A new release of the Ubuntu Cloud Images for stable Ubuntu release 18.04 LTS (Bionic Beaver) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI IDs. Users who wish to update their existing installations can do so with:

  'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

 * ca-certificates: 20210119~18.04.2 => 20211016~18.04.1
 * cloud-init: 22.1-14-g2e17a0d6-0ubuntu1~18.04.3 => 22.2-0ubuntu1~18.04.1
 * dpkg: 1.19.0.5ubuntu2.3 => 1.19.0.5ubuntu2.4
 * e2fsprogs: 1.44.1-1ubuntu1.3 => 1.44.1-1ubuntu1.4
 * glibc: 2.27-3ubuntu1.5 => 2.27-3ubuntu1.6
 * gnupg2: 2.2.4-1ubuntu1.4 => 2.2.4-1ubuntu1.5
 * klibc: 2.0.4-9ubuntu2.1 => 2.0.4-9ubuntu2.2
 * linux-meta: 4.15.0.180.169 => 4.15.0.184.172
 * linux-signed: 4.15.0-180.189 => 4.15.0-184.194
 * ntfs-3g: 1:2017.3.23-2ubuntu0.18.04.3 => 1:2017.3.23-2ubuntu0.18.04.4

The following is a complete changelog for this image.
new: {'linux-headers-4.15.0-184-generic': '4.15.0-184.194', 'linux-modules-4.15.0-184-generic': '4.15.0-184.194', 'linux-headers-4.15.0-184': '4.15.0-184.194'}
removed: {'linux-headers-4.15.0-180': '4.15.0-180.189', 'linux-headers-4.15.0-180-generic': '4.15.0-180.189', 'linux-modules-4.15.0-180-generic': '4.15.0-180.189'}
changed: ['ca-certificates', 'cloud-init', 'dirmngr', 'dpkg', 'e2fsprogs', 'gnupg', 'gnupg-l10n', 'gnupg-utils', 'gpg', 'gpg-agent', 'gpg-wks-client', 'gpg-wks-server', 'gpgconf', 'gpgsm', 'gpgv', 'klibc-utils', 'libc-bin', 'libc6:amd64', 'libcom-err2:amd64', 'libext2fs2:amd64', 'libklibc', 'libntfs-3g88', 'libss2:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-4.15.0-184-generic', 'linux-image-virtual', 'linux-virtual', 'locales', 'multiarch-support', 'ntfs-3g']
new snaps: {}
removed snaps: {}
changed snaps: []

==== ca-certificates: 20210119~18.04.2 => 20211016~18.04.1 ====
==== ca-certificates

  * Update ca-certificates database to 20211016 (LP: #1976631):
    - mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.50.
    - backport certain changes from the Ubuntu 22.04 LTS 20211016 package.

==== cloud-init: 22.1-14-g2e17a0d6-0ubuntu1~18.04.3 => 22.2-0ubuntu1~18.04.1 ====
==== cloud-init

