A new release of the Ubuntu Cloud Images for stable Ubuntu release 21.10 (Impish Indri) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'. The following packages have been updated. Please see the full changelogs for a complete listing of changes: * apport: 2.20.11-0ubuntu71 => 2.20.11-0ubuntu71.2 * apt: 2.3.9 => 2.3.9ubuntu0.1 * bind9: 1:9.16.15-1ubuntu1.1 => 1:9.16.15-1ubuntu1.2 * cloud-init: 21.4-0ubuntu1~21.10.1 => 22.1-14-g2e17a0d6-0ubuntu1~21.10.3 * command-not-found: 21.10.0 => 21.10.1 * curl: 7.74.0-1.3ubuntu2 => 7.74.0-1.3ubuntu2.2 * distro-info-data: 0.51ubuntu1.1 => 0.51ubuntu1.2 * dpkg: 1.20.9ubuntu2 => 1.20.9ubuntu2.2 * expat: 2.4.1-2ubuntu0.1 => 2.4.1-2ubuntu0.3 * fribidi: 1.0.8-2ubuntu2 => 1.0.8-2ubuntu2.1 * fwupd-signed: 1.40+1.5.11-0ubuntu2 => 1.42~ubuntu21.10.2+1.2-2~21.10.1 * fwupd: 1.5.11-0ubuntu2 => 1.7.5-3~21.10.1 * git: 1:2.32.0-1ubuntu1 => 1:2.32.0-1ubuntu1.2 * gzip: 1.10-4ubuntu1 => 1.10-4ubuntu1.1 * landscape-client: 19.12-0ubuntu10 => 19.12-0ubuntu10.1 * libarchive: 3.4.3-2ubuntu0.1 => 3.4.3-2ubuntu0.2 * libjcat: 0.1.3-2build1 => 0.1.4-0ubuntu0.21.10.1 * libsepol: 3.1-1ubuntu2 => 3.1-1ubuntu2.1 * libxml2: 2.9.12+dfsg-4 => 2.9.12+dfsg-4ubuntu0.2 * linux-meta: 5.13.0.35.44 => 5.13.0.44.53 * linux-signed: 5.13.0-35.40 => 5.13.0-44.49 * logrotate: 3.18.0-2ubuntu1 => 3.18.0-2ubuntu1.1 * needrestart: 3.5-4ubuntu2 => 3.5-4ubuntu2.1 * netplan.io: 0.103-0ubuntu7.2 => 0.104-0ubuntu2~21.10.1 * networkd-dispatcher: 2.1-2 => 2.1-2ubuntu0.21.10.2 * openldap: 2.5.6+dfsg-1~exp1ubuntu1 => 2.5.6+dfsg-1~exp1ubuntu1.1 * openssl: 1.1.1l-1ubuntu1.1 => 1.1.1l-1ubuntu1.3 * pcre3: 2:8.39-13build3 => 2:8.39-13ubuntu0.21.10.1 * rsyslog: 8.2102.0-2ubuntu2 => 8.2102.0-2ubuntu2.2 * snapd: 2.54.3+21.10.1ubuntu0.2 => 2.54.3+21.10.1ubuntu0.3 * sosreport: 4.2-1ubuntu0.21.10.1 => 4.3-1ubuntu0.21.10.1 * sqlite3: 3.35.5-1 => 3.35.5-1ubuntu0.1 * systemd: 248.3-1ubuntu8.2 => 248.3-1ubuntu8.6 * twisted: 20.3.0-7ubuntu1 => 20.3.0-7ubuntu1.1 * tzdata: 2021e-0ubuntu0.21.10 => 2022a-0ubuntu0.21.10 * ubuntu-advantage-tools: 27.6~21.10.1 => 27.8~21.10.1 * ubuntu-release-upgrader: 1:21.10.8 => 1:21.10.9 * xz-utils: 5.2.5-2 => 5.2.5-2ubuntu0.1 * zlib: 1:1.2.11.dfsg-2ubuntu7 => 1:1.2.11.dfsg-2ubuntu7.1 The following is a complete changelog for this image. new: {'libmbim-proxy': '1.24.8-1', 'libtcl8.6:amd64': '8.6.11+dfsg-1', 'linux-headers-5.13.0-44-generic': '5.13.0-44.49', 'linux-modules-5.13.0-44-generic': '5.13.0-44.49', 'modemmanager': '1.16.6-2', 'libqmi-glib5:amd64': '1.28.6-2ubuntu1', 'libmm-glib0:amd64': '1.16.6-2', 'usb-modeswitch': '2.6.1-1ubuntu4', 'tcl': '8.6.11+1build1', 'linux-headers-5.13.0-44': '5.13.0-44.49', 'libmbim-glib4:amd64': '1.24.8-1', 'libfwupdplugin5:amd64': '1.7.5-3~21.10.1', 'libqmi-proxy': '1.28.6-2ubuntu1', 'usb-modeswitch-data': '20191128-3', 'tcl8.6': '8.6.11+dfsg-1'} removed: {'linux-modules-5.13.0-35-generic': '5.13.0-35.40', 'linux-headers-5.13.0-35-generic': '5.13.0-35.40', 'linux-headers-5.13.0-35': '5.13.0-35.40'} changed: ['apport', 'apt', 'apt-utils', 'bind9-dnsutils', 'bind9-host', 'bind9-libs:amd64', 'cloud-init', 'command-not-found', 'curl', 'distro-info-data', 'dpkg', 'fwupd', 'fwupd-signed', 'git', 'git-man', 'gzip', 'landscape-common', 'libapt-pkg6.0:amd64', 'libarchive13:amd64', 'libcurl3-gnutls:amd64', 'libcurl4:amd64', 'libexpat1:amd64', 'libfribidi0:amd64', 'libfwupd2:amd64', 'libjcat1:amd64', 'libldap-2.5-0:amd64', 'libldap-common', 'liblzma5:amd64', 'libnetplan0:amd64', 'libnss-systemd:amd64', 'libpam-systemd:amd64', 'libpcre3:amd64', 'libsepol1:amd64', 'libsqlite3-0:amd64', 'libssl1.1:amd64', 'libsystemd0:amd64', 'libudev1:amd64', 'libxml2:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.13.0-44-generic', 'linux-image-virtual', 'linux-virtual', 'logrotate', 'needrestart', 'netplan.io', 'networkd-dispatcher', 'openssl', 'python3-apport', 'python3-commandnotfound', 'python3-distupgrade', 'python3-problem-report', 'python3-twisted', 'python3-twisted-bin:amd64', 'rsyslog', 'snapd', 'sosreport', 'systemd', 'systemd-sysv', 'systemd-timesyncd', 'tzdata', 'ubuntu-advantage-tools', 'ubuntu-release-upgrader-core', 'udev', 'xz-utils', 'zlib1g:amd64'] new snaps: {} removed snaps: {} changed snaps: ['core20', 'lxd', 'snapd'] ==== apport: 2.20.11-0ubuntu71 => 2.20.11-0ubuntu71.2 ==== ==== apport python3-apport python3-problem-report * SECURITY UPDATE: Fix multiple security issues - test/test_report.py: Fix flaky test. - data/apport: Fix too many arguments for error_log(). - data/apport: Use proper argument variable name executable_path. - etc/init.d/apport: Set core_pipe_limit to a non-zero value to make sure the kernel waits for apport to finish before removing the /proc information. - apport/fileutils.py, data/apport: Search for executable name if one wan't provided such as when being called in a container. - data/apport: Limit memory and duration of gdbus call. (CVE-2022-28654, CVE-2022-28656) - data/apport, apport/fileutils.py, test/test_fileutils.py: Validate D-Bus socket location. (CVE-2022-28655) - apport/fileutils.py, test/test_fileutils.py: Turn off interpolation in get_config() to prevent DoS attacks. (CVE-2022-28652) - Refactor duplicate code into search_map() function. - Switch from chroot to container to validating socket owner. (CVE-2022-1242, CVE-2022-28657) - data/apport: Clarify error message. - apport/fileutils.py: Fix typo in comment. - apport/fileutils.py: Do not call str in loop. - data/apport, etc/init.d/apport: Switch to using non-positional arguments. Get real UID and GID from the kernel and make sure they match the process. Also fix executable name space handling in argument parsing. (CVE-2022-28658, CVE-2021-3899) * apport/ui.py: Error out when -w option is used on wayland (LP: #1952947). ==== apt: 2.3.9 => 2.3.9ubuntu0.1 ==== ==== apt apt-utils libapt-pkg6.0:amd64 * Only protect two kernels, not last installed one (LP: #1968154) * Point to impish in gitlab-ci and gbp.conf ==== bind9: 1:9.16.15-1ubuntu1.1 => 1:9.16.15-1ubuntu1.2 ==== ==== bind9-dnsutils bind9-host bind9-libs:amd64 * SECURITY UPDATE: cache poisoning via bogus NS records - debian/patches/CVE-2021-25220.patch: tighten rules for acceptance of records into the cache in lib/dns/resolver.c. - CVE-2021-25220 * SECURITY UPDATE: DoS via specially crafted TCP stream - debian/patches/CVE-2022-0396.patch: ensure correct ordering in lib/isc/netmgr/netmgr.c. - CVE-2022-0396 ==== cloud-init: 21.4-0ubuntu1~21.10.1 => 22.1-14-g2e17a0d6-0ubuntu1~21.10.3 ==== ==== cloud-init * d/p/cpick-eee60329-Fix-cloud-init-status-wait-when-no-datasource-found: cherry-pick eee60329: Fix cloud-init status --wait when no datasource found (#1349) (LP: #1966085) * cherry-pick 5e347d25: Revert "Ensure system_cfg read before ds net config on Oracle * d/patches/retain-apt-partner-pocket.patch: - Jammy dropped commented APT partner pocket. Retain this comment on stable releases. * d/apport-launcher.py fix format for unittests * d/cloud-init.templates: Move LXD to back of datasource_list * New upstream snapshot. (LP: #1961446) - check for existing symlink while force creating symlink (#1281) [Shreenidhi Shedi] - Do not silently ignore integer uid (#1280) - tests: create a IPv4/IPv6 VPC in Ec2 integration tests (#1291) - Integration test fix ppa (#1296) - tests: on official EC2. cloud-id actually startswith aws not ec2 (#1289) - test_ppa_source: accept both http and https URLs (#1292) [Paride Legovini] - Fix apt test on azure - add "lkundrak" as contributor [Lubomir Rintel] - Holmanb/integration test fix ppa (#1287) - Include missing subcommand in manpage (#1279) - Clean up artifacts from pytest, packaging, release with make clean (#1277) - sources/azure: ensure retries on IMDS request failure (#1271) [Chris Patterson] - sources/azure: removed unused saveable PPS paths (#1268) [Chris Patterson] - integration tests: fix Azure failures (#1269) - Release 22.1 (#1267) - sources/azure: report ready in local phase (#1265) [Chris Patterson] - sources/azure: validate IMDS network configuration metadata (#1257) [Chris Patterson] - docs: Add more details to runcmd docs (#1266) - use PEP 589 syntax for TypeDict (#1253) - mypy: introduce type checking (#1254) [Chris Patterson] - Fix extra ipv6 issues, code reduction and simplification (#1243) [eb3095] - tests: when generating crypted password, generate in target env (#1252) - sources/azure: address mypy/pyright typing complaints (#1245) [Chris Patterson] - Docs for x-shellscript* userdata (#1260) - test_apt_security: azure platform has specific security URL overrides (#1263) - tests: lsblk --json output changes mountpoint key to mountpoinst [] (#1261) - mounts: fix mount opts string for ephemeral disk (#1250) [Chris Patterson] - Shell script handlers by freq (#1166) [Chris Lalos] - minor improvements to documentation (#1259) [Mark Esler] - cloud-id: publish /run/cloud-init/cloud-id- files (#1244) - add "eslerm" as contributor (#1258) [Mark Esler] - sources/azure: refactor ssh key handling (#1248) [Chris Patterson] - bump pycloudlib (#1256) - sources/hetzner: Use EphemeralDHCPv4 instead of static configuration (#1251) [Markus Schade] - bump pycloudlib version (#1255) - Fix IPv6 netmask format for sysconfig (#1215) [Harald] - sources/azure: drop debug print (#1249) [Chris Patterson] - tests: do not check instance.pull_file().ok() (#1246) - sources/azure: consolidate ephemeral DHCP configuration (#1229) [Chris Patterson] - cc_salt_minion freebsd fix for rc.conf (#1236) - sources/azure: fix metadata check in _check_if_nic_is_primary() (#1232) [Chris Patterson] - Add _netdev option to mount Azure ephemeral disk (#1213) [Eduardo Otubo] - testing: stop universally overwriting /etc/cloud/cloud.cfg.d (#1237) - Integration test changes (#1240) - Fix Gentoo Locales (#1205) - Add "slingamn" as contributor (#1235) [Shivaram Lingamneni] - integration: do not LXD bind mount /etc/cloud/cloud.cfg.d (#1234) - Integration testing docs and refactor (#1231) - vultr: Return metadata immediately when found (#1233) [eb3095] - spell check docs with spellintian (#1223) - docs: include upstream python version info (#1230) - Schema a d (#1211) - Move LXD to end ds-identify DSLIST (#1228) - fix parallel tox execution (#1214) - sources/azure: refactor _report_ready_if_needed and _poll_imds (#1222) [Chris Patterson] - Vultr: Fix lo being used for DHCP, try next on cmd fail (#1208) [eb3095] - sources/azure: refactor _should_reprovision[_after_nic_attach]() logic (#1206) [Chris Patterson] - update ssh logs to show ssh private key gens pub and simplify code (#1221) [Steve Weber] - Remove mitechie from stale PR github action (#1217) - Include POST format in cc_phone_home docs (#1218) - Add json parsing of ip addr show (SC-723) (#1210) - cc_rsyslog: fix typo in docstring (#1207) [Louis Sautier] - Update .github-cla-signers (#1204) [Chris Lalos] - sources/azure: drop unused case in _report_failure() (#1200) [Chris Patterson] - sources/azure: always initialize _ephemeral_dhcp_ctx on unpickle (#1199) [Chris Patterson] - Add support for gentoo templates and cloud.cfg (#1179) [vteratipally] - sources/azure: unpack ret tuple in crawl_metadata() (#1194) [Chris Patterson] - tests: focal caplog has whitespace indentation for multi-line logs (#1201) - Seek interfaces, skip dummy interface, fix region codes (#1192) [eb3095] - integration: test against the Ubuntu daily images (#1198) [Paride Legovini] - cmd: status and cloud-id avoid change in behavior for 'not run' (#1197) - tox: pass PYCLOUDLIB_* env vars into integration tests when present (#1196) - sources/azure: set ovf_is_accessible when OVF is read successfully (#1193) [Chris Patterson] - Enable OVF environment transport via ISO in example (#1195) [Megian] - sources/azure: consolidate DHCP variants to EphemeralDHCPv4WithReporting (#1190) [Chris Patterson] - Single JSON schema validation in early boot (#1175) - Add DatasourceOVF network-config property to Ubuntu OVF example (#1184) [Megian] - testing: support pycloudlib config file (#1189) - Ensure system_cfg read before ds net config on Oracle (SC-720) (#1174) - Test Optimization Proposal (SC-736) (#1188) - cli: cloud-id report not-run or disabled state as cloud-id (#1162) - Remove distutils usage (#1177) [Shreenidhi Shedi] - add .python-version to gitignore (#1186) - print error if datasource import fails (#1170) [Emanuele Giuseppe Esposito] - Add new config module to set keyboard layout (#1176) [maxnet] - sources/azure: rename metadata_type -> MetadataType (#1181) [Chris Patterson] - Remove 3.5 and xenial support (SC-711) (#1167) - tests: mock LXD datasource detection in ds-identify on LXD containers (#1178) - pylint: silence errors on compat code for old jsonschema (#1172) [Paride Legovini] - testing: Add 3.10 Test Coverage (#1173) - Remove unittests from integration test job in travis (#1141) - Don't throw exceptions for empty cloud config (#1130) - bsd/resolv.d/ avoid