A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'. The following packages have been updated. Please see the full changelogs for a complete listing of changes: * alsa-lib: 1.2.2-2.1ubuntu1 => 1.2.2-2.1ubuntu2 * alsa-ucm-conf: 1.2.2-1ubuntu0.1 => 1.2.2-1ubuntu0.2 * apport: 2.20.11-0ubuntu27.6 => 2.20.11-0ubuntu27.8 * base-files: 11ubuntu5.1 => 11ubuntu5.2 * bcache-tools: 1.0.8-3 => 1.0.8-3ubuntu0.1 * bind9: 1:9.16.1-0ubuntu2.2 => 1:9.16.1-0ubuntu2.3 * bind9-libs: 1:9.11.16+dfsg-3~build1 => 1:9.11.16+dfsg-3~ubuntu1 * command-not-found: 20.04.2 => 20.04.4 * curl: 7.68.0-1ubuntu2.1 => 7.68.0-1ubuntu2.2 * grub2: 2.04-1ubuntu26.2 => 2.04-1ubuntu26.3 * grub2-signed: 1.142.4+2.04-1ubuntu26.2 => 1.142.5+2.04-1ubuntu26.3 * libx11: 2:1.6.9-2ubuntu1 => 2:1.6.9-2ubuntu1.1 * linux-meta: 5.4.0.42.46 => 5.4.0.45.49 * linux-signed: 5.4.0-42.46 => 5.4.0-45.49 * pam: 1.3.1-5ubuntu4 => 1.3.1-5ubuntu4.1 * rsyslog: 8.2001.0-1ubuntu1 => 8.2001.0-1ubuntu1.1 * software-properties: 0.98.9.1 => 0.98.9.2 * sudo: 1.8.31-1ubuntu1 => 1.8.31-1ubuntu1.1 * tmux: 3.0a-2 => 3.0a-2ubuntu0.1 * ubuntu-meta: 1.450.1 => 1.450.2 * ubuntu-release-upgrader: 1:20.04.23 => 1:20.04.24 * unattended-upgrades: 2.3 => 2.3ubuntu0.1 * xz-utils: 5.2.4-1 => 5.2.4-1ubuntu1 The following is a complete changelog for this image. new: {'linux-headers-5.4.0-45': '5.4.0-45.49', 'linux-modules-5.4.0-45-generic': '5.4.0-45.49', 'motd-news-config': '11ubuntu5.2', 'linux-headers-5.4.0-45-generic': '5.4.0-45.49'} removed: {'linux-headers-5.4.0-42-generic': '5.4.0-42.46', 'linux-headers-5.4.0-42': '5.4.0-42.46', 'linux-modules-5.4.0-42-generic': '5.4.0-42.46'} changed: ['alsa-ucm-conf', 'apport', 'base-files', 'bcache-tools', 'bind9-dnsutils', 'bind9-host', 'bind9-libs:amd64', 'command-not-found', 'curl', 'grub-common', 'grub-efi-amd64-bin', 'grub-efi-amd64-signed', 'grub-pc', 'grub-pc-bin', 'grub2-common', 'libasound2-data', 'libasound2:amd64', 'libcurl3-gnutls:amd64', 'libcurl4:amd64', 'libdns-export1109', 'libisc-export1105:amd64', 'liblzma5:amd64', 'libpam-modules-bin', 'libpam-modules:amd64', 'libpam-runtime', 'libpam0g:amd64', 'libx11-6:amd64', 'libx11-data', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.4.0-45-generic', 'linux-image-virtual', 'linux-virtual', 'python3-apport', 'python3-commandnotfound', 'python3-distupgrade', 'python3-problem-report', 'python3-software-properties', 'rsyslog', 'software-properties-common', 'sudo', 'tmux', 'ubuntu-minimal', 'ubuntu-release-upgrader-core', 'ubuntu-server', 'ubuntu-standard', 'unattended-upgrades', 'xz-utils'] new snaps: {} removed snaps: {} changed snaps: ['core18', 'lxd', 'snapd'] ==== alsa-lib: 1.2.2-2.1ubuntu1 => 1.2.2-2.1ubuntu2 ==== ==== libasound2-data libasound2:amd64 * d/p/0001-conf-add-snd_config_is_array-function.patch * d/p/0001-Enabled-extended-namehints-in-alsa.conf.patch * d/p/0002-topology-use-snd_config_is_array-function.patch * d/p/0003-ucm-merge-the-array-items-from-the-condition-blocks.patch * d/p/0004-ucm-parse-SectionOnce-section-in-the-master-UCM-conf.patch * d/p/0005-ucm-execute-SectionDefaults-lately-when-the-first-ve.patch * d/p/0006-ucm-handle-set-_once-command.patch * d/p/0007-ucm-handle-set-_defaults-command.patch * d/p/0008-ucm-initialize-mgr-once_list.patch * d/p/0009-ucm-fix-SectionOnce-comment.patch * d/p/0010-ucm-fix-compilation-error-in-set_defaults_user.patch * d/p/0011-ucm-rename-SectionOnce-to-BootSequence.patch * d/p/0012-ucm-rename-_once-command-to-_boot-command.patch * d/p/0013-ucm-configuration-implement-in-place-Include.patch * d/p/0014-ucm-configuration-substitute-ConfDir-and-ConfTopDir.patch * d/p/0015-ucm-config-substitute-File-string-to-allow-variables.patch * d/p/0016-ucm-configuration-allow-to-define-the-configuration-.patch * d/p/0017-ucm-configuration-add-DefineRegex.patch * d/p/0018-ucm-substitute-arguments-in-sequences.patch * d/p/0019-ucm-allow-syntax-version-3.patch * d/p/0020-ucm-config-change-the-in-place-include-evaluation-or.patch * d/p/0021-ucm-allow-to-specify-the-toplevel-directory-using-as.patch * d/p/0022-ucm-substitute-also-value-strings.patch * d/p/0023-ucm-handle-strict-prefix-correctly-for-the-UCM-card-.patch * d/p/0024-ucm-String-condition-implement-Empty.patch * d/p/0025-ucm-Define-DefineRegex-is-supported-in-Syntax-3.patch * d/p/0026-ucm-substitute-OpenName.patch * d/p/0027-ucm-substitute-CardNumber.patch * d/p/0028-ucm-implement-the-toplevel-ucm-configuration-file-pa.patch * d/p/0029-ucm-substitute-device-modifier-names-too.patch * d/p/0030-ucm-substitute-device-strings-in-the-device-lists.patch * d/p/0031-ucm-substitute-component-sequence-string.patch * d/p/0032-ucm-substitute-verb-name-and-file-field.patch * d/p/0033-ucm-substitute-Comment-in-Transition-and-Device.patch * d/p/0034-ucm-substitute-RenameDevice-and-DeleteDevice-lists.patch * d/p/0035-ucm-substitute-arguments-in-sequences-only-for-synta.patch * d/p/0036-ucm-shuffle-code-in-compound_merge.patch * d/p/0037-ucm-implement-CardIdByName-substitution.patch * d/p/0038-ucm-allow-to-ignore-errors-for-the-value-substitutio.patch * d/p/0039-ucm-allow-to-use-the-defined-variables-in-the-substi.patch * d/p/0040-ucm-implement-CardNumberByName-substitution.patch * d/p/0041-ucm-fix-the-possible-buffer-overflow-substitution.patch * d/p/0042-ucm-simplify-get_by_card-in-parser.c.patch * d/p/0043-ucm-implement-AlwaysTrue-Condition.Type.patch * d/p/0044-ucm-Allow-empty-strings-in-var-.-substitutions.patch * d/p/0045-ucm-substitution-remove-duplicate-allow_empty-assign.patch * d/p/0046-ucm-fix-parse_get_safe_name-safe-name-must-be-checke.patch * d/p/0047-ucm-substitute-the-merged-tree-completely.patch * add Breaks alsa-ucm-conf (<= 1.2.2-1ubuntu0.1) in the d/control * add snd_config_is_array@ALSA_0.9 1.2.2-2.1ubuntu2 in the d/libasound2.symbols - enable sound on AMD Renoir machines (LP: #1889217) [ Kai-Heng Feng ] * d/p/0048-conf-USB-Audio-Disable-IEC958-on-Lenovo-ThinkStation.patch - Disable IEC958 on Lenovo ThinkStation P620 (LP: #1891461) ==== alsa-ucm-conf: 1.2.2-1ubuntu0.1 => 1.2.2-1ubuntu0.2 ==== ==== alsa-ucm-conf * d/p/0003-ucm-fix-wrong-If-in-sequence-in-HiFi-dual.conf.patch * d/p/0004-ucm2-add-initial-ucm.conf-for-the-latest-alsa-lib.patch * d/p/0005-sof-hda-dsp-don-t-fail-if-Auto-Mute-control-is-not-p.patch * d/p/0006-ucm.conf-add-support-for-the-kernel-module-name-tree.patch * d/p/0007-sof-hda-dsp-make-Headphone-Playback-Switch-condition.patch * d/p/0008-sof-soundwire-initial-UCM2-version.patch * d/p/0009-sof-soundwire-cleanups-recommended-by-the-ucm-valida.patch * d/p/0010-sof-soundwire-rewrite-for-syntax-3.patch * d/p/0011-HDA-Intel-add-support-for-AMD-acp-microphone-devices.patch * d/p/0012-hda-hdmi-add-HDMI4-HDMI5-HDMI6-devices.patch * d/p/0013-amd-renoir-acp-use-the-machine-driver-s-name-for-top.patch * d/p/0014-amd-renoir-acp-add-syntax-in-the-Linked.patch * d/p/0015-HDA-Intel-only-bind-the-acp-dmic-to-the-soundcard-wi.patch * d/p/0016-Fix-invalid-Regex-Type-in-various-Condition-blocks.patch enable sound on AMD Renoir machines (LP: #1889217) [ Kai-Heng Feng ] * d/p/0017-Add-support-for-Lenovo-ThinkStation-P620-Main-Audio.patch Add proper stream and jack assignment to Lenovo ThinkStation P620 (LP: #1891461) ==== apport: 2.20.11-0ubuntu27.6 => 2.20.11-0ubuntu27.8 ==== ==== apport python3-apport python3-problem-report [Brian Murray] * Fix pep8 errors regarding ambiguous variables. * d/control: Offer real package alternatives along with x-terminal-server for apport-gtk and apport-kde (LP: #1881976) ==== base-files: 11ubuntu5.1 => 11ubuntu5.2 ==== ==== base-files [ Andreas Hasenack ] * motd/50-motd-news: don't include uptime in the user-agent string (LP: #1886572) * Move the /etc/default/motd-news conffile to the motd-news-config package (LP: #1888575): - d/base-files.maintscript: remove /etc/default/motd-news config file on upgrade - d/control: break on ubuntu-server << 1.450.2 to force an upgrade if it is installed, which will pull motd-news-config and the conffile back in - d/motd-news-config.postinst: + handle the upgrade case where the motd-news config file was changed while it belonged to base-files + disable motd-news if the config file was removed by hand before the upgrade - d/postinst.in: signal the motd-news-config package if the motd-news config file was removed manually before the upgrade - d/control: new motd-news-config package, carrying the configuration file for the /etc/update-motd.d/50-motd-news script. - d/rules, d/motd-news-config.install: /e/d/motd-news is in the motd-news-config package now [ Steve Langasek ] * motd/50-motd-news: use wget instead of curl, since wget is standard but curl is optional (LP: #1888572): - This changes the timeout behavior slightly because wget does not have an exact equivalent to curl's --max-time argument, we are using --timeout instead. ==== bcache-tools: 1.0.8-3 => 1.0.8-3ubuntu0.1 ==== ==== bcache-tools [ Ryan Harper ] * Add helper script to read bcache devs superblock (LP: #1861941) ==== bind9: 1:9.16.1-0ubuntu2.2 => 1:9.16.1-0ubuntu2.3 ==== ==== bind9-dnsutils bind9-host bind9-libs:amd64 * SECURITY UPDATE: A specially crafted large TCP payload can trigger an assertion failure - debian/patches/CVE-2020-8620.patch: add extra checks to lib/isc/netmgr/netmgr-int.h, lib/isc/netmgr/netmgr.c, lib/isc/netmgr/tcp.c, lib/isc/netmgr/udp.c. - CVE-2020-8620 * SECURITY UPDATE: Attempting QNAME minimization after forwarding can lead to an assertion failure - debian/patches/CVE-2020-8621.patch: disable QNAME minimization in lib/dns/resolver.c. - CVE-2020-8621 * SECURITY UPDATE: A truncated TSIG response can lead to an assertion failure - debian/patches/CVE-2020-8622.patch: move code in lib/dns/message.c. - CVE-2020-8622 * SECURITY UPDATE: A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure - debian/patches/CVE-2020-8623.patch: add extra checks in lib/dns/pkcs11rsa_link.c, lib/isc/include/pk11/internal.h, lib/isc/pk11.c. - CVE-2020-8623 * SECURITY UPDATE: update-policy rules of type subdomain were enforced incorrectly - debian/patches/CVE-2020-8624.patch: add extra check in bin/named/zoneconf.c. - CVE-2020-8624 ==== bind9-libs: 1:9.11.16+dfsg-3~build1 => 1:9.11.16+dfsg-3~ubuntu1 ==== ==== libdns-export1109 libisc-export1105:amd64 * debian/patches/fix-1872118.patch: Check if pending_send if set before calling dispatch_send to avoid assertion. Fixes LP: #1872118. ==== command-not-found: 20.04.2 => 20.04.4 ==== ==== command-not-found python3-commandnotfound * Avoid crash if tmpdb is locked. Skip execution and let the other process do its job. (LP: #1875760) ==== curl: 7.68.0-1ubuntu2.1 => 7.68.0-1ubuntu2.2 ==== ==== curl libcurl3-gnutls:amd64 libcurl4:amd64 * SECURITY UPDATE: wrong connect-only connection - debian/patches/CVE-2020-8231.patch: remember last connection by id, not by pointer in lib/connect.c, lib/easy.c, lib/multi.c, lib/url.c, lib/urldata.h. - CVE-2020-8231 ==== grub2: 2.04-1ubuntu26.2 => 2.04-1ubuntu26.3 ==== ==== grub-common grub-efi-amd64-bin grub-pc grub-pc-bin grub2-common * 2.04-1ubuntu27 and 2.04-1ubuntu28 folded together for focal * debian/patches/ubuntu-flavour-order.patch: - Add a (hidden) GRUB_FLAVOUR_ORDER setting that can mark certain kernel flavours as preferred, and specify an order between those preferred flavours (LP: #1882663) * debian/patches/ubuntu-zfs-enhance-support.patch: - Use version_find_latest for ordering kernels, so it also supports the GRUB_FLAVOUR_ORDER setting. * debian/patches/ubuntu-dont-verify-loopback-images.patch: - disk/loopback: Don't verify loopback images (LP: #1878541), Thanks to Chris Coulson for the patch * debian/patches/ubuntu-recovery-dis_ucode_ldr.patch - Pass dis_ucode_ldr to kernel for recovery mode (LP: #1831789) * debian/patches/ubuntu-add-initrd-less-boot-fallback.patch: - Merge changes from xnox to fix multiple initrds support (LP: #1878705) * debian/patches/ubuntu-clear-invalid-initrd-spacing.patch: - Remove, no longer needed thanks to xnox's patch * Ensure that grub-multi-install can always find templates (LP: #1879948) ==== grub2-signed: 1.142.4+2.04-1ubuntu26.2 => 1.142.5+2.04-1ubuntu26.3 ==== ==== grub-efi-amd64-signed * Rebuild against grub2 2.04-1ubuntu26.3. ==== libx11: 2:1.6.9-2ubuntu1 => 2:1.6.9-2ubuntu1.1 ==== ==== libx11-6:amd64 libx11-data * SECURITY UPDATE: integer overflow and heap overflow in XIM client - debian/patches/CVE-2020-14344-1.patch: fix signed length values in modules/im/ximcp/imRmAttr.c. - debian/patches/CVE-2020-14344-2.patch: fix integer overflows in modules/im/ximcp/imRmAttr.c. - debian/patches/CVE-2020-14344-3.patch: fix more unchecked lengths in modules/im/ximcp/imRmAttr.c. - debian/patches/CVE-2020-14344-4.patch: zero out buffers in functions in modules/im/ximcp/imDefIc.c, modules/im/ximcp/imDefIm.c. - debian/patches/CVE-2020-14344-5.patch: change the data_len parameter to CARD16 in modules/im/ximcp/imRmAttr.c. - debian/patches/CVE-2020-14344-6.patch: fix size calculation in modules/im/ximcp/imRmAttr.c. - debian/patches/CVE-2020-14344-7.patch: fix input clients connecting to server in modules/im/ximcp/imRmAttr.c. - CVE-2020-14344 * SECURITY UPDATE: integer overflow and double free in locale handling - debian/patches/CVE-2020-14363.patch: fix an integer overflow in modules/om/generic/omGeneric.c. - CVE-2020-14363 ==== linux-meta: 5.4.0.42.46 => 5.4.0.45.49 ==== ==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual * Bump ABI 5.4.0-45 * Bump ABI 5.4.0-44 * Bump ABI 5.4.0-43 * Packaging resync (LP: #1786013) - [Packaging] resync debian/dkms-versions from main package ==== linux-signed: 5.4.0-42.46 => 5.4.0-45.49 ==== ==== linux-image-5.4.0-45-generic * Master version: 5.4.0-45.49 * Master version: 5.4.0-44.48 * Master version: 5.4.0-43.47 ==== pam: 1.3.1-5ubuntu4 => 1.3.1-5ubuntu4.1 ==== ==== libpam-modules-bin libpam-modules:amd64 libpam-runtime libpam0g:amd64 * debian/libpam-modules.postinst: Add /snap/bin to $PATH in /etc/environment. (LP: #1659719) ==== rsyslog: 8.2001.0-1ubuntu1 => 8.2001.0-1ubuntu1.1 ==== ==== rsyslog * d/rsyslog.postinst: (LP: #1890177) - Fix Permission denied access to /dev/console for privilege drop user and group syslog:syslog. ==== software-properties: 0.98.9.1 => 0.98.9.2 ==== ==== python3-software-properties software-properties-common * SECURITY UPDATE: malicious repo could send ANSI sequences to terminal (LP: #1890286) - add-apt-repository: strip ANSI sequences from the description. - CVE-2020-15709 ==== sudo: 1.8.31-1ubuntu1 => 1.8.31-1ubuntu1.1 ==== ==== sudo * d/p/ignore-rlimit-core-failure.patch: Ignore a failure to restore the RLIMIT_CORE resource limit. Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY if we set the limit to zero, even for root. RLIMIT_NPROC is also not allowed to be set back. This is not a problem outside the container. (LP: #1857036) ==== tmux: 3.0a-2 => 3.0a-2ubuntu0.1 ==== ==== tmux * Fix "regression: splitting panes does not cause a resize in backgrounded tmux" (LP: #1875109) - d/p/limit-lazy-resize-to-panes-in-attached-sessions-only.patch: New patch to limit the "lazy resize" to panes in attached sessions only. The panes in unattached sessions are resized immediately. ==== ubuntu-meta: 1.450.1 => 1.450.2 ==== ==== ubuntu-minimal ubuntu-server ubuntu-standard * d/control: have ubuntu-server depend on motd-news-config (LP: #1888575) ==== ubuntu-release-upgrader: 1:20.04.23 => 1:20.04.24 ==== ==== python3-distupgrade ubuntu-release-upgrader-core * DistUpgrade/DistUpgradeCache.py: Ensure that the linux metapackage is never removed during a distribution upgrade. (LP: #1889449) ==== unattended-upgrades: 2.3 => 2.3ubuntu0.1 ==== ==== unattended-upgrades [ Balint Reczey ] * Fix checking if an upgrade/install marking succeeded. The false negative result caused unattended-upgrades trying to apply workarounds to upgrade/install the package using excessive amount of CPU time. (Closes: #958883) (LP: #1877769) * Fix indentation and type error (LP: #1883082) [ Jose Manuel Santamaria Lema ] * Fix crash occuring when strict whitelist is in use (LP: #1883082) ==== xz-utils: 5.2.4-1 => 5.2.4-1ubuntu1 ==== ==== liblzma5:amd64 xz-utils * Use the generic % rule in debian/rules, otherwise it FTBFS with debhelper 12.5. Closes: #945961. LP: #1870088. -- [1] http://cloud-images.ubuntu.com/releases/focal/release-20200902/ [2] http://cloud-images.ubuntu.com/releases/focal/release-20200804/