A new release of the Ubuntu Cloud Images for stable Ubuntu release 16.04 LTS (Xenial Xerus) is available at [1]. These new images supersede the existing images [2].

Images are available for download or immediate use on EC2 via published AMI ids. Users who wish to update their existing installations can do so with:
'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs for a complete listing of changes:
 * accountsservice: 0.6.40-2ubuntu11.3 => 0.6.40-2ubuntu11.6
 * apport: 2.20.1-0ubuntu2.25 => 2.20.1-0ubuntu2.26
 * ca-certificates: 20190110~16.04.1 => 20201027ubuntu0.16.04.1
 * distro-info-data: 0.28ubuntu0.14 => 0.28ubuntu0.16
 * freetype: 2.6.1-0.1ubuntu2.4 => 2.6.1-0.1ubuntu2.5
 * linux-meta: 4.4.0.193.199 => 4.4.0.194.200
 * linux-signed: 4.4.0-193.224 => 4.4.0-194.226
 * openldap: 2.4.42+dfsg-2ubuntu3.9 => 2.4.42+dfsg-2ubuntu3.10
 * perl: 5.22.1-9ubuntu0.6 => 5.22.1-9ubuntu0.9
 * python3.5: 3.5.2-2ubuntu0~16.04.11 => 3.5.2-2ubuntu0~16.04.12
 * python-cryptography: 1.2.3-1ubuntu0.2 => 1.2.3-1ubuntu0.3
 * snapd: 2.46.1 => 2.47.1
 * tzdata: 2020a-0ubuntu0.16.04 => 2020d-0ubuntu0.16.04
 * ubuntu-release-upgrader: 1:16.04.30 => 1:16.04.32
 * vim: 2:7.4.1689-3ubuntu1.4 => 2:7.4.1689-3ubuntu1.5

The following is a complete changelog for this image.
new: {'linux-headers-4.4.0-194': '4.4.0-194.226', 'linux-modules-4.4.0-194-generic': '4.4.0-194.226', 'linux-headers-4.4.0-194-generic': '4.4.0-194.226'}
removed: {'linux-modules-4.4.0-193-generic': '4.4.0-193.224', 'linux-headers-4.4.0-193': '4.4.0-193.224', 'linux-headers-4.4.0-193-generic': '4.4.0-193.224'}
changed: ['accountsservice', 'apport', 'ca-certificates', 'distro-info-data', 'libaccountsservice0:amd64', 'libfreetype6:amd64', 'libldap-2.4-2:amd64', 'libperl5.22:amd64', 'libpython3.5-minimal:amd64', 'libpython3.5-stdlib:amd64', 'libpython3.5:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-4.4.0-194-generic', 'linux-image-virtual', 'linux-virtual', 'perl', 'perl-base', 'perl-modules-5.22', 'python3-apport', 'python3-cryptography', 'python3-distupgrade', 'python3-problem-report', 'python3.5', 'python3.5-minimal', 'snapd', 'tzdata', 'ubuntu-core-launcher', 'ubuntu-release-upgrader-core', 'vim', 'vim-common', 'vim-runtime', 'vim-tiny']
new snaps: {}
removed snaps: {}
changed snaps: []

==== accountsservice: 0.6.40-2ubuntu11.3 => 0.6.40-2ubuntu11.6 ====
==== accountsservice libaccountsservice0:amd64
  * SECURITY UPDATE: accountsservice drop privileges SIGSTOP DoS (LP: #1900255)
    - debian/patches/0010-set-language.patch: updated to not drop real uid and real gid in user_drop_privileges_to_user.
    - debian/patches/0009-language-tools.patch: updated to not reset effective uid.
    - CVE-2020-16126
  * SECURITY UPDATE: directory traversal issue
    - debian/patches/CVE-2018-14036.patch: fix insufficient path prefix check in src/user.c.
    - CVE-2018-14036

==== apport: 2.20.1-0ubuntu2.25 => 2.20.1-0ubuntu2.26 ====
==== apport python3-apport python3-problem-report
  * data/apport: In the event that the crashing executable does not exist on disk any more the path name of the executable (passed by core) is appended with '(deleted)' because apport is currently using sys.argv for argument parsing there end up being too many arguments and apport crashes. This is fixed by adding handling for six arguments. (LP: #1899195)

==== ca-certificates: 20190110~16.04.1 => 20201027ubuntu0.16.04.1 ====
==== ca-certificates
  * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority bundle to version 2.44. (LP: #1900727)

==== distro-info-data: 0.28ubuntu0.14 => 0.28ubuntu0.16 ====
==== distro-info-data
  * Add Ubuntu 21.04, Hirsute Hippo (LP: #1901361).

==== freetype: 2.6.1-0.1ubuntu2.4 => 2.6.1-0.1ubuntu2.5 ====
==== libfreetype6:amd64
  * SECURITY UPDATE: heap buffer overflow via integer truncation in Load_SBit_Png
    - debian/patches-freetype/CVE-2020-15999.patch: Update src/sfnt/pngshim.c to test and reject invalid bitmap size earlier in Load_SBit_Png. Based on upstream patch.
    - CVE-2020-15999

==== linux-meta: 4.4.0.193.199 => 4.4.0.194.200 ====
==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual
  * Bump ABI 4.4.0-194

==== linux-signed: 4.4.0-193.224 => 4.4.0-194.226 ====
==== linux-image-4.4.0-194-generic
  * Master version: 4.4.0-194.226

==== openldap: 2.4.42+dfsg-2ubuntu3.9 => 2.4.42+dfsg-2ubuntu3.10 ====
==== libldap-2.4-2:amd64
  * SECURITY UPDATE: DoS via NULL pointer dereference
    - debian/patches/CVE-2020-25692.patch: skip normalization if there's no equality rule in servers/slapd/modrdn.c.
    - CVE-2020-25692

==== perl: 5.22.1-9ubuntu0.6 => 5.22.1-9ubuntu0.9 ====
==== libperl5.22:amd64 perl perl-base perl-modules-5.22
  * SECURITY UPDATE: heap buffer overflow in regex compiler
    - debian/patches/fixes/CVE-2020-10543.patch: prevent integer overflow from nested regex quantifiers in regcomp.c.
    - CVE-2020-10543
  * SECURITY UPDATE: regex intermediate language state corruption
    - debian/patches/fixes/CVE-2020-10878.patch: extract rck_elide_nothing in embed.fnc, embed.h, proto.h, regcomp.c.
    - CVE-2020-10878
  * SECURITY UPDATE: regex intermediate language state corruption
    - debian/patches/fixes/CVE-2020-12723.patch: avoid mutating regexp program within GOSUB in embed.fnc, embed.h, proto.h, regcomp.c, t/re/pat.t.
    - CVE-2020-12723
  * debian/patches/fixes/fix_test_2020.patch: fix FTBFS caused by test failing in the year 2020 in cpan/Time-Local/t/Local.t.

==== python-cryptography: 1.2.3-1ubuntu0.2 => 1.2.3-1ubuntu0.3 ====
==== python3-cryptography
  * SECURITY UPDATE: Bleichenbacher timing oracle attack
    - debian/patches/CVE-2020-25659.patch: Attempt to mitigate Bleichenbacher attacks on RSA decryption docs/spelling_wordlist.txt, src/cryptography/hazmat/backends/openssl/rsa.py.
    - CVE-2020-25659

==== python3.5: 3.5.2-2ubuntu0~16.04.11 => 3.5.2-2ubuntu0~16.04.12 ====
==== libpython3.5-minimal:amd64 libpython3.5-stdlib:amd64 libpython3.5:amd64 python3.5 python3.5-minimal
  * SECURITY UPDATE: CRLF injection
    - debian/patches/CVE-2020-26116.patch: prevent header injection in http methods in Lib/httplib.py, Lib/test/test_httlib.py.
    - CVE-2020-26116
  * debian/patches/skipping_broken_test_httphandlertest.patch:
    - skipping Lib/test/test_logging.py was hanging during building time causing the building to be killed after 150 minutes of hang.

==== snapd: 2.46.1 => 2.47.1 ====
==== snapd ubuntu-core-launcher
  * New upstream release, LP: #1895929
    - o/configstate: create /etc/sysctl.d when applying early config defaults
    - cmd/snap-bootstrap/initramfs-mounts: also copy /etc/machine-id for same IP addr
    - packaging/{ubuntu,debian}: add liblzo2-dev as a dependency for building snapd
    - cmd/snap: allow snap help vs --all to diverge purposefully
    - snap: snap help output refresh
  * New upstream release, LP: #1895929
    - tests: fix nested core20 shellcheck bug
    - many/apparmor: adjust rule for reading apparmor profile for new kernel
    - snap-repair: add uc20 support
    - cmd/snap/auto-import: stop importing system user assertions from initramfs mnts
    - cmd/s-b/initramfs-mounts: use ConfigureTargetSystem for install, recover modes
    - gadget: resolve device mapper devices for fallback device lookup
    - secboot: add boot manager profile to pcr protection profile
    - sysconfig,o/devicestate: mv DisableNoCloud to DisableAfterLocalDatasourcesRun
    - tests: make gadget-reseal more robust
    - tests: skip nested images pre-configuration by default
    - tests: fix for basic20 test running on external backend and rpi
    - tests: improve kernel reseal test
    - boot: adjust comments, naming, log success around reseal
    - tests/nested, fakestore: changes necessary to run nested uc20 signed/secured tests
    - tests: add nested core20 gadget reseal test
    - boot/modeenv: track unknown keys in Read and put back into modeenv during Write
    - interfaces/process-control: add sched_setattr to seccomp
    - boot: with unasserted kernels reseal if there's a hint modeenv changed
    - client: bump the default request timeout to 120s
    - configcore: do not error in console-conf.disable for install mode
    - boot: streamline bootstate20.go reseal and tests changes
    - boot: reseal when changing kernel
    - cmd/snap/model: specify grade in the model command output
    - tests: simplify repack_snapd_snap_with_deb_content_and_run_mode_first_boot_tweaks
    - test: improve logging in nested tests
    - nested: add support to telnet to serial port in nested VM
    - secboot: use the snapcore/secboot native recovery key type
    - tests/lib/nested.sh: use more focused cloud-init config for uc20
    - tests/lib/nested.sh: wait for the tpm socket to exist
    - spread.yaml, tests/nested: misc changes
    - tests: add more checks to disk space awareness spread test
    - tests: disk space awareness spread test
    - boot: make MockUC20Device use a model and MockDevice more realistic
    - boot,many: reseal only when meaningful and necessary
    - tests/nested/core20/kernel-failover: add test for failed refresh of uc20 kernel
    - tests: fix nested to work with qemu and kvm
    - boot: reseal when updating boot assets
    - tests: fix snap-routime-portal-info test
    - boot: verify boot chain file in seal and reseal tests
    - tests: use full path to test-snapd-refresh.version binary
    - boot: store boot chains during install, helper for checking whether reseal is needed
    - boot: add call to reseal an existing key
    - boot: consider boot chains with unrevisioned kernels incomparable
    - overlord: assorted typos and miscellaneous changes
    - boot: group SealKeyModelParams by model, improve testing
    - secboot: adjust parameters to buildPCRProtectionProfile
    - strutil: add SortedListsUniqueMergefrom the doc comment:
    - snap/naming: upgrade TODO to TODO:UC20
    - secboot: add call to reseal an existing key
    - boot: in seal.go adjust error message and function names
    - o/snapstate: check available disk space in RemoveMany
    - boot: build bootchains data for sealing
    - tests: remove "set -e" from function only shell libs
    - o/snapstate: disk space check on UpdateMany
    - o/snapstate: disk space check with snap update
    - snap: implement new `snap reboot` command
    - boot: do not reorder boot assets when generating predictable boot chains and other small tweaks
    - tests: some fixes and improvements for nested execution
    - tests/core/uc20-recovery: fix check for at least specific calls to mock-shutdown
    - boot: be consistent using bootloader.Role* consts instead of strings
    - boot: helper for generating secboot load chains from a given boot asset sequence
    - boot: tweak boot chains to support a list of kernel command lines, keep track of model and kernel boot file
    - boot,secboot: switch to expose and use snapcore/secboot load event trees
    - tests: use `nested_exec` in core{20,}-early-config test
    - devicestate: enable cloud-init on uc20 for grade signed and secured
    - boot: add "rootdir" to baseBootenvSuite and use in tests
    - tests/lib/cla_check.py: don't allow users.noreply.github.com commits to pass CLA
    - boot: represent boot chains, helpers for marshalling and equivalence checks
    - boot: mark successful with boot assets
    - client, api: handle insufficient space error
    - o/snapstate: disk space check with single snap install
    - configcore: "service.console-conf.disable" is gadget defaults only
    - packaging/opensuse: fix for /usr/libexec on TW, do not hardcode AppArmor profile path
    - tests: skip udp protocol in nfs-support test on ubuntu-20.10
    - packaging/debian-sid: tweak code preparing _build tree
    - many: move seal code from gadget/install to boot
    - tests: remove workaround for cups on ubuntu-20.10
    - client: implement RebootToSystem
    - many: seed.Model panics now if called before LoadAssertions
    - daemon: add /v2/systems "reboot" action API
    - github: run tests also on push to release branches
    - interfaces/bluez: let slot access audio streams
    - seed,c/snap-bootstrap: simplify snap-bootstrap seed reading with new seed.ReadSystemEssential
    - interfaces: allow snap-update-ns to read /proc/cmdline
    - tests: new organization for nested tests
    - o/snapstate, features: add feature flags for disk space awareness
    - tests: workaround for cups issue on 20.10 where default printer is not configured.
    - interfaces: update cups-control and add cups for providing snaps
    - boot: keep track of the original asset when observing updates
    - tests: simplify and fix tests for disk space checks on snap remove
    - sysconfig/cloudinit.go: add AllowCloudInit and use GadgetDir for cloud.conf
    - tests/main: mv core specific tests to core suite
    - tests/lib/nested.sh: reset the TPM when we create the uc20 vm
    - devicestate: rename "mockLogger" to "logbuf"
    - many: introduce ContentChange for tracking gadget content in observers
    - many: fix partion vs partition typo
    - bootloader: retrieve boot chains from bootloader
    - devicestate: add tests around logging in RequestSystemAction
    - boot: handle canceled update
    - bootloader: tweak doc comments (thanks Samuele)
    - seed/seedwriter: test local asserted snaps with UC20 grade signed
    - sysconfig/cloudinit.go: add DisableNoCloud to CloudInitRestrictOptions
    - many: use BootFile type in load sequences
    - boot,bootloader: clarifications after the changes to introduce bootloader.Options.Role
    - boot,bootloader,gadget: apply new bootloader.Options.Role
    - o/snapstate, features: add feature flag for disk space check on remove
    - testutil: add checkers for symbolic link target
    - many: refactor tpm seal parameter setting
    - boot/bootstate20: reboot to rollback to previous kernel
    - boot: add unit test helpers
    - boot: observe update & rollback of trusted assets
    - interfaces/utf: Add MIRKey to u2f devices
    - o/devicestate/devicestate_cloudinit_test.go: test cleanup for uc20 cloud-init tests
    - many: check that users of BaseTest don't forget to consume cleanups
    - tests/nested/core20/tpm: verify trusted boot assets tracking
    - github: run macOS job with Go 1.14
    - many: misc doc-comment changes and typo fixes
    - o/snapstate: disk space check with InstallMany
    - many: cloud-init cleanups from previous PR's
    - tests: running tests on opensuse leap 15.2
    - run-checks: check for dirty build tree too
    - vendor: run ./get-deps.sh to update the secboot hash
    - tests: update listing test for "-dirty" versions
    - overlord/devicestate: do not release the state lock when updating gadget assets
    - secboot: read kernel efi image from snap file
    - snap: add size to the random access file return interface
    - daemon: correctly parse Content-Type HTTP header.
    - tests: account for apt-get on core18
    - cmd/snap-bootstrap/initramfs-mounts: compute string outside of loop
    - mkversion.sh: simple hack to include dirty in version if the tree is dirty
    - cgroup,snap: track hooks on system bus only
    - interfaces/systemd: compare dereferenced Service
    - run-checks: only check files in git for misspelling
    - osutil: add a package doc comment (via doc.go)
    - boot: complain about reused asset name during initial install
    - snapstate: installSize helper that calculates total size of snaps and their prerequisites
    - snapshots: export of snapshots
    - boot/initramfs_test.go: reset boot vars on the bootloader for each iteration

==== tzdata: 2020a-0ubuntu0.16.04 => 2020d-0ubuntu0.16.04 ====
==== tzdata
  * New upstream version (LP: #1901020), affecting past and future timestamps:
    - Palestine ends DST earlier than predicted, on 2020-10-24.
    - Fiji starts DST later than usual, on 2020-12-20.
    - Revised predictions for Morocco's changes starting in 2023.
    - Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.
    - Macquarie Island has stayed in sync with Tasmania since 2011.
    - Casey, Antarctica is at +08 in winter and +11 in summer since 2018.
  * Restore old SystemV timezones.

==== ubuntu-release-upgrader: 1:16.04.30 => 1:16.04.32 ====
==== python3-distupgrade ubuntu-release-upgrader-core
  [ Chad Smith ]
  * data/mirrors.cfg: add ubuntu advantage pro PPA url as valid mirror (LP: #1893717)
  * DistUpgrade/DistUpgradeController.py: release cache lock during runPostInstallScripts (LP: #1897778)
  * data/mirrors.cfg: add all ubuntu-advantage services as valid mirrors. This includes: fips, fips-updates, esm-infra, esm-apps and cc-eal. (LP: #1893717)

==== vim: 2:7.4.1689-3ubuntu1.4 => 2:7.4.1689-3ubuntu1.5 ====
==== vim vim-common vim-runtime vim-tiny
  * SECURITY UPDATE: incorrect group ownership of .swp file
    - debian/patches/CVE-2017-17087.patch: use correct group in src/fileio.c.
    - CVE-2017-17087
  * SECURITY UPDATE: rvim restricted mode circumvention
    - debian/patches/CVE-2019-20807-pre1.patch: add checks for restricted and secure in src/eval.c.
    - debian/patches/CVE-2019-20807-pre2.patch: update documentation in runtime/doc/starting.txt.
    - debian/patches/CVE-2019-20807-1.patch: disable using interfaces in restricted mode in runtime/doc/starting.txt, src/eval.c, src/ex_cmds.c, src/ex_docmd.c, src/if_perl.xs, src/testdir/Make_all.mak, src/testdir/test_restricted.vim.
    - debian/patches/CVE-2019-20807-2.patch: missing some changes for Ex commands in src/ex_cmds.h.
    - CVE-2019-20807

--
[1] http://cloud-images.ubuntu.com/releases/xenial/release-20201111/
[2] http://cloud-images.ubuntu.com/releases/xenial/release-20201014/
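The announcement lists every package as "old => new", and an operator who runs the dist-upgrade line above still wants to confirm that existing instances actually reached the fixed versions. The following is an added example, not from the announcement or from Ubuntu's tooling: it parses those "old => new" lines, reads a `dpkg-query -W`-style listing, and compares versions with a port of dpkg's ordering so that tilde and epoch versions such as 20190110~16.04.1 and 2:7.4.1689-3ubuntu1.4 sort correctly. The `outdated` helper and the sample listing are constructed for the example.

```python
import re
from itertools import zip_longest

# Added example, not part of the announcement: uses dpkg's version ordering
# (epoch, upstream, revision; '~' sorts before anything, even end of string).
def _order(c):
    # dpkg character order: '~' < end of string ("") < letters < other punctuation
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's verrevcmp(): alternate non-digit runs (lexical via _order) and
    # digit runs (numeric, so leading zeros do not matter)
    runs_a, runs_b = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if ca != cb:
                return _order(ca) - _order(cb)
        na, nb = int(na or 0), int(nb or 0)
        if na != nb:
            return (na > nb) - (na < nb)
    return 0

def _split(v):
    # "[epoch:]upstream[-revision]": ':' splits at the first, '-' at the last
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def dpkg_compare(a, b):
    # -1, 0 or 1 as version a is older than, equal to or newer than version b
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def outdated(announcement, dpkg_query_output):
    # Pair "* name: old => new" lines with "name version" lines from
    # `dpkg-query -W`; names match literally, so source packages whose binary
    # names differ (linux-meta, python-cryptography) would need a mapping.
    fixed = {m[1]: m[3] for m in re.finditer(r"\*\s*([\w.+-]+):\s*(\S+)\s*=>\s*(\S+)", announcement)}
    have = dict(line.split(None, 1) for line in dpkg_query_output.splitlines() if line.strip())
    return {p: (v, fixed[p]) for p, v in have.items() if p in fixed and dpkg_compare(v, fixed[p]) < 0}

# Constructed sample input: three lines from the announcement and a fabricated
# dpkg-query listing in which only python3.5 has already been updated.
SAMPLE_ANNOUNCEMENT = """* ca-certificates: 20190110~16.04.1 => 20201027ubuntu0.16.04.1
* python3.5: 3.5.2-2ubuntu0~16.04.11 => 3.5.2-2ubuntu0~16.04.12
* vim: 2:7.4.1689-3ubuntu1.4 => 2:7.4.1689-3ubuntu1.5"""
SAMPLE_DPKG = "ca-certificates 20190110~16.04.1\npython3.5 3.5.2-2ubuntu0~16.04.12\nvim 2:7.4.1689-3ubuntu1.4"
```

On a real host, feed `outdated` the announcement text and the output of `dpkg-query -W -f='${Package} ${Version}\n'`; an empty result means every listed package is at or above the fixed version.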