duplicated entries (#1163) [Gonri Le Bouder] - sources/azure: do not persist failed_desired_api_version flag (#1159) [Chris Patterson] - Update cc_ubuntu_advantage calls to assume-yes (#1158) [John Chittum] - openbsd: properly restart the network on 7.0 (#1150) [Gonri Le Bouder] - Add .git-blame-ignore-revs (#1161) - Adopt Black and isort (SC-700) (#1157) - Include dpkg frontend lock in APT_LOCK_FILES (#1153) - tests/cmd/query: fix test run as root and add coverage for defaults (#1156) [Chris Patterson] - Schema processing changes (SC-676) (#1144) - Add dependency workaround for impish in bddeb (#1148) - netbsd: install new dep packages (#1151) [Gonri Le Bouder] - find_devs_with_openbsd: ensure we return the last entry (#1149) [Gonri Le Bouder] - sources/azure: remove unnecessary hostname bounce (#1143) [Chris Patterson] - find_devs/openbsd: accept ISO on disk (#1132) [Gonri Le Bouder] - Improve error log message when mount failed (#1140) [Ksenija Stanojevic] - add KsenijaS as a contributor (#1145) [Ksenija Stanojevic] - travis - don't run integration tests if no deb (#1139) - factor out function for getting top level directory of cloudinit (#1136) - testing: Add deterministic test id (#1138) - mock sleep() in azure test (#1137) - Add miraclelinux support (#1128) [Haruki TSURUMOTO] - docs: Make MACs lowercase in network config (#1135) - Add Strict Metaschema Validation (#1101) - update dead link (#1133) - cloudinit/net: handle two different routes for the same ip (#1124) [Emanuele Giuseppe Esposito] - docs: pin mistune dependency (#1134) - Reorganize unit test locations under tests/unittests (#1126) - Fix exception when no activator found (#1129) - jinja: provide and document jinja-safe key aliases in instance-data (SC-622) (#1123) - testing: Remove date from final_message test (SC-638) (#1127) - Move GCE metadata fetch to init-local (SC-502) (#1122) - Fix missing metadata routes for vultr (#1125) [eb3095] - cc_ssh_authkey_fingerprints.py: prevent duplicate messages on console (#1081) [dermotbradley] - sources/azure: remove unused remnants related to agent command (#1119) [Chris Patterson] - github: update PR template's contributing URL (#1120) [Chris Patterson] - docs: Rename HACKING.rst to CONTRIBUTING.rst (#1118) - testing: monkeypatch system_info call in unit tests (SC-533) (#1117) - Fix Vultr timeout and wait values (#1113) [eb3095] - lxd: add preference for LXD cloud-init.* config keys over user keys (#1108) - VMware: source /etc/network/interfaces.d/* on Debian [chengcheng-chcheng] - Add cjp256 as contributor (#1109) [Chris Patterson] - integration_tests: Ensure log directory exists before symlinking to it (#1110) - testing: add growpart integration test (#1104) - integration_test: Speed up CI run time (#1111) - Some miscellaneous integration test fixes (SC-606) (#1103) - tests: specialize lxd_discovery test for lxd_vm vendordata (#1106) - Add convenience symlink to integration test output (#1105) - Fix for set-name bug in networkd renderer (#1100) [Andrew Kutz] - Wait for apt lock (#1034) - testing: stop chef test from running on openstack (#1102) - alpine.py: add options to the apk upgrade command (#1089) [dermotbradley] ==== command-not-found: 21.10.0 => 21.10.1 ==== ==== command-not-found python3-commandnotfound [ Arnaud Rebillout ] * cnf: Bail out early if the database is not readable * cnf-update-db: Creates a world-readable database (Closes: #986461) * Add test to make sure that the database is world-readable [ Kellen Renshaw ] * Cherry-pick cnf-update-db umask fixes from 22.04 (LP: #1953610) ==== curl: 7.74.0-1.3ubuntu2 => 7.74.0-1.3ubuntu2.2 ==== ==== curl libcurl3-gnutls:amd64 libcurl4:amd64 * SECURITY UPDATE: CERTINFO never-ending busy-loop - debian/patches/CVE-2022-27781.patch: return error if seemingly stuck in a cert loop in lib/vtls/nss.c. - CVE-2022-27781 * SECURITY UPDATE: TLS and SSH connection too eager reuse - debian/patches/CVE-2022-27782.patch: check more TLS details for connection reuse in lib/setopt.c, lib/url.c, lib/urldata.h, lib/vtls/gtls.c, lib/vtls/openssl.c, lib/vtls/nss.c, lib/vtls/vtls.c, lib/vssh/ssh.h. - CVE-2022-27782 * SECURITY UPDATE: OAUTH2 bypass - debian/patches/CVE-2022-22576.patch: check sasl additional parameters for conn resuse in lib/strcase.c, lib/strcase.h, lib/url.c, lib/urldata.h, lib/vtls/vtls.c. - CVE-2022-22576 * SECURITY UPDATE: Credential leak on redirect - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port in the info struct to make it available after the connection ended in lib/connect.c, lib/urldata.h. - debian/patches/CVE-2022-27774-2.patch: redirects to other protocols or ports clear auth in lib/transfer.c. - debian/patches/CVE-2022-27774-3*.patch: adds tests to verify these fix in tests/data/Makefile.inc, tests/data/test973, tests/data/test974, tests/data/test975, tests/data/test976. - CVE-2022-27774 * SECURITY UPDATE: Bad local IPV6 connection reuse - debian/patches/CVE-2022-27775.patch: include the zone id in the 'bundle' haskey in lib/conncache.c. - CVE-2022-27775 * SECURITY UPDATE: Auth/cookie leak on redirect - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects same host diff port in lib/http.c, lib/urldata.h. - CVE-2022-27776 ==== distro-info-data: 0.51ubuntu1.1 => 0.51ubuntu1.2 ==== ==== distro-info-data * Add Ubuntu 22.10, Kinetic Kudu (LP: #1970227) ==== dpkg: 1.20.9ubuntu2 => 1.20.9ubuntu2.2 ==== ==== dpkg * SECURITY UPDATE: Directory traversal issue in dpkg-source - scripts/Dpkg/Source/Archive.pm, scripts/t/Dpkg_Source_Archive.t: Prevent directory traversal for in-place extracts. - CVE-2022-1664 * scripts/Dpkg/Vendor/Ubuntu.pm: When checking for the correct maintainer field, also look for canonical.com email addresses (LP: #1951988) ==== expat: 2.4.1-2ubuntu0.1 => 2.4.1-2ubuntu0.3 ==== ==== libexpat1:amd64 * SECURITY UPDATE: Stack exhaustion - debian/patches/CVE-2022-25313.patch: prevent stack exhaustion in build_model in expat/lib/xmlparse.c. - debian/patches/fix-build_model-regression.patch: fix build_model regression in expat/lib/xmlparse.c. - debian/patches/protect-against-nested-element*: in expat/lib/xmlparse. - CVE-2022-25313 * SECURITY UPDATE: Integer overflow - debian/patches/CVE-2022-25314.patch: prevent integer overflow in copyString in expat/lib/xmlparse.c. - CVE-2022-25314 * SECURITY UPDATE: Integer overflow - debian/patches/CVE-2022-25315.patch: prevent integer overflow in storeRawNames in expat/lib/xmlparse.c. - CVE-2022-25315 * SECURITY UPDATE: relax fix to CVE-2022-25236 with regard to RFC 3986 URI characters and possibly regressions - debian/patches/CVE-2022-25236-3.patch: add a note on namespace URI validation in expat/doc/reference.html, expat/lib/expat.h. - debian/patches/CVE-2022-25236-4.patch: document namespace separator effect right in header expat/lib/expat.h. - debian/patches/CVE-2022-25236-5.patch: cover relaxed fix in tests. - debian/patches/CVE-2022-25236-6.patch: relax fix with regard to RFC 3986 URI characters in expat/lib/xmlparse.c. (LP: #1963903) ==== fribidi: 1.0.8-2ubuntu2 => 1.0.8-2ubuntu2.1 ==== ==== libfribidi0:amd64 * SECURITY UPDATE: Incorrect length checking in processing of line input could result in a stack buffer overflow, resulting in a crash or potential code execution. - debian/patches/CVE-2022-25308.patch: add checking to length of string buffer before processing in bin/fribidi-main.c - CVE-2022-25308 * SECURITY UPDATE: Insufficient sanitization of input data to the CapRTL encoder could result in a heap buffer overflow, resulting in a crash or potential code execution. - debian/patches/CVE-2022-25309.patch: add checking and removal of dangerous characters before encoding stage, in lib/fribidi-char-sets-cap-rtl.c - CVE-2022-25309 * SECURITY UPDATE: Incorrect handling of string pointer can result in a crash in fribidi_remove_bidi_marks(). - debian/patches/CVE-2022-25310.patch: add checking for NULL strings, to avoid potential use-after-free in lib/fribidi.c - CVE-2022-25310 ==== fwupd: 1.5.11-0ubuntu2 => 1.7.5-3~21.10.1 ==== ==== fwupd libfwupd2:amd64 * Backport 1.7.5-3 from jammy to impish. * Support several new devices (LP: #1949412, LP: #1954965, LP: #1953573) * fwupd / fwupd-efi source package split (LP: #1955386) * Don't install new fwupd-unsiged by default. (LP: #1960783) * debian/tests: - Disable blocking container virtualization only for autopkgtest * Backport a series of patches that fix autopkgtest failures in Debian and Ubuntu. * Backport a patch to avoid running fwupd-refresh in containers. * New upstream version (1.7.5) - Enable modem manager plugin by default * Drop efivar compatibility patch, upstream * backport a patch to fix dell wd19 TBT updates * backport a patch for community messaging issue * Backport a patch to allow falling back to signed binary if unsigned binary not present * Drop fwupd-unsigned from Recommends * Add hard dependencies on libfwupd2 and libfwupdplugin5 built with us. Symbols suggest things should work, but maybe not. :-( Closes: #1003664 * New upstream version (1.7.4) * Drop manpages section patch, upstream * Add a patch that fixes compilation with newer efivar * New upstream version (1.7.3) * ignore subprojects and build directory from upstream builds in same folder * Update symbols and shared library name * drop lintian overrides for EFI binary, gone from the split * use wildcards in lintian override for library-not-linked-against-libc * drop unused debian/source/include-binaries * Add Rules-Requires-Root clause * Fix man page location * disable logitech bulk controller on ubuntu by default * disable logitech bulk controller on ubuntu by default * add dual license nature of dell-dock plugin to debian/copyright [ Mario Limonciello ] * New upstream version (1.7.1) * Update debian/control and debian/copyright for changes upstream * Drop all patches, upstream * Packaging changes for the split into fwupd/fwupd-efi. [ Steve McIntyre ] * Update Mario's email address in debian/control * Move manpages into section 8, fix lintian warnings. * Change dependency versioning strategy for the signed fwupd packages to make them binNMU friendly. Closes: #973715 * Similarly change versioning used for Built-Using. Closes: #992910 * Multiple fixes for working with UEFI SBAT * Backport a patch to fix regression in fwupdtool activate * Backport a patch to fix activatable devices getting stuck in an update loop * Rebuild to pick up new signing keys. * Backport a patch to fix FTBFS on armhf for SBAT * New upstream version (1.5.7) - Fixes issues with SBAT on UEFI. * Fixes dependencies for -dev packages: Closes: #980691, #980684 [ Steve McIntyre ] * Fix up Uploaders for the -signed packages - remove Jared, add Matthias [ Mario Limonciello ] * New upstream version (1.5.6) * drop all upstream patches * fwupd.postinst: Adjust to read /etc/os-release instead of `/etc/lsb-release` * New upstream version (1.5.5) * trivial: debian: migrate uefi->uefi_capsule in uefi.conf * trivial: debian: fix modules-load.d directory * trivial: debian: add dbus to recommends (Closes: #980049) * Backport 2 patches for continual "Unknown" message on new connections * trivial: debian: read /etc/lsb-release instead of dpkg-dev (Closes: #977860, #977861, #970783) * trivial: debian: only install fwupd-msr.conf if needed * New upstream version (1.5.3) * Drop all patches (upstream) * Follow defaults for nvme and redfish plugins (don't need efivar now) * debian/control: - Drop libsoup build dependency - Add libcurl build dependency - Add systemd build dependency * Migrate debian/fwupd.preinst content to debian/fwupd.maintscript * Backport patch to fix ppc64el autopkgtest failure * trivial: debian: disable downloading from LVFS in autopkgtest * Add breaks for fwupdate 12-7 (Closes: #960688) * trivial: debian: add git to fwupdate-tests dependencies [ Mario Limonciello ] * Backport a patch to indicate if packages are supported or not * backport a patch to fix autopkgtests on ppc64el * trivial: debian: don't hardcode paths in libexec * trivial: debian: disable msr plugin on all !x86 [ Jessica Clarke ] * debian: Check DEB_HOST_ARCH_CPU not DEB_HOST_ARCH for MSR plugin * debian: Prefer Makefile substitution over shell substitution * debian: Use if/else rather than overriding default values * debian: Drop pointless dh_shlibdeps override * debian: Check for valgrind in Makefile not shell and don't hard-code path * debian: Fix dangerous lack of set -e * debian: Fix another instance of unusual ifeq syntax * debian: Build up CONFARGS list rather than individual variables * debian: Fix another dangerous missing set -e * debian: Use uniform spacing around semicolons * debian: Avoid looking like a set -e is missing * debian: Remove unnecessary ./ use * debian: Add quotes around glob * New upstream version (1.5.1) * Drop backported patches * Add udisks2 to recommends * Backport a patch to fix a crash when udisks2 is missing (Closes: #970054) * Disable