A new release of the Ubuntu Cloud Images for stable Ubuntu release 20.04 LTS (Focal Fossa) is available at [1]. These new images supersede the existing images [2]. Images are available for download or immediate use on EC2 via published AMI IDs.

Users who wish to update their existing installations can do so with:

  'sudo apt-get update && sudo apt-get dist-upgrade && sudo reboot'

The following packages have been updated. Please see the full changelogs for a complete listing of changes:

  * base-files: 11ubuntu5 => 11ubuntu5.1
  * grub2: 2.04-1ubuntu26 => 2.04-1ubuntu26.1
  * grub2-signed: 1.142.1+2.04-1ubuntu26 => 1.142.3+2.04-1ubuntu26.1
  * libseccomp: 2.4.3-1ubuntu3.20.04.2 => 2.4.3-1ubuntu3.20.04.3
  * python3.8: 3.8.2-1ubuntu1.1 => 3.8.2-1ubuntu1.2
  * python-apt: 2.0.0 => 2.0.0ubuntu0.20.04.1
  * sqlite3: 3.31.1-4ubuntu0.1 => 3.31.1-4ubuntu0.2
  * systemd: 245.4-4ubuntu3.1 => 245.4-4ubuntu3.2
  * ubuntu-release-upgrader: 1:20.04.21 => 1:20.04.23

The following is a complete changelog for this image.

new: {}
removed: {}
changed: ['base-files', 'grub-common', 'grub-efi-amd64-bin', 'grub-efi-amd64-signed', 'grub-pc', 'grub-pc-bin', 'grub2-common', 'libnss-systemd:amd64', 'libpam-systemd:amd64', 'libpython3.8-minimal:amd64', 'libpython3.8-stdlib:amd64', 'libpython3.8:amd64', 'libseccomp2:amd64', 'libsqlite3-0:amd64', 'libsystemd0:amd64', 'libudev1:amd64', 'python-apt-common', 'python3-apt', 'python3-distupgrade', 'python3.8', 'python3.8-minimal', 'systemd', 'systemd-sysv', 'systemd-timesyncd', 'ubuntu-release-upgrader-core', 'udev']
new snaps: {}
removed snaps: {}
changed snaps: ['lxd']

==== base-files: 11ubuntu5 => 11ubuntu5.1 ====
==== base-files
  * /etc/issue, /etc/issue.net, /etc/lsb-release, /etc/os-release:
    Bump version number to 20.04.1 in preparation of the next point release.

==== grub2: 2.04-1ubuntu26 => 2.04-1ubuntu26.1 ====
==== grub-common grub-efi-amd64-bin grub-pc grub-pc-bin grub2-common
  [ Julian Andres Klode ]
  * Move gettext patches out of git-dpm's way, so it does not delete them

  [ Chris Coulson ]
  * SECURITY UPDATE: Heap buffer overflow when encountering commands that
    cannot be tokenized to less than 8192 characters.
    - 0082-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch: Make fatal
      lexer errors actually be fatal
    - CVE-2020-10713
  * SECURITY UPDATE: Multiple integer overflow bugs that could result in heap
    buffer allocations that were too small and subsequent heap buffer
    overflows when handling certain filesystems, font files or PNG images.
    - 0083-safemath-Add-some-arithmetic-primitives-that-check-f.patch: Add
      arithmetic primitives that allow for overflows to be detected
    - 0084-calloc-Make-sure-we-always-have-an-overflow-checking.patch: Make
      sure that there is always an overflow checking implementation of
      calloc() available
    - 0085-calloc-Use-calloc-at-most-places.patch: Use calloc where
      appropriate
    - 0086-malloc-Use-overflow-checking-primitives-where-we-do-.patch: Use
      overflow-safe arithmetic primitives when performing allocations based
      on the results of operations that might overflow
    - 0094-hfsplus-fix-two-more-overflows.patch: Fix integer overflows in
      hfsplus
    - 0095-lvm-fix-two-more-potential-data-dependent-alloc-over.patch: Fix
      more potential integer overflows in lvm
    - CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
  * SECURITY UPDATE: Use-after-free when executing a command that causes a
    currently executing function to be redefined.
    - 0092-script-Remove-unused-fields-from-grub_script_functio.patch: Remove
      unused fields from grub_script_function
    - 0093-script-Avoid-a-use-after-free-when-redefining-a-func.patch: Avoid
      a use-after-free when redefining a function during execution
    - CVE-2020-15706
  * SECURITY UPDATE: Integer overflows that could result in heap buffer
    allocations that were too small and subsequent heap buffer overflows
    during initrd loading.
    - 0105-linux-Fix-integer-overflows-in-initrd-size-handling.patch: Fix
      integer overflows in initrd size handling
    - 0106-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch: Fix
      integer overflows in linuxefi grub_cmd_initrd
    - CVE-2020-15707
  * Various fixes as a result of code review and static analysis:
    - 0087-iso9660-Don-t-leak-memory-on-realloc-failures.patch: Fix a memory
      leak on realloc failures when processing symbolic links
    - 0088-font-Do-not-load-more-than-one-NAME-section.patch: Fix a memory
      leak when processing font files with more than one NAME section
    - 0089-gfxmenu-Fix-double-free-in-load_image.patch: Zero self->bitmap
      after it is freed in order to avoid a potential double free later on
    - 0090-lzma-Make-sure-we-don-t-dereference-past-array.patch: Fix an
      out-of-bounds read in LzmaEncode
    - 0091-tftp-Do-not-use-priority-queue.patch: Refactor tftp to not use
      priority queues and fix a double free
    - 0096-efi-fix-some-malformed-device-path-arithmetic-errors.patch: Fix
      various arithmetic errors with malformed device paths
    - 0098-Fix-a-regression-caused-by-efi-fix-some-malformed-de.patch: Fix a
      NULL deref in the chainloader command introduced by a previous patch
    - 0099-efi-Fix-use-after-free-in-halt-reboot-path.patch: Fix a
      use-after-free in the halt and reboot commands by not freeing
      allocated memory in these paths
    - 0100-chainloader-Avoid-a-double-free-when-validation-fail.patch: Avoid
      a double free in the chainloader command when validation fails
    - 0101-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch:
      Protect grub_relocator_alloc_chunk_addr input arguments against
      integer overflow / underflow
    - 0102-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch:
      Protect grub_relocator_alloc_chunk_align max_addr argument against
      integer underflow
    - 0103-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch: Fix
      grub_relocator_alloc_chunk_align top memory allocation
    - 0104-linux-loader-avoid-overflow-on-initrd-size-calculati.patch: Avoid
      overflow on initrd size calculation

  [ Dimitri John Ledkov ]
  * SECURITY UPDATE: Grub does not enforce kernel signature validation when
    the shim protocol isn't present.
    - 0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch: Fail
      kernel validation if the shim protocol isn't available
    - CVE-2020-15705

==== grub2-signed: 1.142.1+2.04-1ubuntu26 => 1.142.3+2.04-1ubuntu26.1 ====
==== grub-efi-amd64-signed

==== libseccomp: 2.4.3-1ubuntu3.20.04.2 => 2.4.3-1ubuntu3.20.04.3 ====
==== libseccomp2:amd64
  * d/p/db-consolidate-some-of-the-code-which-adds-rules.patch
  * d/p/db-add-shadow-transactions.patch (LP: #1861177)
    Backport upstream patches to address performance regression introduced
    in libseccomp 2.4.

==== python-apt: 2.0.0 => 2.0.0ubuntu0.20.04.1 ====
==== python-apt-common python3-apt
  * Update mirror lists.

==== python3.8: 3.8.2-1ubuntu1.1 => 3.8.2-1ubuntu1.2 ====
==== libpython3.8-minimal:amd64 libpython3.8-stdlib:amd64 libpython3.8:amd64 python3.8 python3.8-minimal
  * SECURITY UPDATE: Infinite loop
    - debian/patches/CVE-2019-20907.patch: avoid infinite loop in the
      tarfile module in Lib/tarfile.py, Lib/test/test_tarfile.py and add
      Lib/test/recursion.tar binary for test.
    - CVE-2019-20907
  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2020-14422.patch: Resolve hash collisions for
      IPv4Interface and IPv6Interface in Lib/ipaddress.py,
      Lib/test/test_ipaddress.py.
    - CVE-2020-14422

==== sqlite3: 3.31.1-4ubuntu0.1 => 3.31.1-4ubuntu0.2 ====
==== libsqlite3-0:amd64
  * SECURITY UPDATE: multiSelectOrderBy heap overflow
    - debian/patches/CVE-2020-15358.patch: fix defect in the query-flattener
      optimization in src/select.c, src/sqliteInt.h, test/selectA.test.
    - CVE-2020-15358

==== systemd: 245.4-4ubuntu3.1 => 245.4-4ubuntu3.2 ====
==== libnss-systemd:amd64 libpam-systemd:amd64 libsystemd0:amd64 libudev1:amd64 systemd systemd-sysv systemd-timesyncd udev
  [ Dan Streetman ]
  * Hotadd only offline memory and CPUs (LP: #1876018)
    File: debian/extra/rules-ubuntu/40-vm-hotadd.rules
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=72d815471596056b7727be5b10f87513ff1d5757
  * Lock swap blockdevice while calling mkswap (LP: #1838329)
    Files:
    - d/p/lp1838329/0001-blockdev-propagate-one-more-unexpected-error.patch
    - d/p/lp1838329/0002-makefs-log-about-OOM-condition.patch
    - d/p/lp1838329/0003-dissect-use-log_debug_errno-where-appropriate.patch
    - d/p/lp1838329/0004-blockdev-add-helper-for-locking-whole-block-device.patch
    - d/p/lp1838329/0005-makefs-lock-device-while-we-operate.patch
    - d/p/lp1838329/0006-makefs-normalize-logging-a-bit.patch
    - d/p/lp1838329/0007-cryptsetup-generator-use-systemd-makefs-for-implemen.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=c81b75c4297cbb04554488b070b6f79996b8cceb

  [ Balint Reczey ]
  * debian/udev.postinst: Allow kvm to be an already present non-system
    group (LP: #1880541)
    File: debian/udev.postinst
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=8b5c31828d4323ddb719326b1316c179b7cdbdef
  * d/p/hwdb-Mask-rfkill-event-from-intel-hid-on-HP-platforms.patch:
    hwdb: Mask rfkill event from intel-hid on HP platforms (LP: #1883846)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=164c016b466210c7d6d05963fd753eccf4679844
  * journald: stream pid change newline fix (LP: #1875708)
    Files:
    - debian/patches/lp1875708/journald-Increase-stdout-buffer-size-sooner-when-almost-f.patch
    - debian/patches/lp1875708/journald-rework-end-of-line-marker-handling-to-use-a-fiel.patch
    - debian/patches/lp1875708/journald-rework-pid-change-handling.patch
    - debian/patches/lp1875708/journald-use-log_warning_errno-where-appropriate.patch
    - debian/patches/lp1875708/journald-use-the-fact-that-client_context_release-returns.patch
    - debian/patches/lp1875708/man-document-the-new-_LINE_BREAK-type.patch
    - debian/patches/lp1875708/socket-util-introduce-type-safe-dereferencing-wrapper-CMS.patch
    - debian/patches/lp1875708/test-Add-a-test-case-for-15654.patch
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=2dc19f7ae4aad7277e9d89849182453ff1d046dc

==== ubuntu-release-upgrader: 1:20.04.21 => 1:20.04.23 ====
==== python3-distupgrade ubuntu-release-upgrader-core
  * data/DistUpgrade.cfg: remove xscreensaver from the PostUpgradeRemove rule
    for ubuntu-desktop as it is no longer necessary. (LP: #1875107)
  * DistUpgrade/DistUpgradeController.py: set a default value for devRelease
    all the time. (LP: #1882069)
  * DistUpgrade/DistUpgradeQuirks.py: Update the quirk for handling the
    transition from python-minimal to python2-minimal so that it runs during
    a prepare stage and an install stage. Thanks to Lukas Märdian for the
    fix. (LP: #1875523)

--
[1] http://cloud-images.ubuntu.com/releases/focal/release-20200729/
[2] http://cloud-images.ubuntu.com/releases/focal/release-20200720/
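The grub2 entry in this changelog (CVE-2020-14308 through CVE-2020-14311 and CVE-2020-15707) describes the fix pattern for this class of bug: replace unchecked size arithmetic with primitives that report overflow, and make sure an overflow-checking calloc() is always available. The C program below is an added illustration of that pattern written for this page; it is not grub code and not part of the Ubuntu announcement. The table format it parses (an 8-byte little-endian entry count followed by fixed 8-byte entries) is constructed for the example, the names checked_add, checked_mul, checked_calloc, unchecked_total and load_table are assumptions, and it relies on the GCC/Clang __builtin_add_overflow / __builtin_mul_overflow intrinsics.

```c
/* Added example of overflow-checked size arithmetic, modelled on the idea in
 * the grub2 safemath/calloc patches.  Not grub code; the table format and the
 * function names are assumptions made for this illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HEADER_SIZE ((size_t)8)   /* 8-byte little-endian entry count */
#define ENTRY_SIZE  ((size_t)8)   /* fixed-size entries follow the header */

/* Overflow-detecting primitives: return 0 and store the exact result in *out,
 * or return 1 when the result does not fit in size_t (GCC >= 5 / Clang). */
static int checked_add(size_t a, size_t b, size_t *out)
{
    return __builtin_add_overflow(a, b, out) ? 1 : 0;
}

static int checked_mul(size_t a, size_t b, size_t *out)
{
    return __builtin_mul_overflow(a, b, out) ? 1 : 0;
}

/* The vulnerable arithmetic, kept only to show what it produces: the product
 * wraps modulo SIZE_MAX + 1, so a huge attacker-chosen count becomes a tiny
 * byte total that passes a length check and yields a tiny allocation. */
static size_t unchecked_total(size_t count)
{
    return HEADER_SIZE + count * ENTRY_SIZE;
}

/* calloc() that refuses to wrap.  A hosted libc already checks this; a
 * freestanding environment such as a boot loader has to supply it itself. */
static void *checked_calloc(size_t nmemb, size_t size)
{
    size_t bytes;
    if (checked_mul(nmemb, size, &bytes)) {
        errno = ERANGE;           /* report the overflow, never truncate */
        return NULL;
    }
    void *p = malloc(bytes ? bytes : 1);
    if (p)
        memset(p, 0, bytes);
    return p;
}

static uint64_t get_u64le(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static void put_u64le(unsigned char *p, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        p[i] = (unsigned char)(v >> (8 * i));
}

struct table {
    size_t count;
    unsigned char *entries;       /* count * ENTRY_SIZE bytes, heap allocated */
};

/* Parse a table from untrusted bytes.  Returns 0 on success (caller frees
 * t->entries), -1 if the input is truncated, -2 if the size arithmetic would
 * overflow, -3 if the allocation failed. */
static int load_table(const unsigned char *buf, size_t len, struct table *t)
{
    if (len < HEADER_SIZE)
        return -1;
    uint64_t count64 = get_u64le(buf);
    if (count64 > (uint64_t)SIZE_MAX)   /* not representable on this host */
        return -2;
    size_t count = (size_t)count64, body, total;
    /* Vulnerable form: total = HEADER_SIZE + count * ENTRY_SIZE.  With a
     * wrapped total the length check passes, the buffer is tiny, and any
     * later loop over `count` entries writes past the end of the heap chunk. */
    if (checked_mul(count, ENTRY_SIZE, &body) ||
        checked_add(HEADER_SIZE, body, &total))
        return -2;
    if (total > len)              /* safe to compare only after the checks */
        return -1;
    t->entries = checked_calloc(count, ENTRY_SIZE);
    if (t->entries == NULL)
        return -3;
    memcpy(t->entries, buf + HEADER_SIZE, body);
    t->count = count;
    return 0;
}

int main(void)
{
    unsigned char buf[HEADER_SIZE + 2 * ENTRY_SIZE];
    struct table t;

    put_u64le(buf, 2);            /* well-formed input: two entries present */
    memset(buf + HEADER_SIZE, 0xAB, 2 * ENTRY_SIZE);
    printf("well-formed input: rc=%d\n", load_table(buf, sizeof buf, &t));
    free(t.entries);

    /* Hostile count: count * ENTRY_SIZE is exactly SIZE_MAX + 1 and wraps to 0,
     * so the unchecked total is just the header size and the check passes. */
    size_t hostile = SIZE_MAX / ENTRY_SIZE + 1;
    put_u64le(buf, hostile);
    printf("unchecked total for hostile count: %zu bytes\n", unchecked_total(hostile));
    printf("hostile input with checks: rc=%d\n", load_table(buf, HEADER_SIZE, &t));
    return 0;
}
```

The second hostile case worth testing is a count whose product fits but whose sum with the header does not (SIZE_MAX / ENTRY_SIZE here): it is caught by checked_add, which is why both primitives are needed rather than a single multiply check.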