  * d/control:
    - Build-Depends: add python3-responses and python3-pytest-mock for unittests
    - Suggests: add openssh-server and ssh-import-id
  * refresh patches:
    + debian/patches/ec2-dont-apply-full-imds-network-config.patch
    + debian/patches/renderer-do-not-prefer-netplan.patch
  * New upstream release. (LP: #1974235)
    - Release 22.2 (#1462)
    - Fix test due to caplog incompatibility (#1461) [Alberto Contreras]
    - Align rhel custom files with upstream (#1431) [Emanuele Giuseppe Esposito]
    - cc_write_files: Improve schema. (#1460) [Alberto Contreras]
    - cli: Redact files with permission errors in commands (#1440) [Alberto Contreras]
    - Improve cc_set_passwords. (#1456) [Alberto Contreras]
    - testing: make fake cloud-init wait actually wait (#1459)
    - Scaleway: Fix network configuration for netplan 0.102 and later (#1455) [Maxime Corbin]
    - Fix 'ephmeral' typos in disk names(#1452) [Mike Hucka]
    - schema: version schema-cloud-config-v1.json (#1424)
    - cc_modules: set default meta frequency value when no config available (#1457)
    - Log generic warning on non-systemd systems. (#1450) [Alberto Contreras]
    - cc_snap.maybe_install_squashfuse no longer needed in Bionic++. (#1448) [Alberto Contreras]
    - Drop support of *-sk keys in cc_ssh (#1451) [Alberto Contreras]
    - testing: Fix console_log tests (#1437)
    - tests: cc_set_passoword update for systemd, non-systemd distros (#1449)
    - Fix bug in url_helper/dual_stack() logging (#1426)
    - schema: render schema paths from _CustomSafeLoaderWithMarks (#1391)
    - testing: Make integration tests kinetic friendly (#1441)
    - Handle error if SSH service no present. (#1422) [Alberto Contreras]
    - Fix network-manager activator availability and order (#1438)
    - sources/azure: remove reprovisioning marker (#1414) [Chris Patterson]
    - upstart: drop vestigial support for upstart (#1421)
    - testing: Ensure NoCloud detected in test (#1439)
    - Update .github-cla-signers kallioli [Kevin Allioli]
    - Consistently strip top-level network key (#1417)
    - testing: Fix LXD VM metadata test (#1430)
    - testing: Add NoCloud setup for NoCloud test (#1425)
    - Update linters and adapt code for compatibility (#1434) [Paride Legovini]
    - run-container: add support for LXD VMs (#1428) [Paride Legovini]
    - integration-reqs: bump pycloudlib pinned commit (#1427) [Paride Legovini]
    - Fix NoCloud docs (#1423)
    - Docs fixes (#1406)
    - docs: Add docs for module creation (#1415)
    - Remove cheetah from templater (#1416)
    - tests: verify_ordered_items fallback to re.escape if needed (#1420)
    - Misc module cleanup (#1418)
    - docs: Fix doc warnings and enable errors (#1419) [Alberto Contreras]
    - Refactor cloudinit.sources.NetworkConfigSource to enum (#1413) [Alberto Contreras]
    - Don't fail if IB and Ethernet devices 'collide' (#1411)
    - Use cc_* module meta definition over hardcoded vars (SC-888) (#1385)
    - Fix cc_rsyslog.py initialization (#1404) [Alberto Contreras]
    - Promote cloud-init schema from devel to top level subcommand (#1402)
    - mypy: disable missing imports warning for httpretty (#1412) [Chris Patterson]
    - users: error when home should not be created AND ssh keys provided [Jeffrey 'jf' Lim]
    - Allow growpart to resize encrypted partitions (#1316)
    - Fix typo in integration_test.rst (#1405) [Alberto Contreras]
    - cloudinit.net refactor: apply_network_config_names (#1388) [Alberto Contreras]
    - tests/azure: add fixtures for hardcoded paths (markers and data_dir) (#1399) [Chris Patterson]
    - testing: Add responses workaround for focal/impish (#1403)
    - cc_ssh_import_id: fix is_key_in_nested_dict to avoid early False
    - Fix ds-identify not detecting NoCloud seed in config (#1381)
    - sources/azure: retry dhcp for failed processes (#1401) [Chris Patterson]
    - Move notes about refactorization out of CONTRIBUTING.rst (#1389)
    - Shave ~8ms off generator runtime (#1387)
    - Fix provisioning dhcp timeout to 20 minutes (#1394) [Chris Patterson]
    - schema: module example strict testing fix seed_random
    - cc_set_hostname: examples small typo (perserve vs preserve) [Wouter Schoot]
    - sources/azure: refactor http_with_retries to remove **kwargs (#1392) [Chris Patterson]
    - declare dependency on ssh-import-id (#1334)
    - drop references to old dependencies and old centos script
    - sources/azure: only wait for primary nic to be attached during restore (#1378) [Anh Vo]
    - cc_ntp: migrated legacy schema to cloud-init-schema.json (#1384)
    - Network functions refactor and bugfixes (#1383)