flashrom for ia64 * New upstream version (1.4.6) * New upstream version (1.4.5) * Drop flashrom patch, now upstream * Regenerate control file - Refresh dependencies for 1.4.x - Drop Jared as uploader * Stop generating debian/control automatically at build time * Add build-dep on libflashrom-dev * New upstream stable release: - Add more module types for the Dell dock - Fix the TPM PCR0 calculation - Check for free space after cleaning up ESP * New upstream stable release: - Actually reload the DFU device after upgrade has completed - Capture the dock SKU in report metadata - Correctly set the Logitech device protocol - Do not use shim for non-secure boot configurations - Ensure that the DeviceID is set for child devices - Fix an error when detaching MSP430 - Fix the DeviceID set by GetDetails - Force the prometheus minor version from 0x02 to 0x01 to fix updates - Parse the CSR firmware as a DFU file - Prevent dell-dock updates to occur via synaptics-mst plugin - Rather than hardcoding thunderbolt to PCI slot numbers, use domain in GUID - Remove a dock device from the whitelist that is never going to be updated - Validate that gpgme_op_verify_result() returned at least one signature - Wait for the cxaudio device to reboot after writing firmware * Drop following patches, now incorporated upstream: - Thunderbolt: create correct GUID for dual controller devices - CSR: Fix parsing - Motd: Fix refresh target to be network.target - Logitech: Fix error in logs on unsigned devices and set protocol for signed devices properly. - Fix a FTBFS on empty /etc/machine-id in some buildd environments. * Backport a handful of patches from 1_3_X branch: - Thunderbolt: create correct GUID for dual controller devices - CSR: Fix parsing - Motd: Fix refresh target to be network.target - Logitech: Fix error in logs on unsigned devices and set protocol for signed devices properly. - Fix a FTBFS on empty /etc/machine-id in some buildd environments. (LP: #1870051) * Backport a patch from upstream to not use shim on non-secure boot installs. - Helps avoid hitting a shim regression. * Backport a patch to correct an error with shutdown script. * Enable flashrom plugin for Debian. - This is turned off for Ubuntu for now since flashrom is in universe. [ Mario Limonciello ] * New upstream stable release (1.3.9) - Moves some binaries from usr/libexec into usr/bin - Adds fish completion script. - Inhibit all power management actions using logind when updating * Bug fixes: - Always check for PLAIN when doing vercmp() operations - Always return AppStream markup for remote agreements - Apply UEFI capsule update even with single valid capsule - Check the device protocol before de-duping devices - Copy the version and format from donor device in get-details - Correctly append the release to devices in `fwupdtool get-details` - Decrease minimum battery requirement to 10% - Discard the reason upgrades aren't available - Do not fail loading in /etc/machine-id is not available - Fix a critical warning when installing some firmware - For the `get-details` command make sure to always show devices - Set the MSP430 version format to pair - Switch off the ATA verbose logging by default - Use unknown for version format by default on get-details * Drop all existing patches. [ Laurent Bigonville ] * debian/control.in: Add libglib2.0-doc to Build-Depends-Indep * Move the daemons from /usr/lib/fwupd to /usr/libexec/fwupd * debian/*.symbols: Add the Build-Depends-Package field * New upstream version (1.3.8) * Drop all existing patches * Backport patches for: - battery level threshold adjustment (30%->10%) - A logic error with report uploading * Update standards version * Backport some patches from upstream. - Revert a commit to fix UEFI updates hanging on many Dell systems. - Adjust motd output to contain more whitespace * Backport a patch to fix fwupd-refresh.service (Fixes: #950407, Fixes: #950408) * New upstream version (1.3.7) * New upstream version (1.3.6) - Fixes shutdown failed with exit 2 (Fixes: #947205) - Fixes motd issue, requires newer systemd though as well (Fixes: #943343) * Drop all patches from previous upload, now upstream. * New upstream version (1.3.5) * Introduce new binary packages for new library libfwupdplugin, allowing out of tree plugin builds. * trivial: debian: remove obj-* built files to fix back to back builds * trivial: ci: debian: enable verbose daemon logging for failure analysis * Backport some patches to improve autopkgtest debugging * New upstream version (1.3.4) * d/c: Only include TSS dependencies on architectures building EFI plugin. * Backport a patch to allow confined snaps to activate fwupd * backport a patch to fix fastboot plugin on DW5821e * backport a patch to only use mingw-w64-tools in archs with EFI * New upstream version (1.3.3) * Backport patch to skip transient self test failure in polling * Disable fwupd-refresh.service by default (Closes: #942630) * backport patch for fwupd-refresh: don't try to enable LVFS if disabled (Closes: #942568) * fwupd-refresh: backport a series of patches that essentially turns off motd refresh unless running on a very new systemd (v243) due to systemd v242 bug. (Closes: #942567) * cleanup symlink from broken 1.3.2-1 if fwupd-refresh was started * backport path for fwupd-refresh: fix a clash with fwupd.service (Closes: #941360) (Closes: #941661) * debian/control*: Update for fwupdate transition * New upstream version (1.3.2) - Allow not prompting for metadata every time (Closes: #941048) - Avoid resetting display every login with Dell docks (LP: #1793965) - Provides a network service file (Closes: #921820) - Description is clearer (Closes: #911505) - Wacom failures don't occur (Closes: #915794) - Xbox360 controllers keep working (Closes: #920012) * Uses libtss2-dev at build time and switches to TSS for runtime rather than tpm2-tools/tpm2-abrmd. [ Steve McIntyre ] * Add Built-Using for the fwupd-*-signed packages. Closes: #932757 * New upstream version (1.2.10) * New upstream version (1.2.9) * New upstream version (1.2.6) * debian/control: - Add new build depends related to Modem Manager * debian/gen_signing_json: Update the format of the json metadata to match new requirements: + Move all the data under a new top-level "packages" key + Add an empty "trusted_certs" key - our binaries do not do any further verification with an embedded key. * New upstream version (1.2.5) * Drop all patches, upstream * Backport a patch from master that fixes FTBFS with newer glib * debian: explicitly depend on shared-mime-info * New upstream version * refresh build dependencies * Recommends on tpm2 stack to read PCR values * New upstream version * Move location of fwupd-SIGNARCH-signed.install to proper directory to fix generation of signed packages. * New upstream release. * New upstream release - Fixes ESP autodetection for autofs (Closes: #906216) - Adds missing signing bits (Closes: #906599) * debian/rules: - Pass -a into dh_missing (Closes: #906357) * debian/control: - Recommends for bolt for new thunderbolt power API - Build depends on Noto fonts instead of Dejavu fonts * Drop all patches. * New upstream release. - Adds support for more Synaptics and Intel hardware. - Fixes firmware update on some UEFI implementations (Closes: #905570) * debian/ - contrib: debian: regenerate control on clean - refresh debian/{control,copyright} for upstream fixes - drop all patches, upstream. * Correct another syntax error in SB signing template (Closes: #905482) * correct secure boot signing template name (Closes: #905471) * Fix secure boot signing template version string (Closes: #905468) * Refresh debian/copyright (Closes: #904671) * debian/rules: dynamically install EFI binaries * debian/rules: use pkg-config to determine when to turn on redfish and UEFI - Fixes FTBFS due to redfish on other architectures. * Fix the filename of the signed archive used for secure boot on Ubuntu * Only build uefi plugin on supported architectures [ Steve Mcintyre ] * Initial support for UEFI Secure Boot in Debian infrastructure + When building, also generate a fwupdate-$ARCH-signed-template package which contains metadata needed by the Debian signing service. This will end up being turned into a new source package including a signed version of the fwupdate binary. [ Mario Limonciello ] * New upstream version (1.1.0) * Drop patches merged upstream. * debian/control: - Add a patch from upstream that will add gnu-efi to dependencies - No longer recommends for fwupdate as it has been merged into fwupd. * Adjust infrastructure for fwupdate signed package to be used by fwupd signed package * New upstream version (1.0.8) - Adds new fwupdtool - License is now LGPL 2.1 - Drops colorhug dependency (built in now) - refresh symbols * New upstream version (1.0.7) * /debian changes: - ignore library-not-linked-against-libc - Remove unused override in debian/lintian/fwupd - rename tag for debian/source/lintian-overrides - Adjust to use https in debian/copyright - Bump debian/compat to 10 - Update control version - update standards version [ Mario Limonciello ] * New upstream version (1.0.6) * Move git repo from alioth to salsa.d.o * contrib/ci: Detect machine type when generating debian/control * New upstream version. * Build depend on fwupdate 10-3 for efivar 34 transition. * Drop previous patch, now upstream. * Revert previous patch (still didn't help with autopkgtest). * Introduce a different patch for helping autopkgtest failures. * Backport a patch that should fix autopkgtest failures. * New upstream version. * New build dependency: libjson-glib-dev (>= 1.1.1) * Update symbols * New upstream version. * Drop patch for appstream glib 0.7.4 dependency * New upstream version * Drop patch for doing libsmbios on only supported architectures, now upstream. * Only do libsmbios-dev build-depend on supported architectures * debci: remove unnecessary dbus start command * New upstream version (1.0.1) * Generate debian/control dynamically based on XML build dependencies declared from upstream CI builder. * Drop all patches, upstream. * debian: re-generate debian/control in clean rule * Build depend on appstream-glib 0.7.4. * debian/debci: shuffle dependency location * debian/debci: add explicit dependency on policykit-1 for the test * minor correction to changelog * debci: use the needs-root restriction * debian: update standards version * Backport a patch from upstream which fixes FTBFS on alpha and hppa (Closes: #879022) * Don't use dpkg-reconfigure in CI script. [ Mario Limonciello ] * new upstream version (1.0.0) * remove /etc/fwupd.conf on upgrade * fix missing-call-to-dpkg-maintscript-helper * update debci configuration * drop libebitdo transitional packages * try to fix debci * update standards version * explicitly set section for libfwupd2 * run systemd in postinst (Closes: #877991) * Drop patches. [ Richard Hughes ] * Do not install the libdfu helper library * Backport a patch to fix FTBFS on big endian architectures. [ Mario Limonciello ] * New upstream version (0.9.7) [ Mario Limonciello ] * trivial: debian: clarify why installed tests get installed in a generic directory (Closes: #872458) * trivial: fix some insignificant debian linitan warnings * trivial: debian: add autopkgtest tests to run the CI suite [ Max Ehrlich ] * Add a python script to create fwupd compatible cab files from Microsoft .exe files [ Christian Kellner ] * tbtfwu: remove references to legacy thunderbolt plugin [ Mario Limonciello ] * trivial: debian: update for --enable-synaptics * trivial: debian: only modify /etc/fwupd.conf in CI context [ Richard Hughes ] * trivial: post release version bump * trivial: Fix the colord version check in the example spec file * Add --version option to fwupdmgr * uefi: Fix crash when the product name is NULL * trivial: Never compare a string against zero to avoid warnings * unifying: Don't log a warning when an unknown report is parsed * trivial: Include all the GTypes in the generated docs * Check all the device GUIDs against the blacklist when added * Fix a hang on 32 bit computers * trivial: Fix a -Wsign-compare warning on 32 bit * trivial: Fix spelling of delimiter * trivial: Make fu_dell_detect_dock() slightly more NULL-deref safe * libdfu: Fix a crash if elf32_newehdr() fails * trivial: Remove or downgrade some superfluous warnings * trivial: Fix self tests after downgrading warnings commit * Run the plugin coldplug methods in a predictable order * trivial: Fix a tiny leak in the Dell plugin * dell: Fix the last of the memory leaks in the self tests * Use new GUsb functionality to fix flashing Unifying devices * unifying: Fix trivial error handler warning * trivial: Allow setting the unifying bootloader address for self tests * unifying: Make sure the percentage completion goes from 0% to 100% * trivial: Fix two tiny leaks in fwupdmgr * Support embedded devices