A new release of the Ubuntu Cloud Images for stable Ubuntu release 21.10 (Impish Indri) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI IDs. Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

 * busybox: 1:1.30.1-6ubuntu3 => 1:1.30.1-6ubuntu3.1
 * cloud-init: 21.3-1-g6803368d-0ubuntu3 => 21.4-0ubuntu1~21.10.1
 * linux-meta: 5.13.0.20.31 => 5.13.0.22.33
 * linux-signed: 5.13.0-20.20 => 5.13.0-22.22
 * netplan.io: 0.103-0ubuntu7 => 0.103-0ubuntu7.2
 * nss: 2:3.68-1ubuntu1 => 2:3.68-1ubuntu1.1
 * openssl: 1.1.1l-1ubuntu1 => 1.1.1l-1ubuntu1.1
 * software-properties: 0.99.13 => 0.99.13.1
 * sosreport: 4.1-1ubuntu2 => 4.2-1ubuntu0.21.10.1
 * ubuntu-advantage-tools: 27.3~21.10.1 => 27.4.2~21.10.1
 * ufw: 0.36.1-1 => 0.36.1-1ubuntu1
 * vim: 2:8.2.2434-3ubuntu3 => 2:8.2.2434-3ubuntu3.1

The following is a complete changelog for this image.

new: {'linux-headers-5.13.0-22-generic': '5.13.0-22.22', 'linux-modules-5.13.0-22-generic': '5.13.0-22.22', 'linux-headers-5.13.0-22': '5.13.0-22.22'}
removed: {'linux-modules-5.13.0-20-generic': '5.13.0-20.20', 'linux-headers-5.13.0-20': '5.13.0-20.20', 'linux-headers-5.13.0-20-generic': '5.13.0-20.20'}
changed: ['busybox-initramfs', 'busybox-static', 'cloud-init', 'libnetplan0:amd64', 'libnss3:amd64', 'libssl1.1:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.13.0-22-generic', 'linux-image-virtual', 'linux-virtual', 'netplan.io', 'openssl', 'python3-software-properties', 'software-properties-common', 'sosreport', 'ubuntu-advantage-tools', 'ufw', 'vim', 'vim-common', 'vim-runtime', 'vim-tiny', 'xxd']
new snaps: {}
removed snaps: {}
changed snaps: ['core20', 'lxd', 'snapd']

==== busybox: 1:1.30.1-6ubuntu3 => 1:1.30.1-6ubuntu3.1 ====
==== busybox-initramfs busybox-static

  * SECURITY UPDATE: invalid free or segfault via gzip data
    - debian/patches/CVE-2021-28831.patch: fix DoS if gzip is corrupt in
      archival/libarchive/decompress_gunzip.c.
    - CVE-2021-28831
  * SECURITY UPDATE: OOB read in unlzma
    - debian/patches/CVE-2021-42374.patch: fix a case where we could read
      before beginning of buffer in
      archival/libarchive/decompress_unlzma.c, testsuite/unlzma.tests.
    - CVE-2021-42374
  * SECURITY UPDATE: multiple security issues in awk
    - debian/patches/CVE-2021-423xx-awk.patch: backport awk.c from
      busybox 1.34.1.
    - CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381,
      CVE-2021-42382, CVE-2021-42384, CVE-2021-42385, CVE-2021-42386

==== cloud-init: 21.3-1-g6803368d-0ubuntu3 => 21.4-0ubuntu1~21.10.1 ====
==== cloud-init

