A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI IDs.

Users who wish to update their existing installations can do so with:

'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

 * bind9: 1:9.16.1-0ubuntu2.6 => 1:9.16.1-0ubuntu2.7
 * git: 1:2.25.1-1ubuntu3 => 1:2.25.1-1ubuntu3.1
 * glib2.0: 2.64.6-1~ubuntu20.04.1 => 2.64.6-1~ubuntu20.04.3
 * libzstd: 1.4.4+dfsg-3 => 1.4.4+dfsg-3ubuntu0.1
 * linux-meta: 5.4.0.66.69 => 5.4.0.67.70
 * linux-signed: 5.4.0-66.74 => 5.4.0-67.75
 * openssh: 1:8.2p1-4ubuntu0.1 => 1:8.2p1-4ubuntu0.2
 * python3.8: 3.8.5-1~20.04 => 3.8.5-1~20.04.2
 * screen: 4.8.0-1 => 4.8.0-1ubuntu0.1
 * twisted: 18.9.0-11 => 18.9.0-11ubuntu0.20.04.1
 * update-manager: 1:20.04.10.5 => 1:20.04.10.6

The following is a complete changelog for this image.
new: {'linux-modules-5.4.0-67-generic': '5.4.0-67.75', 'linux-headers-5.4.0-67': '5.4.0-67.75', 'linux-headers-5.4.0-67-generic': '5.4.0-67.75'}
removed: {'linux-headers-5.4.0-66-generic': '5.4.0-66.74', 'linux-modules-5.4.0-66-generic': '5.4.0-66.74', 'linux-headers-5.4.0-66': '5.4.0-66.74'}
changed: ['bind9-dnsutils', 'bind9-host', 'bind9-libs:amd64', 'git', 'git-man', 'libglib2.0-0:amd64', 'libglib2.0-bin', 'libglib2.0-data', 'libpython3.8-minimal:amd64', 'libpython3.8-stdlib:amd64', 'libpython3.8:amd64', 'libzstd1:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.4.0-67-generic', 'linux-image-virtual', 'linux-virtual', 'openssh-client', 'openssh-server', 'openssh-sftp-server', 'python3-twisted', 'python3-twisted-bin:amd64', 'python3-update-manager', 'python3.8', 'python3.8-minimal', 'screen', 'update-manager-core']
new snaps: {}
removed snaps: {}
changed snaps: ['snapd']

==== bind9: 1:9.16.1-0ubuntu2.6 => 1:9.16.1-0ubuntu2.7 ====
==== bind9-dnsutils bind9-host bind9-libs:amd64

  * Fix a race between deactivating socket handle and processing async callbacks, which can lead to sockets not being closed properly, exhausting TCP connection limits. (LP: #1909950)
    - d/p/lp-1909950-fix-race-between-deactivating-handle-async-callback.patch

==== git: 1:2.25.1-1ubuntu3 => 1:2.25.1-1ubuntu3.1 ====
==== git git-man

  * SECURITY UPDATE: remote code exec during clone on case-insensitive FS
    - debian/patches/CVE-2021-21300.patch: fix bug that makes checkout follow symlinks in leading path in cache.h, compat/mingw.c, git-compat-util.h, run-command.c, symlinks.c, t/t0021-conversion.sh, t/t0021/rot13-filter.pl, t/t2006-checkout-index-basic.sh, unpack-trees.c.
    - CVE-2021-21300

==== glib2.0: 2.64.6-1~ubuntu20.04.1 => 2.64.6-1~ubuntu20.04.3 ====
==== libglib2.0-0:amd64 libglib2.0-bin libglib2.0-data