with local firmware metadata * Rename the thunderbolt plugin to tbtfwu * trivial: Use warning_level in the top level meson file * libdfu: Add DfuPatch * Release fwupd 0.9.6 [ Mario Limonciello ] * trivial: debian: Add libcairo-dev to build-dependencies * Display UEFI firmware type * trivial: Adjust get-devices output order * Include optional git checkout information in --version * trivial: set FWUPD_GIT_DESCRIBE even if git isn't installed * uefi,dell: make error messages from installing capsules useful * uefi: record boot variables to system log during updates (#152) * trivial: uefi: whitespace * dell, uefi: Display all errors recorded by efi_error tracing, not just the first one * uefi: test for kernel support during coldplug * trivial: back the requirement on appstream-glib to 0.6.9 * trivial: packaging: lower appstream-glib requirements to match meson.build * trivial: correct version comparison for polkit 0.114 in meson.build * policy: fix compilation on a variety of configurations * trivial: debian: back off polkit-1 dependency * trivial: Add a Dockerfile for Ubuntu zesty (17.04) * trivial: move compilation instructions to github wiki * Default to "en" for UEFI capsule graphics * trivial: debian: move DFU introspection to it's own package * trivial: debian: correct some linitian errors about fwupd-tests * trivial: debian: add missing dh-strip-nondeterminism dependency * trivial: debian: update standards version * trivial: debian: remove transient items on purge (Closes: #868464, #868465) * trivial: debian: recursively cleanup on purge * trivial: fix various spelling errors * debian: run lintian as part of CI * Add capability to enable test suite via /etc/fwupd.conf * rpm: enable test suite via /etc/fwupd.conf * debian: enable test suite via /etc/fwupd.conf * trivial: clarify delimitter in use for fwupd.conf is a semicolon * trivial: adjust get-details and get-devices output Display Name output * trivial: set engine back to idle * Correct a memory leak in Dell plugin (Fixes #158) * trivial: fix some more memory leaks in dell plugin (#158) * dell: use plugin hash table instead * Revert "trivial: fix some more memory leaks in dell plugin (#158)" * trivial: debian: correct duplicate descriptions in control file * fix some more memory leaks in dell plugin (#158) * Add information about compile-time dependency versions * Drop all patches in debian/patches [ Patrick Ohly ] * meson: introspection optional [ Chris Lee ] * Make flashing ebitdo devices actually work * Upload to unstable [ Mario Limonciello ] * New upstream version (0.9.5) * deb packaging: cleaner locale fix * fix typo in contrib/debian/rules * Adjust debian dependencies * split out the test suite to it's own package * use dpkg-divert to adjust the launch script for CI testing * Fix long changelog in 0.9.4-1 * move DFU introspection to it's own package * add missing dh-strip-nondeterminism dependency * debian: update standards version * Backport fix to build capsule graphics in right language * Backport patch to allow enabling test suite via conf file. [ Richard Hughes ] * Add an AppStream metainfo file * Add an installed test for verification * New upstream version (0.9.4) * Drop all existging patches (now upstream) * Backport a patch to fix test suite. * Correct a cleanup rule * Drop intltool build dependency * Re-enable PIE for builds * Add additional build dependencies that will be needed for generating capsule graphics * debian/control: sort build-dependencies * Drop packaging from debian/, it will be git mv'ed from contrib/ upstream * Move Debian packaging from contrib/ upstream * Set locale to C.UTF-8 during build to fix unicode file error. [ Iain Lane ] * debian/rules: Use debhelper's built in meson support. (Closes: #863822) [ Mario Limonciello ] * Move the daemon back out of multiarch directory. * Disable DELL plugin on non x86 * Correct permissions on polkit rules * Explicitly depend upon >= debhelper 10.3 to ensure it's pulled from experimental on buildd too. * add explicit dep on policykit-1 0.105-17 to fix FTBFS due ITS rules * use dh_missing as dh_install --fail-missing is deprecated * Explicit dependency upon systemd too. * New upstream version (0.9.2) (Closes: #863250) * drop debian/patches * Add support for meson build system - Specify sysconfdir and libexecdir - call tests with ninja - Add local state directory while building * Require newer gettext for building. * Add 0.6.13 as libappstream-glib minimum version * Bump udev b-d to 231 for systemd confinement changes * Backport patch to fix detection of Dell systems [ Richard Hughes ] * trivial: post release version bump * trivial: Sync example spec file with downstream * Add DFU quirk for SIMtrace * Add DFU quirk for OpenPICC * Create directories in /var/cache as required * trivial: Fix the log domains in two plugins * trivial: No not list the API version indexes * trivial: Don't change the documentation output every time the version changes * trivial: Fix the last -Wpointer-sign warning * trivial: Change the name of a generated file * trivial: Remove non-warning flags from the CFLAGS * Use a 60 second timeout on all client downloads * Support proxy servers in fwupdmgr * Set the source origin when saving metadata * Add a config option to allow runtime disabling plugins by name * Fix the Requires lines in the dfu pkg-config file * Release fwupd 0.8.2 [ Mario Limonciello ] * trivial: install /var/lib/fwupd in make install (#94) * trivial: allow configuring ESP location (#94) * trivial: make valgrind an optional build dependency * trivial: make /boot/efi an optional ReadWritePath (#97) * trivial: set synaptics error message in more scenarios * Drop upstream patches. [ Shea Levy ] * Only try to mkdir the localstatedir if we have the right permissions (#96) [ AsciiWolf ] * Update Czech translation * Backport upstream commit to make valgrind optional (Closes: #856344) * Backport upstream commit to make /boot/efi optional to start fwupd.service. * Disable optional thunderbolt support until ITP is done. * New upstream version (0.8.1). - Fixes systemd confinement crashes (Closes: #856145) (LP: #1663548) * loosen dependencies on libefivar-dev and libfwup-dev * Optionally enable thunderbolt * Only build synaptics on supported arch (fixes FTBFS) * New upstream version (0.8.0) * Refresh symbols. * Drop all now upstream patches. * Enable build hardening flags * Drop valgind build dependency from m68k * Fix fwupd process leaking into dbus cgroup (Closes: #845406) * Backport a patch to make sure that appstream metadata validates properly. (Closes: #837765) * Drop armel from libfwup-dev build dependency architecture list. * Drop valgrind build dependency for mipsel, mips64el, armhf, and armel where it is segfaulting. * New upstream version (0.7.4) * Update symbols file. * drop binary patches * Drop existing upstream patches * Add a patch that verifies providers are called with proper mode * debian/control: - Update dell email addresses (_ -> .) - Add an explicit build dependency on new version of efivar - Add build dep on gir1.2-appstreamglib-1.0 * debian/rules: - Adjust architectures that tests are run for missing valgrind - Add autoconf archive to build-depends (Closes: 837826) - Adjust daemon install path to be non multi-arch (Closes: #808831) * Backport patch to make sure test suite runs without sysfs bind mounted. * Mark fwupd-doc package as Multi-Arch: foreign. * New upstream version (0.7.3) * debian/rules: Adjust launch of test suite due to 4eb527 * Drop wheel/sudo patch, and instead make change in debian/rules at build. * Update Vcs-Git URL to secure URL * Update standards version * Add libsmbios-dev to build dependencies for Dell features * Drop gtk-doc documentation into new package fwupd-doc * Add new packages for lib0bitdo support * require building against libfwup 7 * Backport patch to allow building on older appstream-glib * Add a lintian override for fuzzing tests * add gir:depends for libdfu1 * don't install ebitdo-tool helper tool * Backport patches for s390x failures. - include binary patch of example.elf * set libsmbios to i386/amd64 only * Add lintian override for systemd services missing Install. * Add libelf-dev to build-depends. [ Mario Limonciello ] * New upstream version (0.7.2) * Drop unnecessary patches now upstream. * Add gobject-introspection to build dependencies [ Michael Biebl ] * Split GObject introspection files into a separate package named gir1.2-fwupd-1.0. (Fixes: #826743) [ Jurica Stanojkovic ] * Disable test suite on mips to prevent FTBFS. Fixes: #826251) * New upstream version (0.7.0) * Install static app-info file for fwupd * Drop alienware version quirk table patch included upstream * Update headers installed for libdfu-dev * Use correct dpkg-architecture variable to apply -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE * Block builds on test suite failures * update libgusb requirement in debian/control * update symbols * Backport commits from upstream to fix problems on big endian * Backport commit to remove requirement for gnupg 2.1 * Backport UEFI naming to DMI Product Name from master. * Set HOME to current directory for the test suite to run properly on buildd * Stop gpg-agent process that persists after test suite run (Closes: #820669) * New upstream release (0.6.3) * Enable quirked firmware versions on Alienware as well * Conditionally enable colorhug if a new enough version is available. This will allow for easier backporting in the future * update standards version * Only build against libfwup-dev on x86 and arm architectures * add armel to supported architectures too * Explicitly turn off UEFI if libfwup-dev wasn't installed to fix FTBFS on these other architectures. * Fix FTBFS on powerpc related to GPGME * Update build-depends to libasppstream-glib-dev 0.5.10 * Add symbols files for libfwupd and libdfu1 * Adjust build depends to ensure building with at least gnupg 2.1.0 * Add libtool-bin into build-depends * Re-enable test suite (but don't block additional failures) * Include plugins not compiled in as providers in install * Install static app-info file for fwupd * Use dh_install --fail-missing to catch other things added upstream at build time * Backport patches from upstream that fix the test suite as a non-root user * New upstream release (0.6.2) - Fixes for Dell HW versions and UEFI get-results. * Set polkit rules to be effective with proper group (Closes: #808832) * Add rules compatible with polkit 0.105. (Closes: #808833) * New upstream release (0.6.0) - Adds support for DFU based flashing. * Generate libdfu* packages for the newly included libdfu support * Update copyright for current source * Rename fwupd-dev to the more conventionally named libfwupd-dev * update appstream-glib version requirement * add gtk-doc-tools to build depends and cleanup after using them. * New upstream release (0.5.4). - Adds support for compiling against fwupdate 0.5. * Fix FTBFS on armhf by passing -D_FILE_OFFSET_BITS=64 as well. * Add build dependency on udev. (Closes: #804279) * Fix hardening flags. * New upstream release (0.5.3) * Drop all patches, now upstream. * debian/control: Update build dependencies for new upstream version. * Initial release (Closes: #793446) ==== fwupd-signed: 1.40+1.5.11-0ubuntu2 => 1.42~ubuntu21.10.2+1.2-2~21.10.1 ==== ==== fwupd-signed * remove fwupd-unsigned from the Recommends of fwupd-signed. This is backported from v1.43 (LP: #1960783) [ Yuan-Chen Cheng ] * backport for impish. (LP: #1949412, LP: #1955386) [ ukasz 'sil2100' Zemczak ] * debian/control: adjust the fwupd-unsigned dependency to support source-copy backports (>= 1.1-3~ instead of 1.1-3). * Adjust dependency requirements. Since the package is decoupled from fwupd now, the version it needs to depend on doesn't need to match the package version. * Build depends on fwupd-unsigned 1:1.1-3 (LP: #1955386) * Adjust download script to download candidate version instead of from "current" symlink ==== git: 1:2.32.0-1ubuntu1 => 1:2.32.0-1ubuntu1.2 ==== ==== git git-man * SECURITY REGRESSION: Previous update was incomplete causing regressions and not correctly fixing the issue. - debian/patches/CVE-2022-24765-5.patch: fix safe.directory key not being checked in setup.c. - debian/patches/CVE-2022-24765-6.patch: opt-out of check with safe.directory=* in setup.c. (LP: #1970260) * SECURITY UPDATE: Run commands in diff users - debian/patches/CVE-2022-24765-*.patch: fix GIT_CEILING_DIRECTORIES; add an owner check for the top-level-directory; add a function to determine whether a path is owned by the current user in patch.c, t/t0060-path-utils.sh, setup.c, compat/mingw.c, compat/mingw.h, git-compat-util.h. - CVE-2022-24765 ==== gzip: 1.10-4ubuntu1 => 1.10-4ubuntu1.1 ==== ==== gzip * SECURITY UPDATE: arbitrary file override with crafted file names - debian/patches/CVE-2022-1271-1.patch: avoid exploit via multi-newline