  * d/upstream/metadata: Change contact to James Falcon
  * d/cloud-init.templates: Add LXD to default datasource_list with
    translations
  * drop the following cherry-picks now included:
    + cpick-28e56d99-Azure-Retry-dhcp-on-timeouts-when-polling
    + cpick-e69a8874-Set-Azure-to-only-update-metadata-on-BOOT_NEW_INSTANCE
    + cpick-612e3908-Add-connectivity_url-to-Oracle-s-EphemeralDHCPv4-988
    + cpick-dc227869-Set-Azure-to-apply-networking-config-every-BOOT-1023
    + cpick-9c147e83-Allow-disabling-of-network-activation-SC-307-1048
  * New upstream release. (LP: #1949521)
    - Release 21.4 (#1091)
    - Azure: fallback nic needs to be reevaluated during reprovisioning
      (#1094) [Anh Vo]
    - azure: pps imds (#1093) [Anh Vo]
    - testing: Remove calls to 'install_new_cloud_init' (#1092)
    - Add LXD datasource (#1040)
    - Fix unhandled apt_configure case.
      (#1065) [Brett Holman]
    - Allow libexec for hotplug (#1088)
    - Add necessary mocks to test_ovf unit tests (#1087)
    - Remove (deprecated) apt-key (#1068) [Brett Holman]
    - distros: Remove a completed "TODO" comment (#1086)
    - cc_ssh.py: Add configuration for controlling ssh-keygen output
      (#1083) [dermotbradley]
    - Add "install hotplug" module (SC-476) (#1069)
    - hosts.alpine.tmpl: rearrange the order of short and long hostnames
      (#1084) [dermotbradley]
    - Add max version to docutils
    - cloudinit/dmi.py: Change warning to debug to prevent console display
      (#1082) [dermotbradley]
    - remove unnecessary EOF string in
      disable-sshd-keygen-if-cloud-init-active.conf (#1075)
      [Emanuele Giuseppe Esposito]
    - Add module 'write-files-deferred' executed in stage 'final' (#916)
      [Lucendio]
    - Bump pycloudlib to fix CI (#1080)
    - Remove pin in dependencies for jsonschema (#1078)
    - Add "Google" as possible system-product-name (#1077) [vteratipally]
    - Update Debian security suite for bullseye (#1076) [Johann Queuniet]
    - Leave the details of service management to the distro (#1074)
      [Andy Fiddaman]
    - Fix typos in setup.py (#1059) [Christian Clauss]
    - Update Azure _unpickle (SC-500) (#1067)
    - cc_ssh.py: fix private key group owner and permissions (#1070)
      [Emanuele Giuseppe Esposito]
    - VMware: read network-config from ISO (#1066) [Thomas Weißschuh]
    - testing: mock sleep in gce unit tests (#1072)
    - CloudStack: fix data-server DNS resolution (#1004) [Olivier Lemasle]
    - Fix unit test broken by pyyaml upgrade (#1071)
    - testing: add get_cloud function (SC-461) (#1038)
    - Inhibit sshd-keygen@.service if cloud-init is active (#1028)
      [Ryan Harper]
    - VMWARE: search the deployPkg plugin in multiarch dir (#1061)
      [xiaofengw-vmware]
    - Fix set-name/interface DNS bug (#1058) [Andrew Kutz]
    - Use specified tmp location for growpart (#1046) [jshen28]
    - .gitignore: ignore tags file for ctags users (#1057) [Brett Holman]
    - Allow comments in runcmd and report failed commands correctly
      (#1049) [Brett Holman]
    - tox integration:
      pass the *_proxy, GOOGLE_*, GCP_* env vars (#1050) [Paride Legovini]
    - Allow disabling of network activation (SC-307) (#1048)
    - renderer: convert relative imports to absolute (#1052)
      [Paride Legovini]
    - Support ETHx_IP6_GATEWAY, SET_HOSTNAME on OpenNebula (#1045)
      [Vlastimil Holer]
    - integration-requirements: bump the pycloudlib commit (#1047)
      [Paride Legovini]
    - Allow Vultr to set MTU and use as-is configs (#1037) [eb3095]
    - pin jsonschema in requirements.txt (#1043)
    - testing: remove cloud_tests (#1020)
    - Add andgein as contributor (#1042) [Andrew Gein]
    - Make wording for module frequency consistent (#1039) [Nicolas Bock]
    - Use ascii code for growpart (#1036) [jshen28]
    - Add jshen28 as contributor (#1035) [jshen28]
    - Skip test_cache_purged_on_version_change on Azure (#1033)
    - Remove invalid ssh_import_id from examples (#1031)
    - Cleanup Vultr support (#987) [eb3095]
    - docs: update cc_disk_setup for fs to raw disk (#1017)
    - HACKING.rst: change contact info to James Falcon (#1030)
    - tox: bump the pinned flake8 and pylint version (#1029)
      [Paride Legovini]
    - Add retries to DataSourceGCE.py when connecting to GCE (#1005)
      [vteratipally]
    - Set Azure to apply networking config every BOOT (#1023)
    - Add connectivity_url to Oracle's EphemeralDHCPv4 (#988)
    - docs: fix typo and include sudo for report bugs commands (#1022)
      [Renan Rodrigo]
    - VMware: Fix typo introduced in #947 and add test (#1019)
      [PengpengSun]
    - Update IPv6 entries in /etc/hosts (#1021) [Richard Hansen]
    - Integration test upgrades for the 21.3-1 SRU (#1001)
    - Add Jille to tools/.github-cla-signers (#1016) [Jille Timmermans]
    - Improve ug_util.py (#1013) [Shreenidhi Shedi]
    - Support openEuler OS (#1012) [zhuzaifangxuele]
    - ssh_utils.py: ignore when sshd_config options are not key/value
      pairs (#1007) [Emanuele Giuseppe Esposito]
    - Set Azure to only update metadata on BOOT_NEW_INSTANCE (#1006)
    - cc_update_etc_hosts: Use the distribution-defined path for the hosts
      file (#983) [Andy Fiddaman]
    - Add CloudLinux OS
      support (#1003) [Alexandr Kravchenko]
    - puppet config: add the start_agent option (#1002) [Andrew Bogott]
    - Fix `make style-check` errors (#1000) [Shreenidhi Shedi]
    - Make cloud-id copyright year (#991) [Andrii Podanenko]
    - Add support to accept-ra in networkd renderer (#999)
      [Shreenidhi Shedi]
    - Update ds-identify to pass shellcheck (#979) [Andrew Kutz]
    - Azure: Retry dhcp on timeouts when polling reprovisiondata (#998)
      [aswinrajamannar]

