SECURITY UPDATE: Auth/cookie leak on redirect
    - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects same host diff port in lib/http.c, lib/urldata.h.
    - CVE-2022-27776

==== distro-info-data: 0.37ubuntu0.13 => 0.37ubuntu0.14 ====
==== distro-info-data

  * Add Ubuntu 22.10, Kinetic Kudu (LP: #1970227)

==== git: 1:2.17.1-1ubuntu0.10 => 1:2.17.1-1ubuntu0.11 ====
==== git git-man

  * SECURITY REGRESSION: Previous update was incomplete causing regressions and not correctly fixing the issue.
    - debian/patches/CVE-2022-24765-5.patch: fix safe.directory key not being checked in setup.c.
    - debian/patches/CVE-2022-24765-6.patch: opt-out of check with safe.directory=* in setup.c.
      (LP: #1970260)

==== libsepol: 2.7-1 => 2.7-1ubuntu0.1 ====
==== libsepol1:amd64

  * SECURITY UPDATE: use-after-free in __cil_verify_classperms
    - debian/patches/CVE-2021-36084.patch: alter destruction of classperms list when resetting classpermission by avoiding deleting the inner data in cil/src/cil_reset_ast.c
    - CVE-2021-36084
  * SECURITY UPDATE: use-after-free in __cil_verify_classperms
    - debian/patches/CVE-2021-36085.patch: alter destruction of classperms when resetting a perm by avoiding deleting the inner data in cil/src/cil_reset_ast.c
    - CVE-2021-36085
  * SECURITY UPDATE: use-after-free in cil_reset_classpermission
    - debian/patches/CVE-2021-36086.patch: prevent cil_reset_classperms_set from resetting classpermission by setting it to NULL in cil/src/cil_reset_ast.c
    - CVE-2021-36086
  * SECURITY UPDATE: heap-based buffer over-read in ebitmap_match_any
    - debian/patches/CVE-2021-36087.patch: check if a tunable declaration, in-statement, block, blockabstract, or macro definition is found within an optional in cil/src/cil_build_ast.c and cil/src/cil_resolve_ast.c
    - CVE-2021-36087

==== networkd-dispatcher: 1.7-0ubuntu3.3 => 1.7-0ubuntu3.5 ====
==== networkd-dispatcher

  * SECURITY REGRESSION: Incomplete security fix (LP: #1971550)
    - debian/patches/CVE-2022-29799-regression.patch: Add initialized state in ADMIN_STATES in networkd-dispatcher.
  * SECURITY UPDATE: Directory traversal
    - debian/patches/CVE-2022-29799.patch: Add allowed admin and operational states in networkd-dispatcher and throw exceptions in handle_state function if the current state is not one of those.
    - CVE-2022-29799
  * SECURITY UPDATE: Time-of-check-time-of-use race condition
    - debian/patches/CVE-2022-29800-1.patch: Add check_perms function that will be invoked in scripts_in_path function before appending a file path to the script_list in networkd-dispatcher.
    - debian/patches/CVE-2022-29800-2.patch: Passes os.path.dirname(path) when checking for permissions in scripts_in_path function in networkd-dispatcher.
    - CVE-2022-29800

==== openssl: 1.1.1-1ubuntu2.1~18.04.15 => 1.1.1-1ubuntu2.1~18.04.17 ====
==== libssl1.1:amd64 openssl

  * SECURITY UPDATE: c_rehash script allows command injection
    - debian/patches/CVE-2022-1292.patch: do not use shell to invoke openssl in tools/c_rehash.in.
    - CVE-2022-1292
  * NOTE: This package does _not_ contain the changes from 1.1.1-1ubuntu2.1~18.04.16 in bionic-proposed.

==== openssl1.0: 1.0.2n-1ubuntu5.8 => 1.0.2n-1ubuntu5.9 ====
==== libssl1.0.0:amd64

  * SECURITY UPDATE: c_rehash script allows command injection
    - debian/patches/CVE-2022-1292.patch: do not use shell to invoke openssl in tools/c_rehash.in.
    - CVE-2022-1292

==== sqlite3: 3.22.0-1ubuntu0.4 => 3.22.0-1ubuntu0.5 ====
==== libsqlite3-0:amd64

  * SECURITY UPDATE: segmentation fault in idxGetTableInfo
    - debian/patches/CVE-2021-36690.patch: perform validation over the column to ensure it has collating sequence in ext/expert/sqlite3expert.c
    - CVE-2021-36690

--
[1] http://cloud-images.ubuntu.com/releases/bionic/release-20220505/
[2] http://cloud-images.ubuntu.com/releases/bionic/release-20220424/