file names in zgrep.in. - debian/patches/CVE-2022-1271-2.patch: add test in tests/Makefile.am, tests/zgrep-abuse. - debian/patches/CVE-2022-1271-3.patch: port to POSIX sed in zgrep.in. - debian/patches/CVE-2022-1271-4.patch: optimize out a grep in gzexe.in. - debian/patches/CVE-2022-1271-5.patch: use C locale more often in gzexe.in, sample/zfile, zdiff.in, zgrep.in, znew.in. - debian/patches/CVE-2022-1271-6.patch: fix "binary file matches" mislabeling in tests/Makefile.am, tests/zgrep-binary, zgrep.in. - debian/rules: fix permissions on new test scripts. - CVE-2022-1271 ==== landscape-client: 19.12-0ubuntu10 => 19.12-0ubuntu10.1 ==== ==== landscape-common * d/p/0006-lp1903776-release-upgrade.patch (LP: #1903776) - Use /etc/apt/trusted.gpg.d for validating upgrade-tool signature. ==== libarchive: 3.4.3-2ubuntu0.1 => 3.4.3-2ubuntu0.2 ==== ==== libarchive13:amd64 * SECURITY UPDATE: Out-of-bounds read - debian/patches/CVE-2022-26280.patch: fix possible out-of-bounds read in zipx_lzma_alone_init() in libarchive/archive_read_support_format_zip.c. - CVE-2022-26280 ==== libjcat: 0.1.3-2build1 => 0.1.4-0ubuntu0.21.10.1 ==== ==== libjcat1:amd64 * Don't fail verification if compiled without an engine (LP: #1961864) * Remove unused {shlibs:Depends} * New upstream version. - Fixes CVE-2020-10759 [ Simon McVittie ] * Fix FTBFS: - Add missing B-D on help2man (Closes: #955258) - jcat-self-test: Sign /etc/os-release instead of /etc/machine-id. The autobuilders use a minimal chroot that doesn't necessarily have a machine ID, but base-files gives us /etc/os-release. (Closes: #955234) * Fix -dev package dependencies: - libjcat-dev: Add missing -dev dependencies for dependency libraries - libjcat-dev: Add missing dependency on a matching libjcat1 - d/control: Enable gir debhelper sequence. Otherwise ${gir:Depends} won't be generated. * Install test data so that the installed-tests can pass * Add some simple autopkgtest coverage (Closes: #955259) [ Mario Limonciello ] * Backport a few other patches from upstream related to installed-tests usage. * Initial release (Closes: #953565) ==== libsepol: 3.1-1ubuntu2 => 3.1-1ubuntu2.1 ==== ==== libsepol1:amd64 * SECURITY UPDATE: use-after-free in __cil_verify_classperms - debian/patches/CVE-2021-36084.patch: alter destruction of classperms list when resetting classpermission by avoiding deleting the inner data in cil/src/cil_reset_ast.c - CVE-2021-36084 * SECURITY UPDATE: use-after-free in __cil_verify_classperms - debian/patches/CVE-2021-36085.patch: alter destruction of classperms when resetting a perm by avoiding deleting the inner data in cil/src/cil_reset_ast.c - CVE-2021-36085 * SECURITY UPDATE: use-after-free in cil_reset_classpermission - debian/patches/CVE-2021-36086.patch: prevent cil_reset_classperms_set from resetting classpermission by setting it to NULL in cil/src/cil_reset_ast.c - CVE-2021-36086 * SECURITY UPDATE: heap-based buffer over-read in ebitmap_match_any - debian/patches/CVE-2021-36087.patch: check if a tunable declaration, in-statement, block, blockabstract, or macro definition is found within an optional in cil/src/cil_build_ast.c and cil/src/cil_resolve_ast.c - CVE-2021-36087 ==== libxml2: 2.9.12+dfsg-4 => 2.9.12+dfsg-4ubuntu0.2 ==== ==== libxml2:amd64 * SECURITY UPDATE: Integer overflows - debian/patches/CVE-2022-29824.patch: Fix integer overflows in xmlBuf and xmlBuffer in tree.c, buf.c. - CVE-2022-29824 * SECURITY UPDATE: use-after-free of ID and IDREF attributes - debian/patches/CVE-2022-23308.patch: normalize ID attributes in valid.c. - CVE-2022-23308 ==== linux-meta: 5.13.0.35.44 => 5.13.0.44.53 ==== ==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual * Bump ABI 5.13.0-44 * Bump ABI 5.13.0-43 * Bump ABI 5.13.0-42 * Bump ABI 5.13.0-41 * Bump ABI 5.13.0-40 * Bump ABI 5.13.0-39 * Bump ABI 5.13.0-38 * Bump ABI 5.13.0-37 * Bump ABI 5.13.0-36 * Packaging resync (LP: #1786013) - [Packaging] resync debian/dkms-versions from main package ==== linux-signed: 5.13.0-35.40 => 5.13.0-44.49 ==== ==== linux-image-5.13.0-44-generic * Master version: 5.13.0-44.49 * Master version: 5.13.0-43.48 * Master version: 5.13.0-42.47 * Master version: 5.13.0-41.46 * Master version: 5.13.0-40.45 * Master version: 5.13.0-39.44 * Master version: 5.13.0-38.43 * Master version: 5.13.0-37.42 * Master version: 5.13.0-36.41 ==== logrotate: 3.18.0-2ubuntu1 => 3.18.0-2ubuntu1.1 ==== ==== logrotate * SECURITY UPDATE: DoS via insecure permissions on state file - debian/patches/ubuntu/CVE-2022-1348-1.patch: skip locking if state file is world-readable in logrotate.c, logrotate.spec.in, test/Makefile.am, test/test-0087.sh, test/test-0092.sh, test/test-config.92.in. - debian/patches/ubuntu/CVE-2022-1348-2.patch: drop permissions on state file when ACLs are enabled in logrotate.c, test/test-0048.sh. - CVE-2022-1348 ==== needrestart: 3.5-4ubuntu2 => 3.5-4ubuntu2.1 ==== ==== needrestart * SECURITY UPDATE: arbitrary code exec via unanchored regexes - debian/patches/CVE-2022-30688.patch: improve regexes in perl/lib/NeedRestart/Interp/Perl.pm, perl/lib/NeedRestart/Interp/Python.pm, perl/lib/NeedRestart/Interp/Ruby.pm. - CVE-2022-30688 ==== netplan.io: 0.103-0ubuntu7.2 => 0.104-0ubuntu2~21.10.1 ==== ==== libnetplan0:amd64 netplan.io * Backport netplan.io 0.104-0ubuntu2 to 20.04 (LP: #1964481) - Enable 'embedded-switch-mode' setting on SmartNICs - Permit multiple patterns for the driver globs in match - Improve routing capabilities - Support additional link offload options for networkd - Handle differing 'ip6-privacy' default value for NetworkManager - YAML state tracking for DBus API and 'netplan try' - Support ConfigureWithoutCarrier ('ignore-carrier') for networkd - Cleanup Makefile, install only public headers - Netplan 'get' to use the libnetplan parser - libnetplan: + introduce the notion of NetplanState + use an explicit parser context + expose coherent generator APIs + improve overall error handling + consolidation of YAML parsing into the library ATTENTION: - Restrict the symbol export to a determined public API + We dropped some internal symbols from the API that we know have no external consumers, see upstream changelog for list of dropped symbols * Update debian/gbp.conf * Use Standards-Version 4.5.1 in debian/control * Add d/p/multi-driver-match-compat.patch for match.driver backwards compat ==== networkd-dispatcher: 2.1-2 => 2.1-2ubuntu0.21.10.2 ==== ==== networkd-dispatcher * SECURITY REGRESSION: Incomplete security fix (LP: #1971550) - debian/patches/CVE-2022-29799-regression.patch: Add initialized state in ADMIN_STATES in networkd-dispatcher. * SECURITY UPDATE: Directory traversal - debian/patches/CVE-2022-29799-pre.patch: Add a word that is missing in exception messages in networkd-dispatcher and tests/test_networkd-dispatcher.py. - debian/patches/CVE-2022-29799.patch: Add allowed admin and operational states in networkd-dispatcher and throw exceptions in handle_state function if the current state is not one of those and add a test case test_handle_state in tests/test_networkd-dispatcher.py. - CVE-2022-29799 * SECURITY UPDATE: Time-of-check-time-of-use race condition - debian/patches/CVE-2022-29800-1.patch: Add check_perms function that will be invoked in scripts_in_path function before appending a file path to the script_list in networkd-dispatcher and change test_scripts_in_path test case in tests/test_networkd-dispatcher.py with follow_symlinks set to false. - debian/patches/CVE-2022-29800-2.patch: Passes os.path.dirname(path) when checking for permissions in scripts_in_path function in networkd-dispatcher. - CVE-2022-29800 ==== openldap: 2.5.6+dfsg-1~exp1ubuntu1 => 2.5.6+dfsg-1~exp1ubuntu1.1 ==== ==== libldap-2.5-0:amd64 libldap-common * SECURITY UPDATE: SQL injection in experimental back-sql backend - debian/patches/CVE-2022-29155.patch: escape filter values in servers/slapd/back-sql/search.c. - CVE-2022-29155 ==== openssl: 1.1.1l-1ubuntu1.1 => 1.1.1l-1ubuntu1.3 ==== ==== libssl1.1:amd64 openssl * SECURITY UPDATE: c_rehash script allows command injection - debian/patches/CVE-2022-1292.patch: do not use shell to invoke openssl in tools/c_rehash.in. - CVE-2022-1292 * SECURITY UPDATE: Infinite loop in BN_mod_sqrt() - debian/patches/CVE-2022-0778-1.patch: fix infinite loop in crypto/bn/bn_sqrt.c. - debian/patches/CVE-2022-0778-2.patch: add documentation of BN_mod_sqrt() in doc/man3/BN_add.pod. - debian/patches/CVE-2022-0778-3.patch: add a negative testcase for BN_mod_sqrt in test/bntest.c, test/recipes/10-test_bn_data/bnmod.txt. - CVE-2022-0778 ==== pcre3: 2:8.39-13build3 => 2:8.39-13ubuntu0.21.10.1 ==== ==== libpcre3:amd64 * SECURITY UPDATE: buffer over-read in JIT - debian/patches/CVE-2019-20838.patch: check if type is not extended Unicode parameter or Unicode new line in pcre_jit_compile.c. - CVE-2019-20838 ==== rsyslog: 8.2102.0-2ubuntu2 => 8.2102.0-2ubuntu2.2 ==== ==== rsyslog * SECURITY UPDATE: Heap buffer overflow - debian/patches/CVE-2022-24903.patch: fix a potential heap buffer overflow adding boundary checks in contrib/imhttp/imhttp.c, plugins/imptcp/imptcp.c, runtime/tcps_sess.c. - CVE-2022-24903 ==== snapd: 2.54.3+21.10.1ubuntu0.2 => 2.54.3+21.10.1ubuntu0.3 ==== ==== snapd * Cherry-pick https://github.com/snapcore/snapd/pull/11680 and https://github.com/snapcore/snapd/pull/11287: - This fixes a bad interaction between snapd and update-notifier during a release upgrade (LP: #1969162) ==== sosreport: 4.2-1ubuntu0.21.10.1 => 4.3-1ubuntu0.21.10.1 ==== ==== sosreport * New 4.3 upstream. (LP: #1960996) * For more details, full release note is available here: - https://github.com/sosreport/sos/releases/tag/4.3 * New patches: - d/p/0002-fix-setup-py.patch: Add python sos.help module, it was missed in upstream release. - d/p/0003-mention-sos-help-in-sos-manpage.patch: Fix sos-help manpage. * Former patches, now fixed: - d/p/0002-report-implement_estimate-only.patch - d/p/0003-ceph-add-support-for-containerized-ceph-setup.patch - d/p/0004-ceph-split-plugin-by-components.patch - d/p/0005-openvswitch-get-userspace-datapath-implementations.patch - d/p/0006-report-check-for-symlink-before-rmtree.patch * Remaining patches: - d/p/0001-debian-change-tmp-dir-location.patch ==== sqlite3: 3.35.5-1 => 3.35.5-1ubuntu0.1 ==== ==== libsqlite3-0:amd64 * SECURITY UPDATE: segmentation fault in idxGetTableInfo - debian/patches/CVE-2021-36690.patch: perform validation over the column to ensure it has collating sequence in ext/expert/sqlite3expert.c - CVE-2021-36690 ==== systemd: 248.3-1ubuntu8.2 => 248.3-1ubuntu8.6 ==== ==== libnss-systemd:amd64 libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd systemd-sysv systemd-timesyncd udev [ Andy Chi ] * Add mic mute key support for HP Elite x360 series (LP: #1967038) Author: Andy Chi File: debian/patches/hwdb-Add-mic-mute-key-mapping-for-HP-Elite-x360.patch https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=04be3b1aabca6af865e6bfb2e4c7e7684b624ad9 [ Jeremy Szu ] * Add more hp dmi to unblock intel-hid event (LP: #1966179) Also, add HP EliteBook 630/830 13 inch dmi string to intel-hid allowlist Author: Jeremy Szu File: debian/patches/lp1966179-add-more-hp-dmi-to-unblock-intel-hid-event.patch https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=2ca44e12f37ecb44b96701c54a784924a62dcfc0 * debian/tests/boot-and-services: Ignore failed snap mount units in test_no_failed (LP: #1967576) [ Lukas Mrdian ] * Fix deadlock between pid1 and dbus-daemon (LP: #1871538) Author: Lukas Mrdian File: debian/patches/pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f79535077473902bad911dc2652a2fff4066fa30 * Don't override Ubuntu's default sysctl values (LP: #1962038) Author: Lukas Mrdian File: debian/patches/debian/UBUNTU-Don-t-override-Ubuntu-s-default-sysctl-values-LP-1962038.patch https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3ba2764d8f77e616461c9722923f685fad79f8c6 [ Jeremy Szu ] * Add a allowlist to unblock intel-hid on new HP machines (LP: #1955997) Author: Jeremy Szu File: debian/patches/lp1955997-add-a-allowlist-to-unblock-intel-hid-on-HP-mach.patch https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=554d46e6a6ab80befd424ead7ffa8e6f993b5f66 ==== twisted: 20.3.0-7ubuntu1 => 20.3.0-7ubuntu1.1 ==== ==== python3-twisted python3-twisted-bin:amd64 * SECURITY UPDATE: Information disclosure results in leaking of HTTP cookie and authorization headers when following cross origin redirects - debian/patches/CVE-2022-21712-*.patch: Ensure sensitive HTTP headers are removed when forming requests, in src/twisted/web/client.py, src/twisted/web/test/test_agent.py and src/twisted/web/iweb.py. - CVE-2022-21712 * SECURITY UPDATE: Parsing of SSH version identifier field during an SSH handshake can result in a denial of service when excessively large packets are received - debian/patches/CVE-2022-21716-*.patch: Ensure that length of received handshake buffer is checked, prior to processing