A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI IDs. Users who wish to update their existing installations can do so with:

    'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

 * freetype: 2.10.1-2ubuntu0.1 => 2.10.1-2ubuntu0.2
 * git: 1:2.25.1-1ubuntu3.4 => 1:2.25.1-1ubuntu3.5
 * gnutls28: 3.6.13-2ubuntu1.6 => 3.6.13-2ubuntu1.7
 * gstreamer1.0: 1.16.2-2 => 1.16.3-0ubuntu1.1
 * libxml2: 2.9.10+dfsg-5ubuntu0.20.04.3 => 2.9.10+dfsg-5ubuntu0.20.04.4
 * linux-meta: 5.4.0.122.123 => 5.4.0.124.125
 * linux-signed: 5.4.0-122.138 => 5.4.0-124.140
 * netplan.io: 0.104-0ubuntu2~20.04.1 => 0.104-0ubuntu2~20.04.2
 * pyjwt: 1.7.1-2ubuntu2 => 1.7.1-2ubuntu2.1
 * python3.8: 3.8.10-0ubuntu1~20.04.4 => 3.8.10-0ubuntu1~20.04.5

The following is a complete changelog for this image.
new: {'linux-headers-5.4.0-124': '5.4.0-124.140', 'linux-modules-5.4.0-124-generic': '5.4.0-124.140', 'linux-headers-5.4.0-124-generic': '5.4.0-124.140'}
removed: {'linux-headers-5.4.0-122-generic': '5.4.0-122.138', 'linux-headers-5.4.0-122': '5.4.0-122.138', 'linux-modules-5.4.0-122-generic': '5.4.0-122.138'}
changed: ['git', 'git-man', 'libfreetype6:amd64', 'libgnutls30:amd64', 'libgstreamer1.0-0:amd64', 'libnetplan0:amd64', 'libpython3.8-minimal:amd64', 'libpython3.8-stdlib:amd64', 'libpython3.8:amd64', 'libxml2:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.4.0-124-generic', 'linux-image-virtual', 'linux-virtual', 'netplan.io', 'python3-jwt', 'python3.8', 'python3.8-minimal']
new snaps: {}
removed snaps: {}
changed snaps: ['core20']

==== freetype: 2.10.1-2ubuntu0.1 => 2.10.1-2ubuntu0.2 ====
==== libfreetype6:amd64

  * SECURITY UPDATE: Heap buffer overflow in sfnt_init_face
    - debian/patches/CVE-2022-27404.patch: avoid invalid face index in
      src/sfnt/sfobjs.c.
    - CVE-2022-27404
  * SECURITY UPDATE: Segmentation violation in FNT_Size_Request
    - debian/patches/CVE-2022-27405.patch: properly guard face_index in
      src/base/ftobjs.c.
    - CVE-2022-27405
  * SECURITY UPDATE: Segmentation violation in FT_Request_Size
    - debian/patches/CVE-2022-27406.patch: guard face->size in
      src/base/ftobjs.c.
    - CVE-2022-27406
  * SECURITY UPDATE: Heap-based buffer overflow in ftbench demo
    - debian/patches/CVE-2022-31782.patch: check the number of glyphs in
      ft2demos/src/ftbench.c.
    - CVE-2022-31782

==== git: 1:2.25.1-1ubuntu3.4 => 1:2.25.1-1ubuntu3.5 ====
==== git git-man

  * SECURITY UPDATE: Potential arbitrary code execution
    - debian/patches/CVE-2022-29187-1.patch: adds test to regression git
      needs safe.directory when using sudo in
      t/t0034-root-safe-directory.sh.
    - debian/patches/CVE-2022-29187-2.patch: avoid failing dir ownership
      checks if running privileged in git-compat-util.h,
      t/t0034-root-safe-directory.sh.
    - debian/patches/CVE-2022-29187-3.patch: add negative tests and allow
      git init to mostly work under sudo in t/lib-sudo.sh b/t/lib-sudo.sh.
    - debian/patches/CVE-2022-29187-4.patch: allow root to access both
      SUDO_UID and root owned in git-compat-util.h,
      t/t0034-root-safe-directory.sh.
    - debian/patches/CVE-2022-29187-5.patch: add tests for safe.directory
      in t/t0033-safe-directory.sh, setup.c.
    - debian/patches/CVE-2022-29187-6.patch: tighten ownership checks post
      CVE-2022-24765 in setup.c.
    - CVE-2022-29187