==== linux-meta: 5.13.0.20.31 => 5.13.0.22.33 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

  * Bump ABI 5.13.0-22
  * Packaging resync (LP: #1786013)
    - [Packaging] resync debian/dkms-versions from main package
  * Bump ABI 5.13.0-21

==== linux-signed: 5.13.0-20.20 => 5.13.0-22.22 ====
==== linux-image-5.13.0-22-generic

  * Master version: 5.13.0-22.22
  * Master version: 5.13.0-21.21

==== netplan.io: 0.103-0ubuntu7 => 0.103-0ubuntu7.2 ====
==== libnetplan0:amd64 netplan.io

  * Add d/p/0012-test-bridge-base-give-bridge-some-more-time-to-reach.patch
    To fix flaky test_bridge_anonymous autopkgtest (upstream c6ad8e6)
  * Upstream cherry-picks for snapd dbus config set-try-apply integration
    fixes
    - dbus-wait-for-netplan-try-to-be-ready-LP-1949893-245.patch
      (LP: #1949893)
    - get-set-ignore-empty-YAML-hints-and-delete-files-on-.patch
      (LP: #1946957)

  [ Nicolas Bock ]
  * d/p/0001-Add-support-for-additional-Link-options-225-LP-17717.patch:
    - Add offload configuration options. (LP: #1771740)
  * Add d/p/partial-d4884cfd40e1e33540b274371c3272df6595d22c.patch:
    - Partial application of d4884cfd40e1e33540b274371c3272df6595d22c in
      order preserve ABI compatibility for future updates.

  [ Lukas Märdian ]
  * Add d/p/0010-parse-nm-Handle-missing-gateway-in-keyfile-routes-ke.patch
    (LP: #1949761)
  * Fix regression in 'netplan try' (LP: #1949104)
    + d/p/lp1949104/cli-apply-initialize-self.state-LP-1949104-243.patch
    + d/p/lp1949104/tests-regressions-make-netplan_try-autopkgtest-more-.patch

==== nss: 2:3.68-1ubuntu1 => 2:3.68-1ubuntu1.1 ====
==== libnss3:amd64

  * SECURITY UPDATE: heap overflow when verifying DSA/RSA-PSS DER-encoded
    signatures
    - debian/patches/CVE-2021-43527.patch: check signature lengths in
      nss/lib/cryptohi/secvfy.c.
    - CVE-2021-43527

==== openssl: 1.1.1l-1ubuntu1 => 1.1.1l-1ubuntu1.1 ====
==== libssl1.1:amd64 openssl

  * Cherry-pick upstream fixes to prevent double engine loading
    (LP: #1951943)

==== software-properties: 0.99.13 => 0.99.13.1 ====
==== python3-software-properties software-properties-common

  * utils: prefer /var/lib/ubuntu-advantage/status.json over ua status
    - Handle absent /var/lib/ubuntu-advantage/status.json for non-root
      users (LP: #1939732)
    - print unexcepted errors and if _schema_version not equal to 0.1

