A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI IDs. Users who wish to update their existing installations can do so with:

   'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

 * apport: 2.20.11-0ubuntu27.18 => 2.20.11-0ubuntu27.20
 * cpio: 2.13+dfsg-2 => 2.13+dfsg-2ubuntu0.3
 * curl: 7.68.0-1ubuntu2.6 => 7.68.0-1ubuntu2.7
 * git: 1:2.25.1-1ubuntu3.1 => 1:2.25.1-1ubuntu3.2
 * libgcrypt20: 1.8.5-5ubuntu1 => 1.8.5-5ubuntu1.1
 * linux-meta: 5.4.0.84.88 => 5.4.0.86.90
 * linux-signed: 5.4.0-84.94 => 5.4.0-86.97
 * procps: 2:3.3.16-1ubuntu2.2 => 2:3.3.16-1ubuntu2.3
 * squashfs-tools: 1:4.4-1ubuntu0.1 => 1:4.4-1ubuntu0.2
 * systemd: 245.4-4ubuntu3.11 => 245.4-4ubuntu3.13
 * udisks2: 2.8.4-1ubuntu1 => 2.8.4-1ubuntu2

The following is a complete changelog for this image.
new: {'linux-headers-5.4.0-86-generic': '5.4.0-86.97', 'linux-headers-5.4.0-86': '5.4.0-86.97', 'linux-modules-5.4.0-86-generic': '5.4.0-86.97'}
removed: {'linux-headers-5.4.0-84-generic': '5.4.0-84.94', 'linux-headers-5.4.0-84': '5.4.0-84.94', 'linux-modules-5.4.0-84-generic': '5.4.0-84.94'}
changed: ['apport', 'cpio', 'curl', 'git', 'git-man', 'libcurl3-gnutls:amd64', 'libcurl4:amd64', 'libgcrypt20:amd64', 'libnss-systemd:amd64', 'libpam-systemd:amd64', 'libprocps8:amd64', 'libsystemd0:amd64', 'libudev1:amd64', 'libudisks2-0:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.4.0-86-generic', 'linux-image-virtual', 'linux-virtual', 'procps', 'python3-apport', 'python3-problem-report', 'squashfs-tools', 'systemd', 'systemd-sysv', 'systemd-timesyncd', 'udev', 'udisks2']
new snaps: {'core20': ['stable', '1081']}
removed snaps: {'core18': ['stable', '2128']}
changed snaps: ['lxd']

==== apport: 2.20.11-0ubuntu27.18 => 2.20.11-0ubuntu27.20 ====
====     apport python3-apport python3-problem-report

  * SECURITY UPDATE: Arbitrary file read (LP: #1934308)
    - data/general-hooks/ubuntu.py: don't attempt to include emacs byte-compilation logs, they haven't been generated by the emacs packages in a long time.
    - CVE-2021-3709
  * SECURITY UPDATE: Info disclosure via path traversal (LP: #1933832)
    - apport/hookutils.py, test/test_hookutils.py: detect path traversal attacks, and directory symlinks.
    - CVE-2021-3710

==== cpio: 2.13+dfsg-2 => 2.13+dfsg-2ubuntu0.3 ====
====     cpio

  * SECURITY UPDATE: arbitrary code execution via crafted pattern file
    - debian/patches/CVE-2021-38185.patch: rewrite dynamic string support in src/copyin.c, src/copyout.c, src/copypass.c, src/dstring.c, src/dstring.h, src/util.c.
    - debian/patches/CVE-2021-38185.2.patch: don't call ds_resize in a loop in src/dstring.c.
    - debian/patches/CVE-2021-38185.3.patch: fix dynamic string reallocations in src/dstring.c.
    - CVE-2021-38185

==== curl: 7.68.0-1ubuntu2.6 => 7.68.0-1ubuntu2.7 ====
====     curl libcurl3-gnutls:amd64 libcurl4:amd64

  * SECURITY UPDATE: Protocol downgrade required TLS bypassed
    - debian/patches/CVE-2021-22946-pre1.patch: separate FTPS from FTP over HTTPS proxy in lib/ftp.c, lib/urldata.h.
    - debian/patches/CVE-2021-22946.patch: do not ignore --ssl-reqd in lib/ftp.c, lib/imap.c, lib/pop3.c, tests/data/Makefile.inc, tests/data/test984, tests/data/test985, tests/data/test986.
    - CVE-2021-22946
  * SECURITY UPDATE: STARTTLS protocol injection via MITM
    - debian/patches/CVE-2021-22947.patch: reject STARTTLS server response pipelining in lib/ftp.c, lib/imap.c, lib/pop3.c, lib/smtp.c, tests/data/Makefile.inc, tests/data/test980, tests/data/test981, tests/data/test982, tests/data/test983.
    - CVE-2021-22947

==== git: 1:2.25.1-1ubuntu3.1 => 1:2.25.1-1ubuntu3.2 ====
====     git git-man

  * SECURITY UPDATE: cross-protocol request via newline character in repo path
    - debian/patches/CVE-2021-40330.patch: forbid newline in git:// hosts and repo paths
    - CVE-2021-40330

==== libgcrypt20: 1.8.5-5ubuntu1 => 1.8.5-5ubuntu1.1 ====
====     libgcrypt20:amd64