    - schema: add JSON defs for modules cc_users_groups (#1379)
    - Fix doc typo (#1382) [Alberto Contreras]
    - Add support for dual stack IPv6/IPv4 IMDS to Ec2 (#1160)
    - Fix KeyError when rendering sysconfig IPv6 routes (#1380)
    - Return a namedtuple from subp() (#1376)
    - Mypy stubs and other tox maintenance (SC-920) (#1374)
    - Distro Compatibility Fixes (#1375)
    - Pull in Gentoo patches (#1372)
    - schema: add json defs for modules U-Z (#1360)
    - util: atomically update sym links to avoid Suppress FileNotFoundError when reading status (#1298) [Adam Collard]
    - schema: add json defs for modules scripts-timezone (SC-801) (#1365)
    - docs: Add first tutorial (SC-900) (#1368)
    - BUG 1473527: module ssh-authkey-fingerprints fails Input/output error (#1340) [Andrew Lee]
    - add arch hosts template (#1371)
    - ds-identify: detect LXD for VMs launched from host with > 5.10 kernel (#1370)
    - Support EC2 tags in instance metadata (#1309) [Eduardo Dobay]
    - schema: add json defs for modules e-install (SC-651) (#1366)
    - Improve "(no_create_home|system): true" test (#1367) [Jeffrey 'jf' Lim]
    - Expose https_proxy env variable to ssh-import-id cmd (#1333) [Michael Rommel]
    - sources/azure: remove bind/unbind logic for hot attached nic (#1332) [Chris Patterson]
    - tox: add types-* packages to check_format env (#1362)
    - tests: python 3.10 is showing up in cloudimages (#1364)
    - testing: add additional mocks to test_net tests (#1356) [yangzz-97]
    - schema: add JSON schema for mcollective, migrator and mounts modules (#1358)
    - Honor system locale for RHEL (#1355) [Wei Shi]
    - doc: Fix typo in cloud-config-run-cmds.txt example (#1359) [Ali Shirvani]
    - ds-identify: also discover LXD by presence from DMI board_name = LXD (#1311)
    - black: bump pinned version to 22.3.0 to avoid click dependency issues (#1357)
    - Various doc fixes (#1330)
    - testing: Add missing is_FreeBSD mock to networking test (#1353)
    - Add --no-update to add-apt-repostory call (SC-880) (#1337)
    - schema: add json defs for modules K-L (#1321)
    - docs: Re-order readthedocs install (#1354)
    - Stop cc_ssh_authkey_fingerprints from ALWAYS creating home (#1343) [Jeffrey 'jf' Lim]
    - docs: add jinja2 pin (#1352)
    - Vultr: Use find_candidate_nics, use ipv6 dns (#1344) [eb3095]
    - sources/azure: move get_ip_from_lease_value out of shim (#1324) [Chris Patterson]
    - Fix cloud-init status --wait when no datasource found (#1349)
    - schema: add JSON defs for modules resize-salt (SC-654) (#1341)
    - Add myself as a future contributor (#1345) [Neal Gompa ()]
    - Update .github-cla-signers (#1342) [Jeffrey 'jf' Lim]
    - add Requires=cloud-init-hotplugd.socket in cloud-init-hotplugd.service file (#1335) [yangzz-97]
    - Fix sysconfig render when set-name is missing (#1327) [Andrew Kutz]
    - Refactoring helper funcs out of NetworkState (#1336) [Andrew Kutz]
    - url_helper: add tuple support for readurl timeout (#1328) [Chris Patterson]
    - Make fs labels match for ds-identify and docs (#1329)
    - Work around bug in LXD VM detection (#1325)
    - Remove redundant generator logs (#1318)
    - tox: set verbose flags for integration tests (#1323) [Chris Patterson]
    - net: introduce find_candidate_nics() (#1313) [Chris Patterson]
    - Revert "Ensure system_cfg read before ds net config on Oracle (#1174)" (#1326)
    - Add vendor_data2 support for ConfigDrive source (#1307) [cvstealth]
    - Make VMWare data source test host independent and expand testing (#1308) [Robert Schweikert]
    - Add json schemas for modules starting with P
    - sources/azure: remove lease file parsing (#1302) [Chris Patterson]
    - remove flaky test from ci (#1322)
    - ci: Switch to python 3.10 in Travis CI (#1320)
    - Better interface handling for Vultr, expect unexpected DHCP servers (#1297) [eb3095]
    - Remove unused init local artifact (#1315)
    - Doc cleanups (#1317)
    - docs improvements (#1312)
    - add support for jinja do statements, add unit test (#1314) [Paul Bruno]
    - sources/azure: prevent tight loops for DHCP retries (#1285) [Chris Patterson]
    - net/dhcp: surface type of DHCP lease failure to caller (#1276) [Chris Patterson]
    - Stop hardcoding systemctl location (#1278) [Robert Schweikert]
    - Remove python2 syntax from docs (#1310)
    - [tools/migrate-lp-user-to-github] Rename master branch to main (#1301) [Adam Collard]
    - redhat: Depend on "hostname" package (#1288) [Lubomir Rintel]
    - Add native NetworkManager support (#1224) [Lubomir Rintel]
    - Fix link in CLA check to point to contribution guide. (#1299) [Adam Collard]