==== gnutls28: 3.6.13-2ubuntu1.6 => 3.6.13-2ubuntu1.7 ====
==== libgnutls30:amd64

  * SECURITY UPDATE: Null pointer dereference in MD_UPDATE
    - debian/patches/CVE-2021-4209.patch: avoid calling _update with
      zero-length input in lib/nettle/mac.c.
    - CVE-2021-4209
  * SECURITY UPDATE: Double free in verification of pkcs7 signatures
    - debian/patches/CVE-2022-2509.patch: fix double free during
      gnutls_pkcs7_verify in lib/x509/pkcs7.c,
      tests/pkcs7-verify-double-free.c, tests/Makefile.am.
    - CVE-2022-2509

==== gstreamer1.0: 1.16.2-2 => 1.16.3-0ubuntu1.1 ====
==== libgstreamer1.0-0:amd64

  * Build no change
  * New upstream stable release (LP: #1962135)
    - Drop patches
      0001-Revert-device-Enforce-that-elements-created-by-gst_d and
      0002-Revert-element-Enforce-that-elements-created-by-gst_
      (applied upstream).

==== libxml2: 2.9.10+dfsg-5ubuntu0.20.04.3 => 2.9.10+dfsg-5ubuntu0.20.04.4 ====
==== libxml2:amd64

  * SECURITY UPDATE: Possible cross-site scripting
    - debian/patches/CVE-2016-3709.patch: Revert "do not URI escape in
      server side includes" in HTMLtree.c.
    - CVE-2016-3709

==== linux-meta: 5.4.0.122.123 => 5.4.0.124.125 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

  * Bump ABI 5.4.0-124
  * Bump ABI 5.4.0-123
  * Packaging resync (LP: #1786013)
    - [Packaging] resync debian/dkms-versions from main package

==== linux-signed: 5.4.0-122.138 => 5.4.0-124.140 ====
==== linux-image-5.4.0-124-generic

  * Master version: 5.4.0-124.140
  * Master version: 5.4.0-123.139

==== netplan.io: 0.104-0ubuntu2~20.04.1 => 0.104-0ubuntu2~20.04.2 ====
==== libnetplan0:amd64 netplan.io

  * Cherry pick d/p/dbus-Remove-the-upper-limit-on-try-timeout.patch
    (LP: #1967084)
  * Cherry-pick fix for rendering WPA3 password (8934a1b), LP: #1975576
    + d/p/0010-nm-fix-rendering-of-password-for-unknown-passthrough.patch
  * Backport offloading tristate patches (LP: #1956264)
    + d/p/0003-Add-tristate-type-for-offload-options-LP-1956264-270.patch
    + d/p/0004-tests-ethernets-fix-autopkgtest-with-alternating-def.patch
    + d/t/control: add 'ethtool' test-dep for link offloading tests

==== pyjwt: 1.7.1-2ubuntu2 => 1.7.1-2ubuntu2.1 ====
==== python3-jwt

  * SECURITY UPDATE: Signing key confusion via public key signature
    - debian/patches/CVE-2022-29217.patch: update jwt/algorithms.py to
      disallow using SSH keys as a HMAC secret.
    - CVE-2022-29217

==== python3.8: 3.8.10-0ubuntu1~20.04.4 => 3.8.10-0ubuntu1~20.04.5 ====
==== libpython3.8-minimal:amd64 libpython3.8-stdlib:amd64 libpython3.8:amd64 python3.8 python3.8-minimal

  * SECURITY UPDATE: Injection Attack
    - debian/patches/CVE-2015-20107.patch: Make mailcap refuse to match
      unsafe filenames/types/param in Lib/mailcap.py,
      Lib/test/test_mailcap.py.
    - CVE-2015-20107

--
[1] http://cloud-images.ubuntu.com/releases/focal/release-20220810/
[2] http://cloud-images.ubuntu.com/releases/focal/release-20220711/