  * SECURITY UPDATE: lack of exponent blinding in ElGamal encryption
    - debian/patches/CVE-2021-33560.patch: harden ElGamal by introducing exponent blinding too in cipher/elgamal.c.
    - CVE-2021-33560
  * SECURITY UPDATE: incorrect support of smaller K
    - debian/patches/CVE-2021-40528.patch: fix ElGamal encryption for other implementations in cipher/elgamal.c.
    - CVE-2021-40528

==== linux-meta: 5.4.0.84.88 => 5.4.0.86.90 ====
====     linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

  * Bump ABI 5.4.0-86
  * Packaging resync (LP: #1786013)
    - [Packaging] resync debian/dkms-versions from main package
  * Bump ABI 5.4.0-85
  * Packaging resync (LP: #1786013)
    - [Packaging] resync debian/dkms-versions from main package

==== linux-signed: 5.4.0-84.94 => 5.4.0-86.97 ====
====     linux-image-5.4.0-86-generic

  * Master version: 5.4.0-86.97
  * Master version: 5.4.0-85.95

==== procps: 2:3.3.16-1ubuntu2.2 => 2:3.3.16-1ubuntu2.3 ====
====     libprocps8:amd64 procps

  * Fixes version output of utilities (LP: #1917148)
    - d/p/fix_version.patch

==== squashfs-tools: 1:4.4-1ubuntu0.1 => 1:4.4-1ubuntu0.2 ====
====     squashfs-tools

  * SECURITY UPDATE: Directory traversal via symlinks in unsquashfs
    - debian/patches/0002-CVE-2021-41072-1.patch: Use unsquashfs_closedir() when deleting directories in unsquash-N.c
    - debian/patches/0003-CVE-2021-41072-2.patch: Dynamically allocate structure names in unsquash-N.c
    - debian/patches/0004-CVE-2021-41072-3.patch: Store directory names in a linked list to allow sorting in unsquash-N.c
    - debian/patches/0005-CVE-2021-41072-4.patch: Sort directory entries in squashfs images and treat duplicate directory entries with the same name as invalid in unsquash-N.c
    - debian/patches/0006-CVE-2021-41072-5.patch: Fixup Makefile entry for unsquash-12.o
    - CVE-2021-41072

==== systemd: 245.4-4ubuntu3.11 => 245.4-4ubuntu3.13 ====
====     libnss-systemd:amd64 libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd systemd-sysv systemd-timesyncd udev

  * d/p/dell-clamshell-accel-location-base-with-sku.patch:
    Revert incorrect patch (LP: #1942899)

  [ Yao Wei ]
  * d/p/dell-clamshell-accel-location-base.patch:
    Add ACCEL_LOCATION=base property for Dell clamshell models (LP: #1938259)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=5c1be33900edee94da0dc9a4ade8edcd079b4c85

  [ Lukas Märdian ]
  * Add d/p/lp1934221-resolved-disable-event-sources-before-unreffing-them.patch
    - Fix segfault in systemd-resolve (LP: #1934221)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=6c401900c70962052f56c7108fdc02fe7f84c9bf

  [ Simon Chopin ]
  * d/p/lp1914740-network-enable-DHCP-broadcast-flag-if-required-by-in.patch:
    - Apply upstream patch to fix Hipersocket DHCP mode (LP: #1914740)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=326ae43b7966d9e7c5f7124027185a79a07fa276

  [ Dan Streetman ]
  * d/p/lp1934981-correct-suspend-then-sleep-string.patch:
    Fix sleep verb used by logind during suspend-then-hibernate (LP: #1934981)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=997f3a7da3d5db22e3c63626c3f7dc3dff0830b0
  * d/p/lp1937238-util-return-the-correct-correct-wd-from-inotify-help.patch:
    Fix watch for time sync (LP: #1937238)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=dbabff8a03eb232c19174eff1335cd7cb7d7860c
  * d/extra/dhclient-enter-resolved-hook:
    Reset start limit counter for systemd-resolved in dhclient hook (LP: #1939255)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=9d3a91a0b70a4b2bcc166f366cd0a880fd494812
  * d/p/lp1935051-shared-unit-file-make-sure-the-old-hashmaps-and-sets.patch:
    Fix memory leak in path cache (LP: #1935051)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=12d6bdeb35f309158fe8d4242c6dd9be4d067604
  * d/p/lp1934147/0001-cgroup-do-catchup-for-unit-cgroup-inotify-watch-file.patch,
    d/p/lp1934147/0002-core-Make-sure-cgroup_oom_queue-is-flushed-on-manage.patch:
    Catchup cgroup inotify watch after reexec/reload (LP: #1934147)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=63eabc88b8e0005eb40b15b543538ce35377bdbd

==== udisks2: 2.8.4-1ubuntu1 => 2.8.4-1ubuntu2 ====
====     libudisks2-0:amd64 udisks2

  * debian/patches/0001-udev-Distinguish-mmcblk-class-device-types.patch
    debian/patches/0002-udev-Propagate-mmcblk-disk-attributes-to-mmcblk_boot.patch
    debian/patches/0003-udiskslinuxdrive-Tweak-the-removable-ejectable-hints.patch
    debian/patches/0004-udiskslinuxblock-Tweak-the-hints-for-mmcblk-class-de.patch
    - backport 4 commits from upstream to fix mmcblk is not removable.
      https://github.com/storaged-project/udisks/issues/358
      (lp: #1942733)

--
[1] http://cloud-images.ubuntu.com/releases/focal/release-20210921/
[2] http://cloud-images.ubuntu.com/releases/focal/release-20210907/