A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI IDs. Users who wish to update their existing installations can do so with:

  'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

  * libxslt: 1.1.34-4 => 1.1.34-4ubuntu0.20.04.1
  * linux-meta: 5.4.0.124.125 => 5.4.0.125.126
  * linux-signed: 5.4.0-124.140 => 5.4.0-125.141
  * open-vm-tools: 2:11.0.5-4 => 2:11.3.0-2ubuntu0~ubuntu20.04.3
  * rsync: 3.1.3-8ubuntu0.3 => 3.1.3-8ubuntu0.4

The following is a complete changelog for this image.

new: {'linux-modules-5.4.0-125-generic': '5.4.0-125.141', 'linux-headers-5.4.0-125': '5.4.0-125.141', 'linux-headers-5.4.0-125-generic': '5.4.0-125.141'}
removed: {'linux-headers-5.4.0-124': '5.4.0-124.140', 'linux-modules-5.4.0-124-generic': '5.4.0-124.140', 'linux-headers-5.4.0-124-generic': '5.4.0-124.140'}
changed: ['libxslt1.1:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-5.4.0-125-generic', 'linux-image-virtual', 'linux-virtual', 'open-vm-tools', 'rsync']

new snaps: {}
removed snaps: {}
changed snaps: ['core20']

==== libxslt: 1.1.34-4 => 1.1.34-4ubuntu0.20.04.1 ====
==== libxslt1.1:amd64

  * SECURITY UPDATE: Use after free
    - debian/patches/CVE-2021-30560.patch: fix use after free in xsltApplyTemplates in libxslt/transform.c.
    - CVE-2021-30560

==== linux-meta: 5.4.0.124.125 => 5.4.0.125.126 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

  * Bump ABI 5.4.0-125

==== linux-signed: 5.4.0-124.140 => 5.4.0-125.141 ====
==== linux-image-5.4.0-125-generic

  * Master version: 5.4.0-125.141

==== open-vm-tools: 2:11.0.5-4 => 2:11.3.0-2ubuntu0~ubuntu20.04.3 ====
==== open-vm-tools