version string in src/twisted/conch/ssh/transport.py and src/twisted/conch/test/test_transport.py - CVE-2022-21716 ==== tzdata: 2021e-0ubuntu0.21.10 => 2022a-0ubuntu0.21.10 ==== ==== tzdata * New upstream release (LP: #1965791): - Palestine will spring forward on 2022-03-27 (not 2022-03-26). ==== ubuntu-advantage-tools: 27.6~21.10.1 => 27.8~21.10.1 ==== ==== ubuntu-advantage-tools * Backport new upstream release: (LP: #1969125) to impish * New upstream release 27.8 (LP: #1969125) - entitlements: apply overrides from the contract response - fips: + unhold fips packages when enabling fips-updates + Automatically disable fips service before enabling fips-updates + unhold more packages when enabling fips - lib: fix upgrade script for unsupported releases (LP: #1968067) - realtime: add support for realtime kernel beta service on Jammy * fips: - make fips service incompatible with fips-updates - unhold more packages when enabling fips * d/changelog: - fix changelog trailer line for 27.4.1 * d/logrotate: - make new logs world readable * d/tools.postinst: - refactor to catch exception from entitlement_factory - no longer always set log file to only root readable - when creating log file for the first time, make world readable - adapt postinst for new messages module * New upstream release 27.7 (LP: #1964028) - attach: --attach-config option for customizing auto-enabled services and supplying token via a file - auto-attach: fix bug where auto-attach caused a manually attached machine to detach - cli: + support --format=json for attach + support --format=json for detach + support --format=json for enable + support --format=json for disable - contract: include activity info when updating contract - detach: no longer contacts contract server on detach - fips: allow fips on containers - fix: support USNs that don't have related CVEs - logs: make all newly created logs world-readable - security-status: + show already installed esm package counts + include APT origin for each potential update + bump schema version to "0.1" + remove previously required --beta flag - status: + include blocked_by information in service status when format=json + --simulate-with-token now reports expired tokens as errors + --simulate-with-token now returns errors in the specified format * New upstream release 27.6 (LP: #1958556) - cli: only request available resources from contract server when needed - fips: + allow enabling FIPS on focal clouds + update prompt messages - jobs: disable license-check job on GCP after attach - message: fix how apt and motd messages are updated after ua commands * d/control: - Update homepage URL * d/tools.postinst: - Refactor to use valid_services * d/tools.postrm: - Use a wildcard to remove ua related gpg files * New upstream release 27.5 (LP: #1956456) - aws: add support for the IPv6 metadata endpoint - cis: update URL for the documentation - cli: + add endpoint to simulate the status using a specific contract token + fix return code when attaching an already attached machine (GH: #1867) + fix security-status to consider all possible origins to show updates + include cloud build.info in the collect-logs tarball + only show services which exist in the contracts server in ua status - docs: fix typos and wrong/outdated information - livepatch: always use the full path in livepatch calls (LP: #1951954) - logs: + improve rules to redact sensitive information from all log files + redact sensitive information from older unredacted log files + log errors from external software execution, for debugging purposes - usg: + support the presentedAs affordance from the contract server, showing services in the CLI with the appropriate names + replace the CIS entitlement by USG on Focal and onwards * d/tools.postinst: - Fix check_service_is_enabled function when the machine is unattached (LP: #1951705) * jobs: do not run the status job for unattached users * d/rules: - Remove conftest file from the package * d/tools.postinst: - hardcode python binary to run python scripts (LP: #1930121) - undo unnecessary log file creation * d/tools.prerm: - hardcode python binary to run python scripts (LP: #1930121) * New upstream release 27.4 (LP: #1949634) - cc-eal: remove beta flag - cli: + attach will save machine-id during operation + detach won't ask unnecessary questions + new security-status subcommand lists potentially available security and ESM updates (beta) - fix: + exit 0 when fix is successfully applied and completed + exit 1 when fix cannot be applied + exit 2 when fix requires a reboot to complete + check reboot-required.pkgs for better reboot suggestions - livepatch: allow livepatch and fips-updates at the same time - metering: + update how activity info is parsed + update contract response structure + enable job by default - proxy: no_proxy defaults for link-local IMDS routes - util: + cache get_platform_info calls + fix machine-id fallback path on get_machine_id * d/tools.postinst: - consider cloud to be "none" on any cloud-id error - purge old ua-messaging.timer/service files - keep ua-timer.timer disabled if ua-messaging.timer was disabled by the user - properly configure both ubuntu-advantage-timer and ubuntu-advantage-licence-check logs * d/tools.postrm: - remove ubuntu-advantage-timer and ubuntu-advantage-license-check logs during purge * systemd: - remove ua-messaging.timer/service - add new ua-timer.timer that runs every 6 hours - add new ua-license_check.timer that runs every 5 minutes only if activated by ua-license-check.path * New upstream release 27.3 (LP: #1942929) - ros: + add beta support to enable ros and ros-updates + add support for "required services" so that esm-infra and esm-apps get auto-enabled when enabling ros or ros-updates + add support for "dependent services" so that user gets prompted to disable ros/ros-updates if they disable esm-infra/esm-apps - fips: + allow fips on GCP bionic now that optimized kernel is ready + disallow enabling fips on focal on clouds until cloud-optimized focal fips-certified kernel is ready (LP: #1939449, LP: #1939932) + print warning about generic fips kernel if cloud-id fails - cloud: + rely only on cloud-id to determine cloud type (LP: #1940131) + catch errors when determining cloud type (LP: #1938207, LP: #1944676) (GH: #1541) - azure: + bump IMDS API version to support Azure published images - cli: + collect-logs command that creates a tar file with debug-relevant logs and status info (GH: #463) + clean locks on exceptions more thoroughly to avoid false "Operation in progress" status messages + retain past service state after detach + shows better error message when a port value in a proxy is invalid - non-unicode locale support: + remove unicode-only characters from help file + don't print unicode-only characters in ua fix if non-utf8 locale (GH: #1463) - logrotate: + add logrotate functionality for ubuntu-advantage-timer.log. + Fix root:root logrotate permissions. - ua-timer.timer: + introduce a single systemd timer to handle ua recurring jobs + timer runs every 2 hours to support most frequent timer job + recurring job intervals are configurable in uaclient.conf + individual jobs are disabled if their interval is set to 0 - status job: + update ua status every 12 hours - messaging job: + update APT/MOTD ESM messaging every 6 hours - metering job: + disabled until infrastructure is ready + for attached machines only, periodically update contract server with status information for proper contract metering - ua-license-check.timer: + only runs on LTS GCP instances that are not attached + runs every 5 minutes to check if gcp instance has license required to auto-attach - logs: + fixes duplicate logging (GH: #553) - tests and support: + remove groovy integration tests + various improvements to integration tests * d/tools.postinst: - Do not fail in postinst if cloud-init did not run. This fixes the regression introduced in 27.2.1. (LP: #1936833) * d/control: - remove unnecessary distro-info dependency from build-depends * d/rules: - pick right version of distro-info based on release * docs: + add information about proxy auth to manpage and readme * lib: + handle missing configStatus key in patch status json script * d/control: - add comments to explain complex build-depends - add version requirement to distro-info (LP: #1932028) * d/tools.postinst: - run status.json schema patch script to avoid non-root status errors * New upstream release 27.2: - attach: print contract server reason for 403 (GH: #1630) - cli: add ua config set, unset and show subcommands - config: + add default ua_config setting values + only allow some fields to be set by envvar + use defaults for contract and security url - docs: + add proxy config options to man page + add instructions to generate MOTD messages + add support matrix info + remove broken api link - enable: allow downgrading packages during enable (GH: #1659) - fips: + add focal test for fips-updates + alert if wrong fips package installed on gov clouds + install correct fips package on gov clouds + only install conditional_packages if necessary and available - logs: log env vars that affect config on cli runs - proxy: + add config options to set proxies + print message when setting proxy + support configuring apt proxies + support configuring snap and livepatch proxies + support setting proxy for web requests + validate urls before setting as proxies - refresh: support refreshing config and contract separately - status + add config info to json output + add env vars to json output + do not show unavailable services in json output + support yaml format with same content as json format + update account info in json output + update contract info in json output + update root level keys of json output - refactor: + remove side effects from can_enable (GH: #1654, #1571) + use DatetimeAwareJSONDecoder to parse date strings - tests: + add additional enable test for incompatible services + add flag to enable proposed pocket + add test to check and print version being tested + drop trusty specific tests * Cherrypick upstream pr #1681 to unbreak many migrations. LP: #1930741 * d/control: - specify debianutils min version * d/changelog: - fix lintian typos amend and redact incorrect 27.0 entry (GH: #1624) * lintian: - override ubuntu-advantage-pro wanted-by-target cloud-init - override xenial specific errors - rename package-specific overrides for pro vs tools * New upstream release 27.1: - apt-hook: + avoid segfault when comparing null Apt file origin to esm (LP: #1929123) + avoid wrapping static message formats at 80 chars + update go build flags based on lintian warnings (GH: #1626) + only add newlines for MOTD if message file length is non-zero - attach: do not print contract name if empty - autocomplete: Do not show beta services in autocomplete (GH: #1594) - cis: + make service non-beta + post enable message pointing to docs + update cis help url - docs: update releases.md per SRU review feedback on branch structuring - enable: correct messaging for beta service (GH: #1588) - errors: print a more helpful message when ssl fails (GH: #1618) - fips: + Block enabling fips if fips-updates once enabled (GH: #1600) + Update output of fips commands (GH: #1631) - livepatch: alert when snapd does not have wait cmd (LP: #1927329) - logging: remove tracebacks for UserFacingErrors (GH: #1586) - messaging: + Infra and Apps messaging is mutually exclusive (GH: #1573) + point to u.com/16-04 instead of u.com/advantage on ESM (GH: #1584) + separate _remove_msg_template. emit no warranty on infra disabled - pro: obtain AWS IMDSv2 API token before trying to grab pkcs7 doc (GH: #1608) - status: do not show info if not on contract (GH: #1592) - tests: + drop trusty specific tests + fix mock for handle_message_operations + fix motd message for bionic (GH: #1615) + integration tests for hirsute and groovy + manual test for trusty upgrade to xenial + reboot after dist-upgrade for upgrade test + test enabling CIS on focal (GH: #1582) + update messages in integration tests (GH: #1635) + use proposed pocket on xenial upgrade test - jenkins: + add pytest runs for xenial and bionic + run focal lxd integration tests * d/control: - order build-depends alternatives newer first (LP: #1926949) - apt-hook: do not attempt to package go APT JSON hook on some architectures (GH: #1603) (LP: #1927886, LP: #1927795) * Bug-fix release 27.0.2: build failures on riscv64 and powerpc - apt-hook: refactor json hook messaging to be dry - tests: fix subp ls error case for powerpc builds - jenkinsfile: add --resolve-alternatives for trusty builds - amend changelog: add omitted apt-hook message for 27.0.1 stanza * Add .gitignore and cleanup ignored directory .pytest_cache * apt-hook: mitigate failures with true * New upstream release 27.0: - [redacted: actually landed in 27.0.1] apt-hook: mitigate failures with true - messages: add optional (s) to apt messaging to include singular/plural pkgs - apt-hook: avoid reporting and counting duplicate package names (GH: #1578) - fix: don't say reboot required when unnecessary (LP: #1926183) - test: uncomment additional xenial upgrade tests * New upstream beta3 release: - config: avoid tracebacks on invalid features value in uaclient.conf (GH: #1564) - apt-hook: new json hook for security update counts - Remove redundant messaging from uaclient * d/control: - add distro-info dependency - add new debianutils dependency - add optional dh-systemd | debhelper (>= 13.3) to fallback on hirsute and later when dh-systemd is not present * d/rules: enable and start ua-messaging.timer on package install * d/postinst: - configure esm on any LTS release avoid beta services - configure esm-infra when is_active_esm and apps on LTS - xenial enable unauthenticated apt source for apps/infra * New upstream release 27.0~beta: - apt-hook: + adapt hook to process separate message templates + esm-apps and esm-infra pkg counts not mutually-exclusive + print static messages on apt upgrade/dist-upgrade (GH: #1546) - config: create settings_overrides on config (GH: #1507) - docs: add entry for uploading new version to ppa - esm: + add pin never when disabling esm-infra/apps on xenial + enable infra when EOL LTS and apps on all LTS (GH: #1558) - fips: add notice when installing over old fips - fix: + add links to ubuntu.com/gcp/aws in messaging when on non-PRO + add notice to reboot operation on ua fix + do not prompt user for beta services (GH: #1544) + notify users if reboot is required (GH: #1476) + update how the expired token logic works + wrap output greater than 80 chars (GH: #1487) - lib: fix notice handling on reboot script - messages + provide static message files for use in APT and MOTD + update_ua_messages on attach/detach/disable - mypy: add lib/ dir for coverage - status: do not remove notices on non-root call (GH: #1518) - subp: separate % format strings when logging (GH: #1520) - systemd: add ua-messaging.timer to update ua MOTD and APT msgs - update-motd.d: add conditional hooks for motd to source ua messages - util: add is_lts and is_active_esm funtions to support ESM - test + add integration tests asserting esm-apps setup due to postinst + manual test script for xenial upgrade + trusty and xenial infra and apps disabled in pkg install - behave: use unaltered cloud images unsetting UACLIENT_BEHAVE_PPA - jenkins: make lint and style stage run sequentially * d/*: prefix all the debhelper conf files with the package name * d/control: - add Rules-Requires-Root: no - bump Standards-Version to 4.5.1 - make ubuntu-advantage-pro Architecture: all * d/lintian-overrides: - override maintainer-script-calls-service - package-supports-alternative-init-but-no-init.d-script * d/postinst: move the u-a-pro note to a config script * d/ubuntu-advantage-tools.templates: suggest the use of apt * New upstream release 27.0~beta: - apt: add retry for apt-helper command (GH: #1431) - cli: drop subcommand repeated help output, fix enable & refresh (GH: #1440) - config: + allow parsing yaml delivered from env values + environment variable support for feature overrides (GH: #1395) + create config to add extra params to security url - docs: + add ppas and fix typos + use Ubuntu Pro not Ubuntu PRO + add stop "." punctuation to messages (GH: #1320) - fips: fix FIPS message when disable operation fails - fix: + add basic UASecurityClient to which queries CVE and USNs + add security_url to config + check if service is enabled during ua fix (GH: #1462) + closer representation of cve and usn responses + filter usns by cve details (GH: #1470) + fix regex to be more permissive and strict + get_cve_affected_source_packages_status won't list not-affected (GH: #1467) + handle other package status when running ua fix (GH: #1435) + improve error message for ua fix (GH: #1420) + install pkg fixes when they are on standard pocket (GH: #1401) + move timeout and retries to security client only + only prompt for subscription attach for UA-related pkg updates + parse all related USNS to a given CVE when fixing + parse full API responses for related CVEs and USNs + prefer USN.release_packages binary pkg versions to CVE src ver (GH: #1436) + prompt for new ua token when expired one is used (GH: #1475) + prompt to emit pro suggestion on pro_clouds if unattached (GH: #1386) + prompt to enable service during ua fix (GH: #1455) + provide related CVE URLs instead of USNs (GH: #1456) + raise errors when source_link is null or unexpected format + show packages that were not fixed in the output + update output for released packages in ua fix (GH: #1438) + update message for invalid issue in ua fix (GH: #1433) + use pocket values from USNs (GH: #1439) - logs: emit error response on API errors and redact sensitive logs (GH: #1424) - serviceclient: add 10 second timeout and two retries to API calls (GH: #1374) - util: + add error prompts on invalid selection + add timeout to readurl - tests: + Add disable_auto_attach config to all test PRO vms + add merge_usn_released_binary_package_versions tests + add unittest coverage for override_usn_release_package_status + drop traceback checks on fips integration tests + refactor integration tests for ua fix cmd + run status wait before detach in PRO tests + use ssh to run commands on lxd containers - jenkins: archiveArtifacts can only reference paths within workspace * d/control: add new debianutils dependency * New upstream release 26.3 - util: improve is_container check for chroot - cli: pass assume_yes param to services on detach (GH: #1530) * Drop dh-systemd build dependency. * status: show beta services in status if enabled (GH: #1410) * New upstream release 26.1 - contract: block detach call to contract if machine-id change - docs: add readme docs about mastering clean golden images - fips: add reboot notices for fips operations (GH: #1368) - livepatch: add retry when running canonical-livepatch status (GH: #1360) - util: use lru_cache to avoid re-reading os-release and machine-id (GH: #1329) - tests: + add disable_auto_attach config to all test PRO vms + add more log artifacts during failed integration test + check cloudinit status after launching image + mock leaking livepatch.application_status for fips test + retry package installs on apt exit 100 - jenkins: parameterize build stages to avoid parallel job collision * auto-attach: fix comparing numeric iid * New upstream release 26.0: - auto-attach: systemd unit to run before ua-reboot-cmds.service - config: remove_notice should remove notices.json when empty - fips: + add notice if running a deactivated FIPS kernel (GH: #1348) + block enabling FIPS on clouds using Xenial + block enabling fips on GCP instances + check /proc/sys/crypto/fips_enable to see if fips is enabled + override fips metapackage when on bionic cloud + update metapackage override logic on fips - notices: clear lock file and notice when encountering any exception (GH: #1326) - reboot_cmds: retry on lock held errors due to pro auto-attach - services: allow uaclient to disable services during enable - status: include beta services in json formatted output with --all (GH: #1341) - tests: + add FIPS tests to AWS and Azure bionic images + add GCP pro test for focal machine + add after_step collection of artifacts on failure + remove proc file check after disabling fips + pro: block auto-attach with cloud-config bootcmd + add validation of systemd unit ua-reboot-cmds.service + test enabling fips-updates when fips is enabled - jenkins: - add deb build stage to assert package builds - use series-specific sbuild --build-dir avoid races - use --append-to-version for each sbuild run to avoid races - presume success when no integration artifacts created * d/rules: - add --with systemd to allow reboot init script - do not remove lib/systemd/system folder * d/postinst: - create marker file when reboot script need to run: - enable livepatch across trusty to xenial upgrade - update fips on existing fips pro machines * New upstream release 26.0~beta: - gcp: add Google Cloud Platform support (GH #1269) - fips: + remove is_beta from fips sevices + fips pro: add upgrade support to require reboot to unmark held fips pkgs + update origin UbuntuFIPSUpdates - status: + add notice to tabular output + held locks emit notice about Operation in progress - cli: help sort output so trusty ordering matches xenial++ - cis: rename service from cis-audit - config: provide config notices and add_notice and remove_notice methods - contract: add resource-machine-access route and datapath - init: add init script to run commands on reboot - keys: add ubuntu-advantage-cis keyring - livepatch: make livepatch react to enableByDefault delta - log: log when we install pkgs because of contract delta - make: drop six testdeps target - pro: do not install pro debs on non-pro instances - services: Update beta info for services (GH #1220) - tools: add tox-lxd-runner, that execute the test command in a shell - tools: refresh-keyrings handles cis keys. drop series-specific keys - tests: + add GCE support for integration tests + add cis integration tests for unattached and pro + add pytest constraint for mypy tests + add unittests for reboot_cmds script + fix esm package messages for new update notifier version + pin importlib-metadata for mypy tests + repo tests for request_resource_machine_access + unit tests for config cache clearing and machine-access data - jenkins: + add basic Jenkinsfile for CI runs per PR + add jenkins parseable test results + add lxc cleanup stage on Jenkinsfile * Release version 25.0 * New upstream release 25.0~beta3: - upgrade-lts-conract: noop during do-release-upgrade on unattached (GH: #1255) - ua-auto-attach: order systemd unit before cloud-config.service - Update FIPSUpdates pin origin - fips: unmark held fips packages for ubuntu pro fips image support (GH: #1109) - repo: handle changes to additionalPackages contract deltas - repo: move package installation to install_packages method - pro: trigger auto-attach as soon as instance-data.json is available (GH: #1234) - Conditionally install packages when enabling FIPS - fips: allow disable (GH: #1168) - cli: add trailing newline to argparse errors (GH: #1236) - Install fips metapacking when enabling service - integration test improvements: + upgrade-test: fix upgrade path restart failures on trusty (GH: #1257) + Fix integration test setup scripts (GH: #1253) + strict checking for command success on behave + Update tests to use new pycloudlib LXD abstraction + Add upgrade scenario tests when FIPS is enabled + Improve FIPS tests for checking packages + Update esm-infra xenial lxd test + Fix vm tests as esm-apps is beta service + Fix azure generic integration testing + Update esm-apps check on staging_commands tests + Install pycloudlib for azure jobs only + Fix shell condition in run_azure_travis_integration_tests.sh + Update azure jobs on travis + Update travis url in README + Update travis scripts to use ppa only on master + Fix cron event type check on travis yaml * New upstream release 25.0~beta2: - help: update esm-infra help text (GH: #1212) - apt-hook: update apt cli messaging for UA Infra: ESM and UA Apps: ESM product names - help: update fips help docs (GH: #1213) - help: revert CIS help doc URL (GH: #1211) - help: add new fips help URLs to CLI help docs (GH: #1210) - Show error when enabling service with invalid repo [Lucas Moura] (GH: #954) - Update beta info for services (#1220) [Lucas Moura] (GH: #1216) - Do not enable fips when fips-updates is active [Lucas Moura] (GH: #1209) - Add vm test commands in tox.ini (#1204) [Lucas Moura] * Beta bug fix release - status: fix missing description_override key after upgrade from trusty (GH: #1201) - During contract delta processing use _check_application_status_on_cache instead of live service status * d/control: - add po-debconf dependency and fix lintian not-using-po-debconf and untranslatable-debconf-templates - add ${misc:Depends} dep to ubuntu-advantage-pro to fix lintian debhelper-but-no-misc-depends (GH: #1024) * d/rules: - drop --with systemd fix build-depends-on-obsolete-package - set fix lintian warning extra:Depends even if empty * d/postrm - Add more gpg keys to be deleted in postrm for Xenial+ support * d/postinst: - do not unconfigure non-trusty esm. no series in apt filenames (GH: #1170) - check if esm is already enabled (GH: #1095) * New upstream release 25.0: - Do not uninstall additionalPackages or livepatch when disabling services - check for issubclass on clean_apt_files - Add do-release-upgrade support for esm-infra and apps suites (GH: #1169) - Apply contract deltas during do-release-upgrade operations - cli: add ua help command - cli: status add blocking --wait param and lock files for config change - Fix livepatch behaviour on