  * SECURITY UPDATE: incorrect g_file_replace() symlink handling
    - debian/patches/CVE-2021-28153-1.patch: fix a typo in a comment in gio/glocalfileoutputstream.c.
    - debian/patches/CVE-2021-28153-2.patch: stop using g_test_bug_base() in file tests in gio/tests/file.c.
    - debian/patches/CVE-2021-28153-3.patch: factor out a flag check in gio/glocalfileoutputstream.c.
    - debian/patches/CVE-2021-28153-4.patch: fix CREATE_REPLACE_DESTINATION with symlinks in gio/glocalfileoutputstream.c, gio/tests/file.c.
    - debian/patches/CVE-2021-28153-5.patch: add a missing O_CLOEXEC flag to replace() in gio/glocalfileoutputstream.c.
    - CVE-2021-28153
  * SECURITY UPDATE: g_byte_array_new_take length truncation
    - debian/patches/CVE-2021-2721x/CVE-2021-27218.patch: do not accept too large byte arrays in glib/garray.c, glib/gbytes.c, glib/tests/bytes.c.
    - CVE-2021-27218
  * SECURITY UPDATE: integer overflow in g_bytes_new
    - debian/patches/CVE-2021-2721x/CVE-2021-27219*.patch: add internal g_memdup2() function and use it instead of g_memdup() in a bunch of places.
    - CVE-2021-27219

==== libzstd: 1.4.4+dfsg-3 => 1.4.4+dfsg-3ubuntu0.1 ====
==== libzstd1:amd64

  * SECURITY UPDATE: race condition allows attacker to access world-readable destination file
    - debian/patches/0018-fix-file-permissions-on-compression.patch: set umask in programs/fileio.c, programs/util.c, programs/util.h.
    - CVE-2021-24031
    - CVE-2021-24032

==== linux-meta: 5.4.0.66.69 => 5.4.0.67.70 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

  * Bump ABI 5.4.0-67

==== linux-signed: 5.4.0-66.74 => 5.4.0-67.75 ====
==== linux-image-5.4.0-67-generic

  * Master version: 5.4.0-67.75

==== openssh: 1:8.2p1-4ubuntu0.1 => 1:8.2p1-4ubuntu0.2 ====
==== openssh-client openssh-server openssh-sftp-server

  * SECURITY UPDATE: double-free memory corruption in ssh-agent
    - debian/patches/CVE-2021-28041.patch: set ext_name to NULL after freeing it so it doesn't get freed again later on in ssh-agent.c.
    - CVE-2021-28041

==== python3.8: 3.8.5-1~20.04 => 3.8.5-1~20.04.2 ====
==== libpython3.8-minimal:amd64 libpython3.8-stdlib:amd64 libpython3.8:amd64 python3.8 python3.8-minimal

  * SECURITY UPDATE: Code execution from content received via HTTP
    - debian/patches/CVE-2020-27619-3.8.patch: no longer call eval() on content received via HTTP in Lib/test/multibytecodec_support.py.
    - CVE-2020-27619
  * SECURITY UPDATE: Buffer overflow
    - debian/patches/CVE-2021-3177-3.8.patch: replace snprintf with Python unicode formatting in ctypes param reprs in Lib/ctypes/test/test_parameters.py, Modules/_ctypes/callproc.c.
    - CVE-2021-3177
  * Skipping test_idle in riscv64 arch
    - debian/rules: adding test_idle to TEST_EXCLUDES in riscv64 arch due it hangs in build time.

==== screen: 4.8.0-1 => 4.8.0-1ubuntu0.1 ====
==== screen

  * SECURITY UPDATE: DoS via crafted UTF-8 character sequence
    - debian/patches/99_CVE-2021-26937.patch: fix out of bounds array access in encoding.c.
    - CVE-2021-26937

==== twisted: 18.9.0-11 => 18.9.0-11ubuntu0.20.04.1 ====
==== python3-twisted python3-twisted-bin:amd64

  * Fix NoneType encode error when multipart body does not include content-disposition headers (LP: #1915819)
    - d/p/lp1915819-Fix-nonetype-encode-error.patch

==== update-manager: 1:20.04.10.5 => 1:20.04.10.6 ====
==== python3-update-manager update-manager-core

  * UpdateManager/Core/UpdateList.py: change to a regex from a static list of packages to be grouped under Ubuntu Base (LP: #1902025)
  * Clean up apt cache binary files left behind by tests
  * Rename meta_pkgs to ubuntu_base_pkgs to make it more clear to the reader which packages should be included
  * Add tests in to ensure Ubuntu base packages are not grouped when staged for removal (LP: #1912718)

--
[1] http://cloud-images.ubuntu.com/releases/focal/release-20210315/
[2] http://cloud-images.ubuntu.com/releases/focal/release-20210223/