A new release of the Ubuntu Cloud Images for stable Ubuntu release 18.04 LTS (Bionic Beaver) is available at [1]. These new images superseded the existing images [2]. Images are available for download or immediate use on EC2 via publish AMI ids. Users who wish to update their existing installations can do so with: 'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'. The following packages have been updated. Please see the full changelogs for a complete listing of changes: * bind9: 1:9.11.3+dfsg-1ubuntu1.17 => 1:9.11.3+dfsg-1ubuntu1.18 * curl: 7.58.0-2ubuntu3.19 => 7.58.0-2ubuntu3.20 * linux-meta: 4.15.0.192.177 => 4.15.0.193.178 * linux-signed: 4.15.0-192.203 => 4.15.0-193.204 * sqlite3: 3.22.0-1ubuntu0.5 => 3.22.0-1ubuntu0.6 * systemd: 237-3ubuntu10.53 => 237-3ubuntu10.56 * tzdata: 2022a-0ubuntu0.18.04 => 2022c-0ubuntu0.18.04.0 * vim: 2:8.0.1453-1ubuntu1.8 => 2:8.0.1453-1ubuntu1.9 The following is a complete changelog for this image. new: {'linux-headers-4.15.0-193': '4.15.0-193.204', 'linux-headers-4.15.0-193-generic': '4.15.0-193.204', 'linux-modules-4.15.0-193-generic': '4.15.0-193.204'} removed: {'linux-headers-4.15.0-192': '4.15.0-192.203', 'linux-modules-4.15.0-192-generic': '4.15.0-192.203', 'linux-headers-4.15.0-192-generic': '4.15.0-192.203'} changed: ['bind9-host', 'curl', 'dnsutils', 'libbind9-160:amd64', 'libcurl3-gnutls:amd64', 'libcurl4:amd64', 'libdns-export1100', 'libdns1100:amd64', 'libirs160:amd64', 'libisc-export169:amd64', 'libisc169:amd64', 'libisccc160:amd64', 'libisccfg160:amd64', 'liblwres160:amd64', 'libnss-systemd:amd64', 'libpam-systemd:amd64', 'libsqlite3-0:amd64', 'libsystemd0:amd64', 'libudev1:amd64', 'linux-headers-generic', 'linux-headers-virtual', 'linux-image-4.15.0-193-generic', 'linux-image-virtual', 'linux-virtual', 'systemd', 'systemd-sysv', 'tzdata', 'udev', 'vim', 'vim-common', 'vim-runtime', 'vim-tiny', 'xxd'] new snaps: {} removed snaps: {} changed snaps: [] ==== bind9: 1:9.11.3+dfsg-1ubuntu1.17 => 1:9.11.3+dfsg-1ubuntu1.18 ==== ==== bind9-host dnsutils libbind9-160:amd64 libdns-export1100 libdns1100:amd64 libirs160:amd64 libisc-export169:amd64 libisc169:amd64 libisccc160:amd64 libisccfg160:amd64 liblwres160:amd64 * SECURITY UPDATE: Processing large delegations may severely degrade resolver performance - debian/patches/CVE-2022-2795.patch: add limit to lib/dns/resolver.c. - CVE-2022-2795 * SECURITY UPDATE: memory leak in ECDSA DNSSEC verification code - debian/patches/CVE-2022-38177.patch: fix return handling in lib/dns/opensslecdsa_link.c. - CVE-2022-38177 * SECURITY UPDATE: memory leaks in EdDSA DNSSEC verification code - debian/patches/CVE-2022-38178.patch: fix return handling in lib/dns/openssleddsa_link.c. - CVE-2022-38178 ==== curl: 7.58.0-2ubuntu3.19 => 7.58.0-2ubuntu3.20 ==== ==== curl libcurl3-gnutls:amd64 libcurl4:amd64 * SECURITY UPDATE: when curl sends back cookies with control bytes a HTTP(S) server may return a 400 response - debian/patches/CVE-2022-35252.patch: adds invalid_octets function to lib/cookie.c to reject cookies with control bytes - CVE-2022-35252 ==== linux-meta: 4.15.0.192.177 => 4.15.0.193.178 ==== ==== linux-headers-generic linux-headers-virtual linux-image-virtual linux-virtual * Bump ABI 4.15.0-193 ==== linux-signed: 4.15.0-192.203 => 4.15.0-193.204 ==== ==== linux-image-4.15.0-193-generic * Master version: 4.15.0-193.204 ==== sqlite3: 3.22.0-1ubuntu0.5 => 3.22.0-1ubuntu0.6 ==== ==== libsqlite3-0:amd64 * SECURITY UPDATE: null pointer dereference in INTERSEC query processing - debian/patches/CVE-2020-35525.patch: early-out on the INTERSECT query processing following an error in src/select.c. - CVE-2020-35525 ==== systemd: 237-3ubuntu10.53 => 237-3ubuntu10.56 ==== ==== libnss-systemd:amd64 libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd systemd-sysv udev * debian/udev.preinst: Add check_ID_NET_DRIVER() to ensure that on upgrade or install from an earlier version ID_NET_DRIVER is present on network interfaces. (LP: #1988119) * d/p/lp1988119-udev-re-assign-ID_NET_DRIVER-ID_NET_LINK_FILE-ID_NET.patch: Run net_setup_link on 'change' uevents, important for users of the hv_netvsc driver on Azure. (LP: #1988119) * SECURITY UPDATE: Use-after-free vulnerability in systemd. - debian/patches/CVE-2022-2526.patch: pin stream while calling callbacks for it in src/resolve/resolved-dns-stream.c - CVE-2022-2526 ==== tzdata: 2022a-0ubuntu0.18.04 => 2022c-0ubuntu0.18.04.0 ==== ==== tzdata * New upstream release (LP: #1986984): - Chile will spring forward on 2022-09-11, not 2022-09-04 - Iran no longer observes DST * d/po/*.po: change Kiev msgids to Kyiv to reflect upstream change ==== vim: 2:8.0.1453-1ubuntu1.8 => 2:8.0.1453-1ubuntu1.9 ==== ==== vim vim-common vim-runtime vim-tiny xxd * SECURITY UPDATE: heap based buffer overflow in spelling suggestion function - debian/patches/CVE-2022-0943.patch: adjust "badlen". - CVE-2022-0943 * SECURITY UPDATE: use-after-free when processing regular expressions in old engine - debian/patches/CVE-2022-1154.patch: after getting mark get the line again. - CVE-2022-1154 * SECURITY UPDATE: buffer overflow when using invalid command with composing chars - debian/patches/CVE-2022-1616.patch: check that the whole character fits in the buffer. - CVE-2022-1616 * SECURITY UPDATE: heap buffer overflow when processing CTRL-W in latin1 encoding - debian/patches/CVE-2022-1619.patch: check already being at the start of the command line. - CVE-2022-1619 * SECURITY UPDATE: NULL pointer access when using invalid pattern - debian/patches/CVE-2022-1620.patch: check for failed regexp program. - CVE-2022-1620 * SECURITY UPDATE: heap buffer overflow when processing invalid character added to word list - debian/patches/CVE-2022-1621.patch: check for a valid word string. - debian/patches/remove_test_spell_single_word.patch: removal of test test_spell_single_word from src/testdir/test_spell.vim - CVE-2022-1621 -- [1] http://cloud-images.ubuntu.com/releases/bionic/release-20220921/ [2] http://cloud-images.ubuntu.com/releases/bionic/release-20220901/