==== dpkg: 1.19.0.5ubuntu2.3 => 1.19.0.5ubuntu2.4 ====
==== dpkg

  * SECURITY UPDATE: Directory traversal issue in dpkg-source
    - scripts/Dpkg/Source/Archive.pm, scripts/t/Dpkg_Source_Archive.t: Prevent directory traversal for in-place extracts.
    - CVE-2022-1664

==== e2fsprogs: 1.44.1-1ubuntu1.3 => 1.44.1-1ubuntu1.4 ====
==== e2fsprogs libcom-err2:amd64 libext2fs2:amd64 libss2:amd64

  * SECURITY UPDATE: Out-of-bounds read/write vulnerability
    Issue leads to segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.
    - debian/patches/CVE-2022-1304.patch: checks that all leaf nodes of file system contain at least one extent.
    - CVE-2022-1304

==== glibc: 2.27-3ubuntu1.5 => 2.27-3ubuntu1.6 ====
==== libc-bin libc6:amd64 locales multiarch-support

  [ Gunnar Hjalmarsson ]
  * d/local/usr_sbin/update-locale: improve sanity checks. (LP: #1892825)

  [ Aurelien Jarno ]
  * debian/debhelper.in/libc.preinst: drop the check for kernel release > 255 now that glibc and preinstall script are fixed. (LP: #1962225)

==== gnupg2: 2.2.4-1ubuntu1.4 => 2.2.4-1ubuntu1.5 ====
==== dirmngr gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm gpgv

  * SECURITY UPDATE: Certificate Spamming Attack through SKS (LP: #1844059)
    - debian/patches/CVE-2019-13050-1.patch: add option to only accept self-signatures when importing a key in g10/import.c, g10/options.h and doc/gpg.texi.
    - debian/patches/CVE-2019-13050-2.patch: add fallback when importing self-signatures only in g10/import.c.
    - debian/patches/CVE-2019-13050-3.patch: add "self-sigs-only" and "import-clean" to the keyserver options in g10/gpg.c and doc/gpg.texi.
    - debian/patches/CVE-2019-13050-4.patch: fix regression by ensuring KEYID is available on a pending package in g10/import.c.
    - debian/patches/CVE-2019-13050-5.patch: prevent fallback from being used if the options are already used in g10/import.c.
    - CVE-2019-13050

==== klibc: 2.0.4-9ubuntu2.1 => 2.0.4-9ubuntu2.2 ====
==== klibc-utils libklibc

  [ Khaled Elmously ]
  * d/p/lp1947099-honour-user-requested-timeouts-in-all-cases.patch: Honour user-specified timeouts even in error cases. (LP: #1947099)

  [ Mauricio Faria de Oliveira ]
  * d/p/lp1947099-fix-for-no-timeout-specified.patch: Check for an user-specified timeout before checking/adjusting timeout values.

==== linux-meta: 4.15.0.180.169 => 4.15.0.184.172 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

  * Bump ABI 4.15.0-184
  * Bump ABI 4.15.0-182
  * Bump ABI 4.15.0-181

==== linux-signed: 4.15.0-180.189 => 4.15.0-184.194 ====
==== linux-image-4.15.0-184-generic

  * Master version: 4.15.0-184.194
  * Master version: 4.15.0-182.191
  * Master version: 4.15.0-181.190

==== ntfs-3g: 1:2017.3.23-2ubuntu0.18.04.3 => 1:2017.3.23-2ubuntu0.18.04.4 ====
==== libntfs-3g88 ntfs-3g

  * SECURITY UPDATE: heap buffer overflow in ntfsck
    - debian/patches/CVE-2021-46790.patch: properly handle error in ntfsprogs/ntfsck.c.
    - CVE-2021-46790
  * SECURITY UPDATE: traffic interception via incorrect return code
    - debian/patches/CVE-2022-30783.patch: return proper error code in libfuse-lite/mount.c, src/ntfs-3g_common.c, src/ntfs-3g_common.h.
    - CVE-2022-30783
  * SECURITY UPDATE: heap exhaustion via invalid NTFS image
    - debian/patches/CVE-2022-30784.patch: Avoid allocating and reading an attribute beyond its full size in libntfs-3g/attrib.c.
    - CVE-2022-30784
  * SECURITY UPDATE: arbitrary memory access via fuse
    - debian/patches/CVE-2022-30785_30787.patch: check directory offset in libfuse-lite/fuse.c.
    - CVE-2022-30785
    - CVE-2022-30787
  * SECURITY UPDATE: heap overflow via ntfs attribute names
    - debian/patches/CVE-2022-30786-1.patch: make sure there is no null character in an attribute name in libntfs-3g/attrib.c.
    - debian/patches/CVE-2022-30786-2.patch: make sure there is no null character in an attribute name in libntfs-3g/attrib.c.
    - CVE-2022-30786
  * SECURITY UPDATE: heap buffer overflow via crafted NTFS image
    - debian/patches/CVE-2022-30788-1.patch: use a default usn when the former one cannot be retrieved in libntfs-3g/mft.c.
    - debian/patches/CVE-2022-30788-2.patch: fix operation on little endian data in libntfs-3g/mft.c.
    - CVE-2022-30788
  * SECURITY UPDATE: heap buffer overflow via crafted NTFS image
    - debian/patches/CVE-2022-30789.patch: make sure the client log data does not overflow from restart page in libntfs-3g/logfile.c.
    - CVE-2022-30789

--
[1] http://cloud-images.ubuntu.com/releases/bionic/release-20220610/
[2] http://cloud-images.ubuntu.com/releases/bionic/release-20220523/