aws pro focal machine - travis: drop inapplicable workspaces from specific awsgeneric release jobs - Add possible reboot text after enabling/disabling services - apt-hook: package apt-hook and apt configuration files on all releases (GH: #1150) - Fix enable fail bug - Add uaclient.conf override mechanism for auto-attach, beta services and machine-token - Support ESM Apps [Brian Murray] (GH: #930) - Do not enable services if blocking services is active (GH: #1029) - contract: handle 401 on invalid token, 403 on expired (GH: #1335) - Hide beta services from default status output and enable/disable operations (GH: #1079) (GH: #1091) - fips: force apt noninteractive prompts during package installs (GH: #1084) - tests: add unit tests for aws-gov/aws-china cloud detection - Add AWS China and GovCloud partitions [Robert Jennings] - Disable beta services to be show/enabled without flag - Add missing build_pr command to environment - Use additionalPackages from service payload - Add integration testing for Travis runs [patriciadomin] (GH: #856) (GH: #857) (GH: #853) * New bug-fix-only release 24.4: - uaclient.version bump to 24.4 - fips: honor additionalPackage directive from contract for bionic (GH #1173) * New bug-fix-only release 24.3: - uaclient.version bump to 24.3 - fips: add conditional reboot message only if /var/run/reboot-required is present - fips: add apt repo key for FIPS and FIPS updates (GH #1026) * New bug-fix-only release 24.2: - uaclient.version bump to 24.2 - pro: Add AWS China and GovCloud partitions support (GH #1077) * New bug-fix-only release 24.1: - livepatch: run snap wait system snap.seeded before trying to install (GH: #1049) - version: return debian/changelog version when git describe fails to match upstream . tags for git-ubuntu workflow (GH: #1058) * bump version to 24.0 for new versioninig scheme * New upstream release 20.3: - ubuntu-pro: automatically reattach across instance id delta (LP: #1867573) - integration testing: + add behave tests ua subcommands for attached vm + add invalid token tests + add reuse_container test docs + refactor token parameter * d/templates: add a debconf note on upgrade from pre-ubuntu pro package * d/control: create a separate ubuntu-advantage-pro package which delivers the tooling and scripts necessary to auto-attach pro machines This change breaks/replaces ubuntu-advantage-tools <= 20.1 * d/maintscript: rm_conffile /etc/init/ua-auto-attach.conf from ua-tools pkg * d/postint: remove stale systemd symlinks which have migrated to ubuntu-pro * d/rules: only install the apt hook on trusty * d/rules: provide --no-start to debhelper to avoid auto-attach on pkg install * Release 20.2: - ubuntu-pro: + azure: fix detection of DatasourceAzureNet as azure on trusty + generalize identity_doc to return dict instead of string + auto-attach: any 4XX errors during auto-attach are the result of non-Pro + auto-attach: handle 403 errors raised by contract server for invalid vms - attach: persist any status config changes after attach failures - output: add messaging using a different subscription if attached * Release 20.1: - azure-pro, support for azure ubuntu pro auto-attach: + add azure auto-attach instance as valid cloud_instance_factory + add azure cloud instance module and tests + generalize request_aws_contract_token for multiple cloud_types + contract: request_auto_attach_contract_token takes an instance param - constraints: add constraint on pyyaml version in trusty - auto-attach: move duplicate invalid cloud_type check out of cli * d/postinst: only configure ESM on supported architectures (LP: #1851858) [Andreas Hasenack] * d/postinst: rename existing ubuntu-esm-precise.list file to trusty. This fixes the upgrade path from precise to trusty and to this client while esm is enabled (LP: #1850672) * Release 19.7: - aws: handle missing SYS_HYPERVISOR_PRODUCT_UUID - aws-pro: support for aws ubuntu pro auto-attach - pro: add cloud identity module and fix unit tests - pro: update systemd service and upstart boot scripts to auto-attach - pro: esm do not do apt pin never on disable on xenial or bionic - pro: esm-apps has origin UbuntuESMApps and esm-infra is UbuntuESM - status: dynamic status available now from refreshed machine-token - uaclient: update customer visible messages after UX review - esm-apps: allow unattended security upgrades for esm-apps - systemd: needs WantedBy=multi-user.target to get pulled into boot - cli: update docstring to describe errors raised from auto-attach - keyrings: update ubuntu-advantage-esm-apps.gpg with correct key - repo: match strict repo url in apt-policy to avoid esm substring matches - esm: don't disable_apt_auth_only for ESM entitlements - initial implementation of esm-apps - repo: don't raise exception in application_status if aptURL missing - entitlements: rely solely on contract server for repo_url - cli: exit 0 if already attached - cli: use decorators for action_attach and action_attach_premium - cli: add assert_not_attached decorator - status: custom descriptions for n/a service status * New upstream release. Main changes: - drop SSO interactive login support - d/control: no longer depend on pymacaroons, which was only needed for the SSO interactive login support - drop keyrings for services not supported in trusty: cc-eal, fips, fips-updates, cis audit - make sure /var/lib/ubuntu-advantage/private has 0700 perms - rename esm to esm-infra. Also handle upgrades - don't unecessarily remove config files that are already handled by dpkg - expand the apt related runtime dependencies - handle sources.list.d esm snippet when release upgrading from precise - ua status now reports availability of services even in unattached state - the "ua status" output was changed, including the json format option - drop "ua status" call in postinst as it now requires internet access and that is restricted in LP builders and test runners. - fix the d/t/usage DEP8 test that was also using status * d/t/usage: fix dep8 test ("entitlements" was renamed to "services") * New upstream release (LP: #1832757): - packaging: + d/control: depend on libapt-pkg to use pin-priority never + d/postinst: adjust logfile permissions + d/postinst: remove public files and generate status cache on upgrade + d/postinst: Remove the old CACHE_DIR in postinst + d/postrm: remove log files on package purge + d/postrm: remove the ESM pinning file on purge + trusty should remove v1 esm key if present after upgrade + keyrings: regenerate keyrings on a trusty host + refresh keyrings to match current production for fips and cc-eal - apt: + all repo entitlements now call apt-get update on enable + enable -updates if -updates from the Ubuntu archive is enabled + Add basic i18n (good enough for lang packs) + retry apt install and update commands 3 times simple backoff + write commented -updates lines instead of omitting them - attach/detach: + added --no-auto-enable option + suppress messages from inapplicable default entitlements + two-factor auth reprompt only two-factor auth on failed 2fa + honour enableByDefault obligations from contract server + livepatch: no auto-enable on attach for trusty + don't attempt to disable inapplicable entitlements during detach + check for root before checking for attach in assert_attached_root - status: + add --json cli formatting option + emit a SERVICE header in status output + redact technical support and expiry for free contracts + unentitled services will report n/a - cc-eal: + add a warning about download size before install + change cc to cc-eal in docs, parameters and commandline help - esm: + add esm-v2 gpg keyring, drop old keyring, ignore aptKey directive + and livepatch auto enabled on attach where supported + on upgrade do not install preferences to pin never if esm enabled + remove only the apt auth entry on disable, leaving sources.list + use Pin-Priority never apt preference file to disable esm initially - fips: + display as pending when linux-fips is not the running kernel + only install/upgrade optional packages that are already on the system - logs: + no longer redact secrets as logfile is root read-only + separate console log devel from logfile level + remove level from messages to the console - add subcommand to refresh all contract details - config: allow contract_url and sso_auth_url to have a trailing slash - docker: fix persisting generated uuid on images without machine-id files - environ: allow lowercase ua_ overrides - repo: un-comment ESM sources.list lines on repo disable - updated manpage and help docs * apt-hook: Add missing headers for APT 1.9 * Drop the self-test assert in the apt-hook, it's making the subiquity server install fail (LP: #1824523) * apt-hook: Do not crash/fail if we can't read /proc/self/status (LP: #1824523) * Ubuntu Advantage Tools rewrite in Python (LP: #1814157): - Allow attaching a system to a contract or account - More complete status output, dropping MOTD updates - Easily enable and disable services offered * Have ua status cope with the additional livepatch of running a kernel that is not supported for livepatches. * Have an option for enable-livepatch to install a compatible kernel if needed. [ Vineetha Kamath ] * Add support to common criteria EAL2 artifacts installation #144 * New upstream release - added enable-fips-updates command. This command enables the fips-updates repository to install updates to FIPS modules. The updated modules from fips-updates repository are non-certified. * d/t/update-motd-run: fix path to the esm motd (LP: #1757490) * Rename motd scripts so they are shown a bit earlier (LP: #1757171) * Move empty line placement in the livepatch motd to the beginning of the message to avoid double blank lines. * New upstream release: - repositories are only added after credentials are verified (LP: #1730361) - Livepatch MOTD script (LP: #1710976) - better "status" command output formatting (LP: #1719034) - sources.list.d files no longer contain credentials. The "auth.conf" facility is used instead. (LP: #1700611) - enabled Livepatch support for Bionic 18.04 LTS * New upstream release: - run tests during package build * New upstream release: - revert the latest name changes - instead of "advantage", add a "ua" symlink pointing at the ubuntu-advantage script. Likewise for its manpage. (LP: #1721272) * New upstream release: - rename the ubuntu-advantage script to advantage, including where it's mentioned in the documentation. Also provide symlinks pointing at the previous name. (LP: #1721272) - slightly reword some of the FIPS messages * New upstream release with FIPS support (LP: #1718291) * New upstream release: - call apt-get with the non-interactive frontend variable set, and tell dpkg to keep the old config file by default should there be any prompts about that. (LP: #1715012) - split the one big test file into multiple smaller files, for better maintainability. * Release to artful (LP: #1711369) * d/control: update package description * New release version 6. Main changes: - document return codes on the manpage (Fixes: #33) - new status command (Fixes: #40) - restrict esm to precise only (Fixes: #43) - drop the livepatch motd update, only esm has motd output now (Fixes: #44) - skip tests during package building (Fixes #49) * Only display apt output in the case of errors (Fixes #34). * Check running kernel version before enabling the Livepatch service (Fixes #30). * Add livepatch support: - New commands: + enable-livepatch + disable-livepatch + is-livepatch-enabled - new tests - new manpage - new help output - new README.md - new MOTD * ubuntu-advantage & /etc/update-motd.d/99-esm now build, run and are quiet on non-precise release. (LP: #1686183) * Add simple dep8 tests. * Also install ca-certificates (LP: #1690270) * Initial Release. LP: #1686183 ==== ubuntu-release-upgrader: 1:21.10.8 => 1:21.10.9 ==== ==== python3-distupgrade ubuntu-release-upgrader-core * do-release-upgrade: Preserve env vars needed for screen lock prevention (LP: #1968607). * Run pre-build.sh: updating mirrors, demotions, and translations. ==== xz-utils: 5.2.5-2 => 5.2.5-2ubuntu0.1 ==== ==== liblzma5:amd64 xz-utils * SECURITY UPDATE: arbitrary file overwrite or code execution with crafted file names - debian/patches/CVE-2022-1271.patch: fix escaping of malicious filenames in src/scripts/xzgrep.in. - CVE-2022-1271 ==== zlib: 1:1.2.11.dfsg-2ubuntu7 => 1:1.2.11.dfsg-2ubuntu7.1 ==== ==== zlib1g:amd64 * SECURITY UPDATE: memory corruption when deflating - debian/patches/CVE-2018-25032-1.patch: fix a bug that can crash deflate on some input when using Z_FIXED in deflate.c, deflate.h. - debian/patches/CVE-2018-25032-2.patch: assure that the number of bits for deflatePrime() is valid in deflate.c. - CVE-2018-25032 -- [1] http://cloud-images.ubuntu.com/releases/impish/release-20220602/ [2] http://cloud-images.ubuntu.com/releases/impish/release-20220309/