A new release of the Ubuntu Cloud Images for stable Ubuntu release 18.04 LTS (Bionic Beaver) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI ids. Users who wish to update their existing installations can do so with:

  'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'.

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

 * git: 1:2.17.1-1ubuntu0.9 => 1:2.17.1-1ubuntu0.10
 * gzip: 1.6-5ubuntu1.1 => 1.6-5ubuntu1.2
 * klibc: 2.0.4-9ubuntu2 => 2.0.4-9ubuntu2.1
 * linux-meta: 4.15.0.175.164 => 4.15.0.176.165
 * linux-signed: 4.15.0-175.184 => 4.15.0-176.185
 * xz-utils: 5.2.2-1.3 => 5.2.2-1.3ubuntu0.1

The following is a complete changelog for this image.

new: {'linux-headers-4.15.0-176-generic': '4.15.0-176.185', 'linux-modules-4.15.0-176-generic': '4.15.0-176.185', 'linux-headers-4.15.0-176': '4.15.0-176.185'}
removed: {'linux-headers-4.15.0-175': '4.15.0-175.184', 'linux-headers-4.15.0-175-generic': '4.15.0-175.184', 'linux-modules-4.15.0-175-generic': '4.15.0-175.184'}
changed: ['git', 'git-man', 'gzip', 'klibc-utils', 'libklibc', 'liblzma5:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-4.15.0-176-generic', 'linux-image-virtual', 'linux-virtual', 'xz-utils']

new snaps: {}
removed snaps: {}
changed snaps: []

==== git: 1:2.17.1-1ubuntu0.9 => 1:2.17.1-1ubuntu0.10 ====
====     git git-man

  * SECURITY UPDATE: Run commands in diff users
    - debian/patches/CVE-2022-24765-*.patch: fix GIT_CEILING_DIRECTORIES; add an owner check for the top-level-directory; add a function to determine whether a path is owned by the current user in patch.c, t/t0060-path-utils.sh, setup.c, compat/mingw.c, compat/mingw.h, git-compat-util.hi, config.c, config.h.
    - CVE-2022-24765

==== gzip: 1.6-5ubuntu1.1 => 1.6-5ubuntu1.2 ====
====     gzip

  * SECURITY UPDATE: arbitrary file override with crafted file names
    - debian/patches/CVE-2022-1271-1.patch: avoid exploit via multi-newline file names in zgrep.in.
    - debian/patches/CVE-2022-1271-2.patch: add test in tests/Makefile.am, tests/zgrep-abuse.
    - debian/patches/CVE-2022-1271-3.patch: port to POSIX sed in zgrep.in.
    - debian/patches/CVE-2022-1271-4.patch: optimize out a grep in gzexe.in.
    - debian/patches/CVE-2022-1271-5.patch: use C locale more often in gzexe.in, sample/zfile, zdiff.in, zgrep.in, znew.in.
    - debian/patches/CVE-2022-1271-6.patch: fix "binary file matches" mislabeling in tests/Makefile.am, tests/zgrep-binary, zgrep.in.
    - debian/rules: fix permissions on new test scripts.
    - CVE-2022-1271

==== klibc: 2.0.4-9ubuntu2 => 2.0.4-9ubuntu2.1 ====
====     klibc-utils libklibc

  * SECURITY UPDATE: integer overflow in calloc
    - debian/patches/CVE-2021-31870.patch: add overflow check when performing the multiplication in usr/klibc/calloc.c.
    - CVE-2021-31870
  * SECURITY UPDATE: integer overflow in cpio
    - debian/patches/CVE-2021-31871.patch: remove cast to unsigned to avoid a possible overflow in 64 bit systems in usr/utils/cpio.c.
    - CVE-2021-31871
  * SECURITY UPDATE: integer overflow in read_in_new_ascii
    - debian/patches/CVE-2021-31872.patch: ensure that c_namesize and c_filesize are smaller than LONG_MAX in usr/utils/cpio.c.
    - CVE-2021-31872
  * SECURITY UPDATE: integer overflow in malloc
    - debian/patches/CVE-2021-31873.patch: ensure that size is smaller than PTRDIFF_MAX in usr/klibc/malloc.c.
    - CVE-2021-31873

==== linux-meta: 4.15.0.175.164 => 4.15.0.176.165 ====
====     linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual

  * Bump ABI 4.15.0-176

==== linux-signed: 4.15.0-175.184 => 4.15.0-176.185 ====
====     linux-image-4.15.0-176-generic

  * Master version: 4.15.0-176.185

==== xz-utils: 5.2.2-1.3 => 5.2.2-1.3ubuntu0.1 ====
====     liblzma5:amd64 xz-utils

  * SECURITY UPDATE: arbitrary file overwrite or code execution with crafted file names
    - debian/patches/CVE-2022-1271.patch: fix escaping of malicious filenames in src/scripts/xzgrep.in.
    - CVE-2022-1271

--
[1] http://cloud-images.ubuntu.com/releases/bionic/release-20220419/
[2] http://cloud-images.ubuntu.com/releases/bionic/release-20220411/