==== sosreport: 4.1-1ubuntu2 => 4.2-1ubuntu0.21.10.1 ====
==== sosreport

  * New 4.2 upstream release. (LP: #1941745)
    - This release contains numerous improvements and bug fixes to several
      components within sos, including an overhaul to the project's test
      suite and infrastructure.
  * For more details, full release note is available here:
    - https://github.com/sosreport/sos/releases/tag/4.2
  * Remaining patches:
    - d/p/0001-debian-change-tmp-dir-location.patch
  * New patches:
    - d/p/0002-report-implement_estimate-only.patch
    - d/p/0003-ceph-add-support-for-containerized-ceph-setup.patch
    - d/p/0004-ceph-split-plugin-by-components.patch
    - d/p/0005-openvswitch-get-userspace-datapath-implementations.patch
    - d/p/0006-report-check-for-symlink-before-rmtree.patch
  * Former patches, now fixed:
    - d/p/0002-clean-prevent-parsing-ubuntu-user.patch
    - d/p/0003-ubuntu-policy-fix-upload.patch
    - d/p/0004-chrony-configuration-can-now-be-fragmented.patch
    - d/p/0005-global-drop-plugin-version.patch
    - d/p/0006-networking-check-presence-of-devlink.patch
    - d/p/0007-sosnode-avoid-checksum-cleanup-if-no-archive.patch
  * d/control:
    - Add 'python3-coverage' as part of the build depends.
  * d/rules:
    - Fix misplaced and duplicated sos.conf file in /usr/config.

==== ubuntu-advantage-tools: 27.3~21.10.1 => 27.4.2~21.10.1 ====
==== ubuntu-advantage-tools

  * Backport new upstream release: (LP: #1951705) to impish
  * d/tools.postinst:
    - Fix check_service_is_enabled function when the machine is unattached
      (LP: #1951705)
  * jobs: do not run the status job for unattached users
  * d/rules:
    - Remove conftest file from the package
  * d/tools.postinst:
    - hardcode python binary to run python scripts (LP: #1930121)
    - undo unnecessary log file creation
  * d/tools.prerm:
    - hardcode python binary to run python scripts (LP: #1930121)
  * New upstream release 27.4 (LP: #1949634)
    - cc-eal: remove beta flag
    - cli:
      + attach will save machine-id during operation
      + detach won't ask unnecessary questions
      + new security-status subcommand lists potentially available
        security and ESM updates (beta)
    - fix:
      + exit 0 when fix is successfully applied and completed
      + exit 1 when fix cannot be applied
      + exit 2 when fix requires a reboot to complete
      + check reboot-required.pkgs for better reboot suggestions
    - livepatch:
      allow livepatch and fips-updates at the same time
    - metering:
      + update how activity info is parsed
      + update contract response structure
      + enable job by default
    - proxy: no_proxy defaults for link-local IMDS routes
    - util:
      + cache get_platform_info calls
      + fix machine-id fallback path on get_machine_id

==== ufw: 0.36.1-1 => 0.36.1-1ubuntu1 ====
==== ufw

  * d/p/0004-set-default-policy-after-load.patch: fix boot stall on
    iscsi/network root filesystem when starting ufw (LP: #1946804)

==== vim: 2:8.2.2434-3ubuntu3 => 2:8.2.2434-3ubuntu3.1 ====
==== vim vim-common vim-runtime vim-tiny xxd

  * SECURITY UPDATE: Fix heap-based buffer overflow when buffer name is
    very long
    - debian/patches/CVE-2021-3872.patch: Make sure not to go over the end
      of the buffer in src/drawscreen.c, src/testdir/test_statusline.vim.
    - CVE-2021-3872
  * SECURITY UPDATE: Fix heap-based buffer overflow when scrolling without
    a valid screen
    - debian/patches/CVE-2021-3903.patch: Do not set VALID_BOTLINE in
      w_valid in src/move.c, src/testdir/test_normal.vim.
    - CVE-2021-3903
  * SECURITY UPDATE: Fix heap-based buffer overflow when reading character
    past end of line
    - debian/patches/CVE-2021-3927.patch: Correct the cursor column in
      src/ex_docmd.c, src/testdir/test_put.vim.
    - CVE-2021-3927
  * SECURITY UPDATE: Fix stack-based buffer overflow when reading
    uninitialized memory when giving spell suggestions
    - debian/patches/CVE-2021-3928.patch: Check that preword is not empty
      in src/spellsuggest.c, src/testdir/test_spell.vim.
    - CVE-2021-3928
  * Fix flaky vim terminal mode test

--
[1] http://cloud-images.ubuntu.com/releases/impish/release-20211208.1/
[2] http://cloud-images.ubuntu.com/releases/impish/release-20211103/