  * SECURITY UPDATE: local privilege escalation
    - debian/patches/CVE-2022-31676.patch: check authorization on incoming guestOps requests in open-vm-tools/vgauth/serviceImpl/proto.c.
    - CVE-2022-31676
  * d/rules: provide a compat link for the old open-vm-tools library/plugin paths (LP: #1944946)
    - d/open-vm-tools.postinst: handle upgrades from <11.3.0-2 in regard to the symlink
  * Update to latest release v11.3.0 (LP: #1933143)
    Remaining changes:
    - Revert "build-depend on libgdk-pixbuf-xlib-2.0-dev"
  * Dropped [ is in 11.3.0-2]
    - Revert "Add net-tools as dependency again." as we don't want to modify the focal seed/ISO content without a real issue behind it.
  * d/copyright: further fix licenses after consulting SPDX
  * d/copyright: state multi-license under one glob pattern
  * d/control: enable arm64 which is ready in 11.3.0
  * d/control: drop no more needed net-tools dependency
  * New upstream version 11.3.0 (Closes: #990163)(LP: #1933143)
    - d/rules: install new binary vmwgfxctrl into open-vm-tools-desktop
    - d/rules: add new binary vmware-alias-import to open-vm-tools
    - d/rules: add new vmsvc plugins libguestStore.so and libgdp.so to open-vm-tools
  * d/open-vm-tools.maintscript: remove stale conffiles (Closes: #868273)
  * d/control: add myself to uploaders
  * Cleanups flagged by tracker.debian.org
    - d/watch: fix to work with upstreams github tags
    - d/control: bump Standards-Version to 4.5.1 (no changes needed)
  * Cleanups for various Lintian findings
    - d/source/lintian-overrides: allow helper scripts by setting patch-file-present-but-not-mentioned-in-series
    - d/{open-vm-tools,open-vm-tools-dev}.lintian-overrides tolerate package-name-doesnt-match-sonames
    - d/{open-vm-tools,open-vm-tools-desktop}.lintian-overrides: tolerate no-manual-page until upstream issue 526 is resolved
    - d/control: fix skip-systemd-native-flag-missing-pre-depends warning by adding misc:Pre-Depends
    - d/copyright: rename non allowed license names to fix space-in-std-shortname-in-dep5-copyright warning
    - d/open-vm-tools-desktop.lintian-overrides: fix setuid override
    - d/rules: drop no more needed handling of pam vmtoolsd-x64
    - d/rules: put libs and .pc files in correct multiarch directories
    - d/rules: do not ship vmware-vgauth-smoketest (only meant for build&test, per upstream it can wipe system config and therefore should not be shipped after build - upstream issue 527)
  * d/control: Remove constraints unnecessary since stretch (from Janitor)
  * [7f14954] Drop max_nic_count patch.
    See https://github.com/vmware/open-vm-tools/issues/128 for details.
  * [b54d022] New upstream version 11.2.5
    Thanks: John Wolfe
    Closes: #980190
  * [d5d4593] Fix building with new gcc versions
  * [94ce968] build-depend on libgdk-pixbuf-xlib-2.0-dev
    Closes: #978262
    Thanks to Lucas Nussbaum for the upload reminder.
  * [447d833] Update upstream source from tag 'upstream/11.2.0'
    Update to upstream version '11.2.0' with Debian dir 67243748d9ba09fc4e53f1ab4e921e119c981beb
    Closes: #972732
  * [704edba] remove pam-use-common-auth-account patch. Not needed anymore
  * [f792922] Use upstream pam file for Debian
  * [5515c98] Don't recommend xserver-xorg-input-vmmouse.
    Thanks to Raphaël Hertzog (Closes: #966465)
  * [8a31efc] Update upstream source from tag 'upstream/11.1.5'
    Update to upstream version '11.1.5' with Debian dir 62c70f15b660e7719555a78e6658ced5ca05ca35
    Closes: #968688
  * [09714a7] Removing patches that were applied upstream
  * [03d18b3] Fix gcc-10 related issues. (Closes: #957631)
  [ Christian Ehrhardt ]
  * [4d69c6a] d/p/lp-1877678-: fixes for the sdmp plugin that is new in 11.1.0.
    Signed-off-by: Christian Ehrhardt
  * [38bd11e] d/control: change net-tools dependency to iproute2.
    Signed-off-by: Christian Ehrhardt
  [ Bernd Zeimetz ]
  * [c15c08d] Add net-tools as dependency again.
    Various scripts still use ifconfig.
  [ Christian Ehrhardt ]
  * [6b7d31d] New upstream version 11.1.0 (Closes: #960061) (LP: #1877672)
  * [3ece93a14] d/control, d/rules, d//*sdmp*: add service discovery plugin (sdmp) (Closes: #960065) (LP: #1877678)
    Thanks to Oliver Kurth for the initial contribution, changes in addition:
    - d/control: improve description
    - rules fix whitespace damage
    - maintscripts: fixed some whitespace damage
    - maintscripts: fixed maintainer scripts per skeletons from dh_make
    - maintscripts: added the service-active-before-restart check to postinst as well (was only in rm)
    - maintscripts: use deb-systemd-invoke
    - d/control: add further dependencies used in sdmp
  * [e0c9fbc14] remove patches applied upstream in 11.1.0
    - d/p/4ee0bd3c8_Rectify-a-log-spew-in-vmsvc-logging-vmware-vmsvc-root.log
    - d/p/89c0d4445_GitHub-Issue-367.-Remove-references-to-deprecated-G_INLINE_FUNC
    - d/p/f1f0b812e_add-appinfo-plugin
  * [f4cf14931] d/rules: drop perm fixup of vm-support as it is properly in /usr/bin/ now
  * [d71e99e33] lintian: add overrides for intentional cases
  * [ba27a73eb] d/p/debian/vmxnet_fix_kernel_4.7.patch: drop unused patch
  * [7488e6e2f] d/copyright: fix tab in text
  * [8700b5e] Revert "Run vmtoolsd with Nice=-20"
    After discussing this issue with upstream we came to the conclusion that reverting this is the best option as it is possible to start programs through vmtoolsd and they would also run with a nice level of -20. Upstream will fix this issue in a sane way.
  * [8a3a303] Add appinfo plugin.
    Thanks to Oliver Kurth (Closes: #954958)

==== rsync: 3.1.3-8ubuntu0.3 => 3.1.3-8ubuntu0.4 ====
==== rsync

  * SECURITY UPDATE: zlib buffer overflow when inflating certain gzip headers.
    - debian/patches/CVE-2022-37434-1.patch: catches overflow in inflateGetHeader by enforcing buffer size.
    - debian/patches/CVE-2022-37434-2.patch: prevents NULL dereference regression previous patch introduced.
    - CVE-2022-37434

--
[1] http://cloud-images.ubuntu.com/releases/focal/release-20220824/
[2] http://cloud-images.ubuntu.com/releases/focal/release-20220810/